sperl 5.00503 (and newer ;) exploit (fwd)
Michal Zalewski
lcamtuf w dione.ids.pl
Sob, 5 Sie 2000, 18:44:50 CEST
Owszem, off-topic, ale pomyslalem, ze moze Was zainteresowac - zwlaszcza
ze kilka osob z PLD prosilo mnie o podsylanie informacji o takich rzeczach
zanim je opublikuje... Wiec niniejszym to robie ;)
_______________________________________________________
Michal Zalewski [lcamtuf w tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
---------- Forwarded message ----------
Date: Sat, 5 Aug 2000 18:39:22 +0200 (EEST)
From: Michal Zalewski <lcamtuf w dione.ids.pl>
To: BUGTRAQ w SECURITYFOCUS.COM
Subject: sperl 5.00503 (and newer ;) exploit
Not much to say (except I feel little bit stupid posting it) ... This
exploit gives instant root, at least on RedHat 6.x/7.0 Linux boxes I have
available for tests... And for sure, all other systems are vulnerable as
well - it's just maybe this code will need some refining / tuning /
minor changes...
Below you'll find brief description of vulnerability and exploit itself,
written by me. Please note - I didn't developed everything by myself, I
get great support from Sebastian Krahmer - see development history. I
still pray he won't get angry on me (probably he will) - but he should be
listed at first any time you're talking about this vulnerablity (he made
me think with his findings :P).
I don't know who should be blamed - perl vendors? /bin/mail vendors for
putting undocumented (at least on manpage) features? Hmm... I guess it's
nobody's fault ;)
Requires: +s perl; bash, gcc, make, usleep (yup, usleep; it's not
available on every system, but I have no time to rewrite everything in C;
you can grab this code from RedHat distro or so) will be good... Don't
mail me if you can't use it - it works.
And now, some reading.
#
# -- PLEASE READ THESE COMMENTS CAREFULLY BEFORE TRYING ANYTHING --
#
# Wonderful, lovely, world-smashing, exciting perl exploit. It works against
# +s suidperl, exploiting undocumented /bin/mail feature when perl wants to
# notify root on inode race conditions. Currently, tested under RH Linux.
#
# What's probably most shocking, buggy code has following comment inside:
# /* heh, heh */. I guess author wasn't laughning last.
#
# Development history of this exploit is really funny. I found this condition
# about 4 months ago, but thought it's useless (who wants to notify root?).
# I deleted my test code and didn't left any notes on it. Then, month after
# this discovery, Sebastian contacted me. He was working on perl exploit.
# He told me he don't know how to cause this condition to happen, but if only
# he realise how it can be done, he'll be able to use undocumented /bin/mail
# feature - environmental variable 'interactive', which, if set, causes
# /bin/mail to interpret ~! commands (subshell requests) even if stdin is not
# on terminal. And then I understood what I've done. I spent next month
# (yes! no kidding!) trying to recall WHAT THE FSCK was the condition. I
# remembered it was trivial, even annoying... And finally, now I'm able to
# reconstruct it.
#
# This exploit tries to fit in rather short, but reasonable time window in
# order to exploit bug. I tested it on fast, not overloaded Linux box, and
# I guess on slow machines it needs tunning. It needs anything setuid
# (/usr/bin/passwd is just fine), writable working directory and something
# around 4 minutes. Working directory should be mounted without noexec or
# nosuid options (if so, find something like /var/lib/svgalib etc).
#
# WARNING: On slow machines, it's quite possible this exploit will cause
# heavy load. Please test it when system is not overloaded and not used
# (eg. at night).
#
# I'd like to thank Sebastian Krahmer for his help (in fact, HE discovered it
# - I think I can say it without shame), and especially thank to several of
# my braincells that survived monitor radiation and made me recall this
# race condition.
#
# Send comments, ideas and flames to <lcamtuf w ids.pl>
# Tested with sperl 5.00503, but should work with any other as well.
#
# Good luck and don't abuse it.
#
_______________________________________________________
Michal Zalewski [lcamtuf w tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
-------------- następna część ---------
Załącznik, który nie był tekstem został usunięty...
Name: xperl.sh
Type: application/x-sh
Size: 4621 bytes
Desc:
Url : /mailman/pipermail/pld-devel-pl/attachments/20040626/3d2d5574/xperl.sh
Więcej informacji o liście dyskusyjnej pld-devel-pl