List: caldera-announce
Subject: Caldera Security Advisory 96.02: Vulnerability in Perl's suidperl
From: Ron Holt <ron>
Date: 1996-07-02 4:47:20
Caldera Security Advisory SA-96.02
June 30th, 1996
Topic: Vulnerability of Perl suidperl program
I. Problem Description
A vulnerability exists in systems such as CND 1.0 that contain the
suidperl program. By exploiting this vulnerability, anyone with
access to an account on such a system may gain root access. The
problem exists in both Perl versions 4 and 5. Simple Perl scripts
exist that give root access even when executed by an unprivileged
user.
The vulnerability takes advantage of the suidperl program and
kernels such as Linux that support saved set-user-ID and saved
set-group-ID. Saved set-user-IDs and set-group-IDs are sometimes
referred to as POSIX saved IDs. suidperl is also known as sperl
followed by a version number, as in sperl5.002.
II. Impact
On a system that has the suidperl or sperl program installed
and that supports saved set-user-ID and saved set-group-ID (such
as CND 1.0), anyone with access to an account on the system can
gain root access.
III. Solution / Workaround
Perl version 4 should be removed from your system if present. This
version of Perl is no longer supported. No updated version will
be made available. You can check to see if Perl 4 is on your system
by executing "rpm -q perl4". This command will either print the
exact version of Perl 4 installed or the message "package perl4 is
not installed". To remove Perl 4, execute "rpm -u perl4".
The best solution to the problem is to install a corrected version
of Perl 5. This is the recommended procedure and is described below.
Alternatively, there are several workarounds for the vulnerability:
Until you can install a patch, we recommend disabling suidperl:

    su -
    cd /usr/bin
    chmod ug-s suidperl sperl*

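To confirm that no set-ID copy of suidperl or sperl remains after the
chmod above, the relevant directories can be scanned. This is an added
example, not part of the original advisory or of any Caldera tooling;
the function names and the directories passed to them are assumptions.

```shell
#!/bin/sh
# Added example: audit for set-ID suidperl / sperl* binaries.
# File names (suidperl, sperl*) and the chmod ug-s workaround come from
# the advisory; function names and directory arguments are assumptions.

# Print every regular file named suidperl or sperl* under the given
# directories that still carries the set-user-ID or set-group-ID bit.
list_setid_perl() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue   # skip directories that do not exist
        find "$dir" -type f \( -name suidperl -o -name 'sperl*' \) \
            \( -perm -4000 -o -perm -2000 \) -print
    done
}

# Number of files reported by list_setid_perl.
count_setid_perl() {
    list_setid_perl "$@" | wc -l | tr -d ' '
}

# Apply the advisory's workaround (chmod ug-s) to each file found,
# then re-scan; returns 0 only if nothing set-ID is left.
disable_setid_perl() {
    list_setid_perl "$@" | while IFS= read -r f; do
        chmod ug-s "$f" && echo "cleared set-ID bits: $f"
    done
    [ "$(count_setid_perl "$@")" -eq 0 ]
}

# Typical use, as root:
#   list_setid_perl /usr/bin /usr/local/bin
#   disable_setid_perl /usr/bin /usr/local/bin
```

Other set-ID programs in the scanned directories are left untouched,
since only files named suidperl or sperl* are matched.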
Another alternative to installing a new version is to install Larry
Wall's fixsperl script noted below. fixsperl is a script that replaces
the suidperl and sperl programs with a wrapper that eliminates the
vulnerability. The script is available from CPAN archives such as
    ftp://ftp.funet.fi/pub/languages/perl/CPAN/
as the file:
    File          src/fixsperl-0
    MD5 Checksum  f13900d122a904a8453a0af4c1bdddc6
Note that this script should be run one time, naming every
suidperl or sperl file on your system. If you add another version
of suidperl or sperl to your system, then you must run fixsperl
on those newly installed versions.
However, the recommended option is to install the following version
of Perl 5:
ftp://ftp.caldera.com/pub/cnd-1.0/updates/perl-5.003-2.i386.rpm
Note that this version, unlike the Red Hat version of the same name,
is compatible with CND 1.0 (it's compiled with Linux 1.2.13 header
files, libc 5.0.9 and created with RPM 1.x).
If you are running a system that has been switched to Red Hat 3.0.3,
install "perl-5.003-2.i386.rpm" from Red Hat or one of its mirror
sites:
ftp.redhat.com/pub/redhat-3.0.3/i386/updates/RPMS
ftp.caldera.com/pub/mirrors/redhat/redhat-3.0.3/i386/updates/RPMS
In either case, this RPM can be updated with the command:

    rpm -Uvh perl-5.003-2.i386.rpm

You can ensure your version of Perl has this fix by executing:

    perl -v

It should print something similar to:

    This is perl, version 5.003 with EMBED
    built under linux at Jun 30 1996 16:48:57
    + suidperl security patch

IV. References
ftp://info.cert.org/pub/cert_advisories/CA-96.12.README
-
Notes: To learn how to use this list server, email a "help" command to
majordomo@caldera.com.