Date: Sat, 11 Oct 2008 16:52:23 +0200
From: "Shlomi Fish" <shlomif@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: [Security Bug] Perl's CPANPLUS.pm Creates World-writable Files

Hi all.

As reported here:

http://rt.cpan.org/Public/Bug/Display.html?id=39516

And discussed here:

http://www.nntp.perl.org/group/perl.qa/2008/09/msg11582.html

<<<
CPANPLUS will happily unpack and continue to build distributions that
contain world-writable files, including program files that are executed
by Perl. By writing to these world-writable programs, a malicious user
will be able to execute arbitrary code as the user running the CPANPLUS
process.

After smoking CPANPLUS as user "cpan", I got the following errors from
Mandriva's msec process:

{{{{{{{{
/home/cpan/.cpanplus/5.10.0/build/Data-Dump-Streamer-2.08-40/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Digest-JHash-0.05/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Getopt-ArgvFile-1.11/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/HTML-Scrubber-0.08/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Kephra-0.3.10.11/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Readonly-1.03/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/OOTools-2.21/Makefile.PL
}}}}}}}}

Each of these is a world-writable file, and each of these gets executed
after the unpacking stage. A malicious user can append something like
qq{system('rm -fr /');} there while the archive is unpacking, and so
I'll lose all the files on my system.

CPANPLUS should check for any world-writable files, and if they exist -
refuse to build the distribution.
>>>

Regards,

-- Shlomi Fish

------------------------------------------
Shlomi Fish http://www.shlomifish.org/

Electrical Engineering studies. In the Technion. Been there. Done
that. Forgot a lot. Remember too much.

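One way to implement the check the report asks for, as an added example written for this archive and not CPANPLUS's own code. It walks an unpacked distribution directory and dies before Makefile.PL would be executed if anything under it is world-writable. The sample tree it builds under a temporary directory is constructed to mirror the paths quoted in the report and is not real data; the distribution names and the use of ExtUtils::MakeMaker in the dummy Makefile.PL are illustration only.

```perl
#!/usr/bin/perl
# Added example, not CPANPLUS code: scan an unpacked distribution for
# world-writable files and refuse to run its Makefile.PL if any exist.
use strict;
use warnings;
use File::Find qw(find);
use File::Temp qw(tempdir);
use Fcntl qw(:mode);

# Return every path below $dir whose other-write bit is set, directories
# included (a world-writable directory lets anyone replace its files).
# lstat is used so a symlink pointing at a world-writable target elsewhere
# (e.g. under /tmp) is not reported; the link itself is skipped.
sub find_world_writable {
    my ($dir) = @_;
    my @bad;
    find(
        {
            no_chdir => 1,
            wanted   => sub {
                my @st = lstat($_) or return;
                my $mode = $st[2];
                return if S_ISLNK($mode);
                push @bad, $_ if $mode & S_IWOTH;
            },
        },
        $dir,
    );
    return sort @bad;
}

# Gate to call after unpacking and before executing Makefile.PL / Build.PL.
sub refuse_if_world_writable {
    my ($dir) = @_;
    my @bad = find_world_writable($dir);
    die "Refusing to build $dir: world-writable files found:\n"
      . join('', map {"  $_\n"} @bad) if @bad;
    return 1;
}

# Create a file with an explicit mode, bypassing the current umask, to
# mimic an archive that carries 0666 permissions for Makefile.PL.
sub write_file_with_mode {
    my ($path, $mode) = @_;
    open my $fh, '>', $path or die "open $path: $!";
    print {$fh} "use ExtUtils::MakeMaker;\nWriteMakefile(NAME => 'Dummy');\n";
    close $fh or die "close $path: $!";
    chmod $mode, $path or die "chmod $path: $!";
    return;
}

# Constructed sample tree in the layout of the report: one clean
# distribution and one whose Makefile.PL was extracted world-writable.
my $build_root = tempdir(CLEANUP => 1);
for my $dist ('Readonly-1.03', 'Digest-JHash-0.05') {
    mkdir "$build_root/$dist" or die "mkdir $dist: $!";
}
write_file_with_mode("$build_root/Readonly-1.03/Makefile.PL",     0644);
write_file_with_mode("$build_root/Digest-JHash-0.05/Makefile.PL", 0666);

for my $dist ('Readonly-1.03', 'Digest-JHash-0.05') {
    my $dir = "$build_root/$dist";
    if (eval { refuse_if_world_writable($dir) }) {
        print "$dist: clean, Makefile.PL may run\n";
    } else {
        print "$dist: BLOCKED\n$@";
    }
}
```

Two caveats worth keeping in mind. The check runs after unpacking, so the files were already world-writable during the unpack window; creating the build root (the ~/.cpanplus tree in the report) with mode 0700 removes the exposure for every file underneath it instead of merely detecting it, as does extracting with a tool that applies the umask rather than the mode stored in the archive. And other-write is not the only dangerous bit: a group-writable file is just as exploitable when the build user's group contains untrusted members, so a stricter audit can extend the mask to S_IWGRP as well.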