From owner-freebsd-security Tue Jun 3 08:30:37 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id IAA04219 for security-outgoing; Tue, 3 Jun 1997 08:30:37 -0700 (PDT)
Received: from cs.iastate.edu (cs.iastate.edu [129.186.3.1]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA04135 for ; Tue, 3 Jun 1997 08:30:01 -0700 (PDT)
Received: from sunfire.cs.iastate.edu (sunfire.cs.iastate.edu [129.186.3.46]) by cs.iastate.edu (8.8.5/8.7.1) with ESMTP id KAA15013; Tue, 3 Jun 1997 10:29:18 -0500 (CDT)
Received: from localhost (ghelmer@localhost) by sunfire.cs.iastate.edu (8.8.5/8.7.1) with SMTP id KAA16577; Tue, 3 Jun 1997 10:29:18 -0500 (CDT)
X-Authentication-Warning: sunfire.cs.iastate.edu: ghelmer owned process doing -bs
Date: Tue, 3 Jun 1997 10:29:16 -0500 (CDT)
From: Guy Helmer
To: Michael Haro
cc: freebsd-security@freebsd.org
Subject: Re: Security problem with FreeBSD 2.2.1 default installation
In-Reply-To: <199706030320.UAA14616@netmug.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 2 Jun 1997, Michael Haro wrote:

> Hi, yesterday one of my users gained root access to my system.
> They did it by exploiting a bug in /usr/bin/sperl4*
> Why does FreeBSD ship with a security hole? Is this a new one that you didn't
> know about? How can I remedy the problem? Right now, I deleted the file from
> the server. I am new to FreeBSD and would like to know how to fix it.

See the CERT Advisory CA-97.17 (sperl) for this problem at
ftp://info.cert.org/pub/cert_advisories/CA-97.17.sperl dated May 29, 1997.
It would not have been known at the time FreeBSD 2.2.1 (or 2.2.2, for that
matter) was released.

The simplest way to overcome this vulnerability is to remove
/usr/bin/sperl4.036 and /usr/bin/suidperl, but setuid Perl scripts will no
longer work. (If you have installed the Perl5 package and it was Perl version
5.003 or earlier, you will also need to track down its sperl5.xxx & suidperl
and remove them.)

FWIW, it's a fair bet that any UNIX release has security holes. That's why
it's important to watch CERT, CIAC, and bugtraq, as well as your vendor's
mail list (e.g., freebsd-security@freebsd.org), for security notices.

Guy Helmer

Guy Helmer, Computer Science Grad Student, Iowa State - ghelmer@cs.iastate.edu
http://www.cs.iastate.edu/~ghelmer
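An audit helper for the remedy described in the reply above, added here as an example and not part of the original mail: it locates setuid-bit sperl*/suidperl binaries (the /usr/bin/sperl4.036 and /usr/bin/suidperl the mail names, plus a Perl5 package's sperl5.xxx) and flags sperl5 versions at or below 5.003 as the mail describes. Searching /usr/local/bin and clearing the setuid bit rather than deleting the file are assumptions of this example, not the mail's instructions.

```sh
#!/bin/sh
# Added example, not the mail author's code. Directory list beyond /usr/bin and
# the "clear the setuid bit" remedy are this example's assumptions.

# find_suid_perl DIR... : print files named sperl* or suidperl that carry the
# setuid bit, one per line; missing directories are skipped silently
find_suid_perl() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 -type f -perm -4000 \
            \( -name 'sperl*' -o -name 'suidperl' \) -print
    done
}

# affected_sperl5 PATH : succeed when the basename is sperl5.NNN with NNN <= 003,
# the Perl5 range the mail says also needs removal. sperl4* and suidperl are
# caught by find_suid_perl regardless of version, so they return failure here.
affected_sperl5() {
    name=$(basename "$1")
    case "$name" in
        sperl5.*) ver=${name#sperl5.} ;;
        *) return 1 ;;
    esac
    case "$ver" in
        *[!0-9]*|'') return 1 ;;   # development names such as sperl5.004_01 are newer than 5.003
    esac
    [ "$ver" -le 3 ]
}

# strip_suid PATH : clear the setuid bit instead of deleting the binary; setuid
# Perl scripts stop working either way, as the mail notes
strip_suid() {
    chmod u-s "$1"
}

# Report only when run directly; clearing or removing is the operator's decision.
find_suid_perl /usr/bin /usr/local/bin
```

Run it as root so find can read every directory; pipe the output through `affected_sperl5` or `strip_suid` once you have reviewed the list.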