Return-Path: owner-bugtraq@SECURITYFOCUS.COM
X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.16-2iwk i686)
X-Accept-Language: fr-CA, fr, en
MIME-Version: 1.0
References: <Pine.LNX.4.21.0008051913570.26685-100000@dione.ids.pl>
Content-Type: multipart/mixed; boundary="------------7100918AE444B985FFE367B3"
Message-ID:  <398F06C0.D63BEC48@iNsu.COM>
Date:         Mon, 7 Aug 2000 14:58:08 -0400
Reply-To: "Francis J. Lacoste" <francis.lacoste@INSU.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: "Francis J. Lacoste" <francis.lacoste@INSU.COM>
Organization: iNsu Innovations Inc.
Subject:      Re: sperl 5.00503 (and newer ;) exploit
To: BUGTRAQ@SECURITYFOCUS.COM

This is a multi-part message in MIME format.
--------------7100918AE444B985FFE367B3
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable


Regarding the suidperl / mailx security problem, here are
two patches which closes the hole in perl and in mailx.

The perl bug is closed by using syslog rather than /bin/mail

The mailx patch (against 8.1.1 + redhat/debian patches) does
the following :

	- Do not lookup options in the environment.
  	- Do not read rc files when running with uid !=3D euid
	- Unset interactive when sending mail with uid !=3D euid
	  or when stdin is not a tty.


-- =

Francis J. Lacoste		     iNsu Innovations Inc.	=

CTA 				      T=E9l.: (514) 336-5544
francis.lacoste@iNsu.COM	      Fax.: (514) 336-8128
--------------7100918AE444B985FFE367B3
Content-Type: text/plain; charset=us-ascii;
 name="perl-5.00503-syslog.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="perl-5.00503-syslog.patch"

--- perl5.005_03/perl.c.dont-try-to-be-clever	Mon Aug  7 09:46:06 2000
+++ perl5.005_03/perl.c	Mon Aug  7 09:52:27 2000
@@ -20,6 +20,9 @@
 #include <unistd.h>
 #endif

+/* Use syslog rather than /bin/mail to notify of tricky perl behavior  */
+#include <syslog.h>
+
 #if !defined(STANDARD_C) && !defined(HAS_GETENV_PROTOTYPE)
 char *getenv _((char *)); /* Usually in <stdlib.h> */
 #endif
@@ -2220,16 +2223,17 @@
 	    if (tmpstatbuf.st_dev != PL_statbuf.st_dev ||
 		tmpstatbuf.st_ino != PL_statbuf.st_ino) {
 		(void)PerlIO_close(PL_rsfp);
-		if (PL_rsfp = PerlProc_popen("/bin/mail root","w")) {	/* heh, heh */
-		    PerlIO_printf(PL_rsfp,
-"User %ld tried to run dev %ld ino %ld in place of dev %ld ino %ld!\n\
-(Filename of set-id script was %s, uid %ld gid %ld.)\n\nSincerely,\nperl\n",
+		openlog( "suidperl", LOG_NDELAY|LOG_PID, LOG_AUTHPRIV);
+		syslog( LOG_ALERT,
+			"User %ld tried to run dev %ld ino %ld in"
+			" place  of dev %ld ino %ld!\n"
+			"(Filename of set-id script was %s, uid %ld "
+			"gid %ld.)\n\nSincerely,\nperl\n",
 			(long)PL_uid,(long)tmpstatbuf.st_dev, (long)tmpstatbuf.st_ino,
 			(long)PL_statbuf.st_dev, (long)PL_statbuf.st_ino,
 			SvPVX(GvSV(PL_curcop->cop_filegv)),
 			(long)PL_statbuf.st_uid, (long)PL_statbuf.st_gid);
-		    (void)PerlProc_pclose(PL_rsfp);
-		}
+		closelog();
 		croak("Permission denied\n");
 	    }
 	    if (

--------------7100918AE444B985FFE367B3
Content-Type: text/plain; charset=us-ascii;
 name="mailx-8.1.1.setuid.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="mailx-8.1.1.setuid.patch"

--- mailx-8.1.1/main.c.setuid	Mon Aug  7 14:27:56 2000
+++ mailx-8.1.1/main.c	Mon Aug  7 14:33:12 2000
@@ -233,14 +233,30 @@
 	input = stdin;
 	rcvmode = !to;
 	spreserve();
-	if (!nosrc)
-		load(_PATH_MASTER_RC);
-	/*
-	 * Expand returns a savestr, but load only uses the file name
-	 * for fopen, so it's safe to do this.
-	 */
-	load(expand("~/.mailrc"));
+
+	/* Only load command file if we are not running setuid
+	   - From under a setuid program or something */
+	if ( getuid() == geteuid() ) {
+		if (!nosrc)
+			load(_PATH_MASTER_RC);
+		/*
+	 	 * Expand returns a savestr, but load only uses the file name
+		 * for fopen, so it's safe to do this.
+		 */
+		load(expand("~/.mailrc"));
+	}
+	
 	if (!rcvmode) {
+		/* In send mode, turn off interactive if
+		   we are setuid or not running from
+      		   a terminal */
+		if ( value( "interactive" ) != NOSTR &&
+		     ( getuid() != geteuid() || !isatty(0)) )
+		{
+			char *interactive[] = { "interactive", NULL };
+			unset( interactive );
+		}	
+		
 		mail(to, cc, bcc, smopts, subject);
 		/*
 		 * why wait?
--- mailx-8.1.1/vars.c.setuid	Mon Aug  7 14:28:00 2000
+++ mailx-8.1.1/vars.c	Mon Aug  7 14:28:15 2000
@@ -110,7 +110,6 @@

 /*
  * Get the value of a variable and return it.
- * Look in the environment if its not available locally.
  */

 char *
@@ -120,7 +119,7 @@
 	register struct var *vp;

 	if ((vp = lookup(name)) == NOVAR)
-		return(getenv(name));
+		return NULL;
 	return(vp->v_value);
 }


--------------7100918AE444B985FFE367B3--