Re: Buffer overflow in sperl5.003

Jon Lewis (jlewis@inorganic5.fdt.net)
Sat, 19 Apr 1997 05:50:58 -0400

On Fri, 18 Apr 1997, David Luyer wrote:

> On Thu, 17 Apr 1997, Murphy wrote:
> > Attached is the source for the exploit. Since it requires some work to
> >be done to the compiled exploit (stripping of 5 bytes at the beginning and
> >end of the binary), the precompiled Linux x86 exploit can be found at
> >http://www.ecst.csuchico.edu/~jtmurphy/localusers.html.
>
> Note that the exploit tries offsets of 1170 to 1240. Debian Linux with
> sperl5.00307 requires a value of 1169 (and is vulnerable).

I really like to use suidperl (too lazy to use C most of the time) so it's
really been bugging me that nobody has posted a fix other than chmod a-s.
I spent quite a while trying to figure out what the heck was going on in
the perl source, and after many failed attempts to stop this problem, it
hit me. It appears the tryall.sperl script just runs sperl with an
obnoxiously long argv[1] that happens to have some code tacked onto the
end. I couldn't figure out where exactly the buffer overrun was in perl
but I figured having really long args to perl is unlikely...so why not
limit them to 1024 chars each?

--- miniperlmain.c.orig Sat Apr 19 03:18:29 1997
+++ miniperlmain.c Sat Apr 19 05:40:10 1997
@@ -30,6 +30,15 @@
#endif
{
int exitstatus;
+/* begin hacking */
+ if (geteuid() != getuid() || getegid() != getgid()) {
+ int i;
+ for (i=0;i<argc;i++) {
+ if (strlen(argv[i]) > 1024)
+ exit(69);
+ }
+ }
+/* end hacking */

PERL_SYS_INIT(&argc,&argv);
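
Review bot: the guard bounds only argv, so any other attacker-controlled string that reaches the same code path (environment variables, for one) is not covered, and because the actual overrun was never located nothing here shows that 1024 bytes is below the size of the vulnerable buffer; the offsets 1169 to 1240 quoted above suggest the limit is in the right region, but it should be confirmed against the real buffer before relying on it. The loop itself is sound (it stops at argc, so it never reads past the NULL at argv[argc]). exit(69) gives the user no explanation, though; consider a one-line message first, e.g. fprintf(stderr, "argument too long\n"); before the exit.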

The only use for a huge argv[1] I can think of is passing a "program" to
perl, and suidperl doesn't allow that anyway.

This patch is really untested except that it does cause tryall.sperl and
tryall.generic to fail. I don't know for sure that it "fixes" the
problem, but it should at least keep the casual hacker at bay. It could
very well break some stuff...but why would you want to feed that much to
perl on the commandline?

------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will
Network Administrator | be proof-read for $199/hr.
________Finger jlewis@inorganic5.fdt.net for PGP public key_______
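
An added example, not part of the message above and not code from the perl source: the same argument-length guard for a setuid/setgid program, written as functions that return a verdict instead of calling exit() so that the policy can be tested, extended to the environment strings as well as argv, and reporting which string tripped it. The function names, the 1024-byte limit and the constructed argv in demo_long_arg() are this example's own choices, not anything from the thread.

```c
/* Argument/environment length guard for a setuid or setgid program.
 * Added example; the names, the limit and the demo input are assumptions. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define ARG_LIMIT 1024   /* assumed limit; the thread's patch uses the same figure */

/* Length of s, but never scanning more than max+1 bytes, so an enormous
 * string is rejected without walking all of it. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n <= max && s[n] != '\0')
        n++;
    return n;               /* max+1 means "longer than max" */
}

/* Nonzero when the process holds privileges its caller did not have:
 * the setuid/setgid case the guard exists for. */
int privileged_context(void)
{
    return geteuid() != getuid() || getegid() != getgid();
}

/* Index of the first string in vec longer than limit, or -1 if none.
 * count >= 0: vec has exactly count entries (argv);
 * count <  0: vec is NULL-terminated (environ). */
int first_oversize(char *const *vec, int count, size_t limit)
{
    int i;
    for (i = 0; (count < 0) ? (vec[i] != NULL) : (i < count); i++) {
        if (bounded_len(vec[i], limit) > limit)
            return i;
    }
    return -1;
}

/* Call first thing in main(). Returns 0 if execution may continue and 1 if
 * the program should refuse to run. Unprivileged runs are never blocked,
 * matching the patch's geteuid()/getuid() condition. */
int check_untrusted_strings(int argc, char **argv, char **envp)
{
    int idx;
    if (!privileged_context())
        return 0;
    idx = first_oversize(argv, argc, ARG_LIMIT);
    if (idx >= 0) {
        fprintf(stderr, "argument %d exceeds %d bytes; refusing to run\n",
                idx, ARG_LIMIT);
        return 1;
    }
    idx = first_oversize(envp, -1, ARG_LIMIT);
    if (idx >= 0) {
        fprintf(stderr, "environment string %d exceeds %d bytes; refusing to run\n",
                idx, ARG_LIMIT);
        return 1;
    }
    return 0;
}

/* Constructed demonstration input (not the exploit's real argv): argv[1] is
 * 1500 bytes of filler, the shape of the "obnoxiously long argv[1]" the
 * message describes. Returns the index first_oversize() reports. */
int demo_long_arg(void)
{
    static char big[1501];
    char *argv[3];
    memset(big, 'A', 1500);
    big[1500] = '\0';
    argv[0] = "sperl";
    argv[1] = big;
    argv[2] = NULL;
    return first_oversize(argv, 2, ARG_LIMIT);
}

/* Same vector presented as a NULL-terminated environment block. */
int demo_long_env(void)
{
    static char big[1501];
    char *envp[3];
    memset(big, 'B', 1500);
    big[1500] = '\0';
    envp[0] = "HOME=/tmp";
    envp[1] = big;
    envp[2] = NULL;
    return first_oversize(envp, -1, ARG_LIMIT);
}

int main(int argc, char **argv, char **envp)
{
    if (check_untrusted_strings(argc, argv, envp))
        return 69;
    /* normal program start would follow here */
    return 0;
}
```

The guard is a bound on one attack vector, not a fix for the overrun itself; a string under the limit still reaches whatever buffer is actually overflowing, so the limit has to be verified against that buffer's real size.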