Date:      Thu, 10 Aug 2000 19:29:31 +0200 (MET DST)
From:      "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz>
To:        freebsd-security@FreeBSD.ORG
Subject:   suidperl exploit
Message-ID:  <Pine.GSO.4.10.10008101904060.733-100000@nenya.ms.mff.cuni.cz>



I just came across the suidperl + mail vulnerability in Linux, and I was
wondering whether it would work in FreeBSD.

(See http://www.securityfocus.com/bid/1547 for reference)

When I tried the exploit, no effect could be observed. However, a
significant part of the exploit lies in an undocumented feature of the
/bin/mail program: interactive behavior and interpretation of ~!
sequences, even when stdin is not a tty, as long as the "interactive"
environment variable is set.

The second part of the exploit lies in the fact that, when the suid
script's dev+inode# identification changes, suidperl reports it to root by
email in a very insecure manner: executing /bin/mail in exactly the
same environment as the user provided for running suidperl, and passing
the "interactive" variable along.

On FreeBSD, I've not observed the reporting email even after a fair
amount of time devoted to causing the race condition.


Either because I've not succeeded in causing it, or because suidperl
avoids reporting the issue.


I've not found any security advisory regarding this - can anybody
comment on this? Has there been a silent fix for this?



		Thanks

			Vlada
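Added example (not part of Vlada's message, nor code from suidperl or FreeBSD): the weakness described above has two defender-side takeaways, which this Python script illustrates. First, a setuid program that invokes a helper such as /bin/mail must not hand it the caller's environment verbatim; `sanitized_env()` rebuilds the environment from a small allowlist (the allowlist itself, `SAFE_ENV_KEYS` and `SAFE_PATH`, is an assumption chosen for illustration) so a variable like `interactive` never reaches the helper. Second, `is_setuid_perl()` / `find_setuid_perl()` audit a filesystem for setuid or setgid perl interpreters so an administrator can decide whether the bit should be cleared; the name patterns (`suidperl`, `sperl*`, `perl*`) are assumptions about how such binaries are commonly named. The sample user environment is constructed.

```python
import os
import stat
import sys
from pathlib import Path

# Variables a privileged program may safely let a helper inherit (assumption:
# a deliberately tiny allowlist; a real deployment would tune it).
SAFE_ENV_KEYS = {"TZ", "LANG", "LC_ALL"}
# Fixed, trusted search path for the helper (assumption).
SAFE_PATH = "/bin:/usr/bin"


def sanitized_env(user_env):
    """Return the environment a setuid program should pass to a helper.

    Only allowlisted keys are copied; PATH and IFS are set to known-good
    values. Anything else the caller set (e.g. "interactive", which the
    message says switches /bin/mail into tilde-escape mode) is dropped.
    """
    env = {k: v for k, v in user_env.items() if k in SAFE_ENV_KEYS}
    env["PATH"] = SAFE_PATH
    env["IFS"] = " \t\n"
    return env


def dropped_variables(user_env):
    """Names of caller-supplied variables whose value did not survive sanitising."""
    clean = sanitized_env(user_env)
    return sorted(k for k, v in user_env.items() if clean.get(k) != v)


def is_setuid_perl(name, mode):
    """True if a regular file with this name/mode is a setuid/setgid perl interpreter.

    Name patterns are an assumption about common naming (suidperl, sperl5.x, perl).
    """
    if not stat.S_ISREG(mode):
        return False
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return False
    return name == "suidperl" or name.startswith("sperl") or name.startswith("perl")


def find_setuid_perl(roots):
    """Walk the given directories and list setuid/setgid perl interpreters."""
    findings = []
    for root in roots:
        for path in Path(root).rglob("*"):
            try:
                st = path.lstat()
            except OSError:
                continue  # unreadable entry: skip rather than abort the audit
            if is_setuid_perl(path.name, st.st_mode):
                findings.append(str(path))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed caller environment: note the "interactive" variable.
    user_env = {"PATH": "/tmp/evil:/bin", "interactive": "1", "TZ": "UTC", "HOME": "/home/u"}
    print("helper environment:", sanitized_env(user_env))
    print("dropped from caller:", dropped_variables(user_env))

    roots = sys.argv[1:] or ["/usr/bin", "/usr/local/bin"]
    hits = find_setuid_perl(roots)
    print("setuid/setgid perl interpreters:", hits or "none found")
```

Run it with no arguments to audit /usr/bin and /usr/local/bin, or pass other directories; the real fix for the reporting path is for the privileged program to build its helper environment the way `sanitized_env()` does instead of inheriting the caller's.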






