Bugtraq mailing list archives

Re: Buffer overflow in sperl5.003
From: jlewis () inorganic5 fdt net (Jon Lewis)
Date: Sat, 19 Apr 1997 05:50:58 -0400


On Fri, 18 Apr 1997, David Luyer wrote:

On Thu, 17 Apr 1997, Murphy wrote:
Attached is the source for the exploit. Since it requires some work to
be done to the compiled exploit (stripping of 5 bytes at the beginning and
end of the binary), the precompiled Linux x86 exploit can be found at
http://www.ecst.csuchico.edu/~jtmurphy/localusers.html.

Note that the exploit tries offsets of 1170 to 1240.  Debian Linux with
sperl5.00307 requires a value of 1169 (and is vulnerable).

I really like to use suidperl (too lazy to use C most of the time) so it's
really been bugging me that nobody has posted a fix other than chmod a-s.
I spent quite a while trying to figure out what the heck was going on in
the perl source, and after many failed attempts to stop this problem, it
hit me.  It appears the tryall.sperl script just runs sperl with an
obnoxiously long argv[1] that happens to have some code tacked onto the
end.  I couldn't figure out where exactly the buffer overrun was in perl
but I figured having really long args to perl is unlikely...so why not
limit them to 1024 chars each?

--- miniperlmain.c.orig Sat Apr 19 03:18:29 1997
+++ miniperlmain.c      Sat Apr 19 05:40:10 1997
@@ -30,6 +30,15 @@
 #endif
 {
     int exitstatus;
+/* begin hacking */
+   if (geteuid() != getuid() || getegid() != getgid()) {
+       int i;
+       for (i=0;i<argc;i++) {
+           if (strlen(argv[i]) > 1024)
+               exit(69);
+       }
+   }
+/* end hacking */

     PERL_SYS_INIT(&argc,&argv);
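Review bot: the gate added ahead of PERL_SYS_INIT rejects an over-long argument with a bare exit(69) and no message, so an administrator whose suidperl script suddenly dies has nothing to tell this stopgap apart from any other failure; write a one-line diagnostic to stderr before exiting, e.g. `fprintf(stderr, "argument %d longer than 1024 bytes, refusing\n", i);`, and hoist the magic 1024 and the exit status into named constants. Note also that the loop only runs when the real and effective ids differ, so it bounds one input path for the set-id case while the overrun in perl itself (which the accompanying text says is still unlocated) remains unfixed; document in the comment that this is a length limit on argv, not a fix for the underlying bug.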


The only use for a huge argv[1] I can think of is passing a "program" to
perl, and suidperl doesn't allow that anyway.

This patch is really untested except that it does cause tryall.sperl and
tryall.generic to fail.  I don't know for sure that it "fixes" the
problem, but it should at least keep the casual hacker at bay.  It could
very well break some stuff...but why would you want to feed that much to
perl on the commandline?

------------------------------------------------------------------
 Jon Lewis <jlewis () fdt net>  |  Unsolicited commercial e-mail will
 Network Administrator       |  be proof-read for $199/hr.
________Finger jlewis () inorganic5 fdt net for PGP public key_______


