COMMAND
sperl5.003
SYSTEMS AFFECTED
Systems running sperl5.003 and possibly others
PROBLEM
tarreau@aemiaif.ibp.fr found a buffer overflow in sperl5.003. It
allows local users to gain root access if the binary is installed
SUID root. He wrote an exploit for it.
There is a buffer overflow in sperl5.003 that lets local users get
root access. The really neat thing about this exploit is that it
uses generic buffer overflow code: you just tell it the offset for
the stack frame, and if you're right, you get root (assuming the
program being attacked actually has a flaw). With the script
provided, the exploit works out the stack frame offset by itself.
If an attempt fails, it adds one to the stack frame offset and
tries again (which is really cool!). Below are links to two tgz
files. One is a precompiled binary and the other is the source.
Jason decided to keep them separate because the source can be used
to find many buffer overflows in many programs, while the
precompiled one is only for sperl5.003 and sperl5.001. If you
think there is a buffer overflow bug in a program, grab
sperlexp_source.tgz and change it to use that program and see
whether it works. With the source for this exploit you can test a
lot of programs in a short amount of time without having to go
through the joy of writing an exploit for every program you think
needs testing. Credit goes to tarreau@aemiaif.ibp.fr.
The Exploit:
http://www.ecst.csuchico.edu/~jtmurphy/exploits/sperlexp.tgz
for the precompiled sperlexp.tgz and
http://www.ecst.csuchico.edu/~jtmurphy/exploits/sperlexp_source.tgz
for sperlexp_source.tgz.
David Luyer noted that the exploit tries offsets of 1170 to 1240.
Debian Linux with sperl5.00307 requires a value of 1169 (and is
vulnerable).
SOLUTION
Remove the suid bit (chmod 500 sperl5.003). In any case, a patch
for 5.003_97f has appeared on the Perl5-Porters list, and the
entire codebase is being examined line by line to find any other
such conditions. Perl 5.003_97g has been released as well and
should fix this bug. Any other overflow problems will be caught
and killed before the 5.004 release.
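As an added example, not part of the original advisory: a small POSIX shell audit that finds setuid sperl5*/suidperl binaries under a directory tree and applies the advisory's chmod 500 to each. The file-name patterns, the function names and the --fix flag are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original advisory): audit a tree for setuid
# sperl5*/suidperl binaries and apply the advisory's mitigation, chmod 500.
# Assumes POSIX sh with find(1), chmod(1) and wc(1). Any setuid copy is
# reported, whatever its version, since the fix is to drop the suid bit.

# list_suid_sperl DIR: print every setuid regular file named sperl5* or
# suidperl below DIR, one path per line (the "suidperl" name is assumed).
list_suid_sperl() {
    find "$1" -type f \( -name 'sperl5*' -o -name 'suidperl' \) \
        -perm -4000 2>/dev/null
}

# count_suid_sperl DIR: number of such files; 0 means nothing left to fix.
count_suid_sperl() {
    list_suid_sperl "$1" | wc -l | tr -d ' '
}

# fix_suid_sperl DIR: chmod 500 each hit (owner read/execute only, suid
# bit cleared, no access for group or others) and report what changed.
fix_suid_sperl() {
    list_suid_sperl "$1" | while read -r f; do
        chmod 500 "$f" && printf 'cleared setuid: %s\n' "$f"
    done
}

# usage: sperl_audit.sh [--fix] DIR   (no arguments: define functions only)
case "$1" in
    --fix) fix_suid_sperl "$2" ;;
    "")    ;;
    *)     list_suid_sperl "$1" ;;
esac
```

Run it once without --fix to review the list, then with --fix to apply the chmod 500 from the SOLUTION section to every setuid copy found.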