Security compromise from perl (suidperl) utility

The authors of perl provide a "suidperl" program for proper processing of setuid perl scripts on systems where race conditions involving setuid scripts could be exploited to gain unauthorized access. FreeBSD installs this suidperl program (and a link) as part of the standard installation. However, privilege processing done by this program does not take into account recent functionality extensions in the seteuid/setegid system calls.

  • Vendor: FreeBSD
  • Vendor ID: SA-96:12
  • Date: June 28, 1996


-----BEGIN PGP SIGNED MESSAGE-----

=====================================================================
FreeBSD-SA-96:12 Security Advisory
FreeBSD, Inc.

Topic: security compromise from perl (suidperl) utility

Category: core and ports
Module: perl
Announced: 1996-06-28
Affects: FreeBSD 2.0, 2.0.5, 2.1, 2.1-stable, and 2.2-current
Corrected: 2.1-stable and 2.2-current as of 1996-06-03
FreeBSD only: no

Patches: ftp://freebsd.org/pub/CERT/patches/SA-96:12/

=====================================================================

I. Background

FreeBSD ships perl version 4 as part of the base level system.
In addition, a port for perl version 5 is provided, and it has
a similar vulnerability. The vulnerability is specific to the
suidperl flavors of perl installed on the system.

This problem is present in all source code and binary
distributions of FreeBSD version 2.0.5 and later released
before 1996-05-21. This problem is not present in FreeBSD
2.0 and earlier versions of FreeBSD.

II. Problem Description

The authors of perl provide a "suidperl" program for proper
processing of setuid perl scripts on systems where race
conditions involving setuid scripts could be exploited to gain
unauthorized access. FreeBSD installs this suidperl program
(and a link) as part of the standard installation. However,
privilege processing done by this program does not take into
account recent functionality extensions in the seteuid/setegid
system calls.


III. Impact

This vulnerability can be exploited only by users with a valid
account on the local system; such users can easily obtain
superuser access.

This vulnerability is present on all systems with the
_POSIX_SAVED_IDS functionality extension where suidperl
has been installed.


IV. Workaround

One may simply disable the setuid bit on all copies of the setuid
version of perl. This will close the vulnerability but render
inoperable setuid perl scripts. No software currently shipping
as part of FreeBSD relies on this functionality so the impact is
only to third party software.

As root, execute the commands:

# chmod 111 /usr/bin/suidperl
# chmod 111 /usr/bin/sperl4.036

In addition, if you have installed the perl5 port:

# chmod 111 /usr/local/bin/suidperl
# chmod 111 /usr/local/bin/sperl5.001

then verify that the setuid permissions of the files have been
removed. The permissions array should read "-r-xr-xr-x" as
shown here:

# ls -l /usr/bin/s*perl*
---x--x--x 2 root bin 307200 Jun 1 17:16 /usr/bin/sperl4.036
---x--x--x 2 root bin 307200 Jun 1 17:16 /usr/bin/suidperl

and for the perl5 port:

# ls -l /usr/local/bin/s*perl*
---x--x--x 2 root bin 397312 Jan 22 15:15 /usr/local/bin/sperl5.001
---x--x--x 2 root bin 397312 Jan 22 15:15 /usr/local/bin/suidperl
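
Added example (not part of the FreeBSD advisory): a shell check for the workaround above. It reports whether any of the four paths named in this section still carries a setuid or setgid bit, and it can search directories for other set-id copies of perl; the function names audit_suidperl and find_setid_perl and the variable SUIDPERL_PATHS are made up for this example.

```sh
#!/bin/sh
# Added example: verify the SA-96:12 workaround on a host.
# Default paths are the ones listed in section IV of the advisory.
SUIDPERL_PATHS="/usr/bin/suidperl /usr/bin/sperl4.036 /usr/local/bin/suidperl /usr/local/bin/sperl5.001"

# audit_suidperl [path ...]
# Prints one status line per path. Returns 0 when no existing file still
# has a setuid or setgid bit, 1 when at least one does.
audit_suidperl() {
    [ "$#" -gt 0 ] || set -- $SUIDPERL_PATHS
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "absent  $f"
            continue
        fi
        # First ten characters of ls -l output are the permission string.
        mode=$(ls -ld "$f" | cut -c1-10)
        if [ -u "$f" ] || [ -g "$f" ]; then
            echo "SETID   $mode $f"
            rc=1
        else
            echo "ok      $mode $f"
        fi
    done
    return $rc
}

# find_setid_perl dir [dir ...]
# Lists regular files named *perl* under the given directories that still
# carry a setuid or setgid bit, to catch copies outside the default paths.
find_setid_perl() {
    find "$@" -type f -name '*perl*' \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}
```

Run audit_suidperl with no arguments after the chmod commands; a non-zero exit status means at least one copy is still set-id. find_setid_perl /usr/bin /usr/local/bin lists any remaining set-id perl binaries in those directories.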


V. Solution

*NOTE* A patch for perl is available directly from Larry Wall
(the author of perl) which solves this vulnerability in a
different fashion than the FreeBSD patches. You may apply
either the FreeBSD patches, or Larry's patches, or both.
The patches solve the problem via two different mechanisms.

Patches are available which eliminate this vulnerability.
The following patch should be applied to the system sources and
suidperl should be rebuilt and reinstalled.

Apply the patch, then:
# cd /usr/src/gnu/usr.bin/perl/sperl
# make depend
# make all
# make install

A similar patch is also available for the perl5 port.
Apply the following patch by moving it into the patch
directory for the port distribution and rebuilding and
installing perl5:

# cd /usr/ports/lang/perl5
# cp /patch-a[ab] patches
# make all
# make install

NOTE: These patches do NOT solve the vulnerability for FreeBSD 2.0
or 2.0.5. These only solve the problem for 2.1 and later.
Patches specific to FreeBSD 2.0 and 2.0.5 are available at
the URL listed at the top of this file.


=====================================================================
FreeBSD, Inc.

Web Site: http://www.freebsd.org/
Confidential contacts: [email protected]
PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications: [email protected]
Security public discussion: [email protected]

Notice: Any patches in this document may not apply cleanly due to
modifications caused by digital signature or mailer software.
Please reference the URL listed at the top of this document
for original copies of all patches if necessary.
=====================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBMdOTfFUuHi5z0oilAQEVkAP/cVHgqsW4GNpShs4RDQYvAphA31vTNiE8
vrfyjpA1GQET/KycQe0xdQWaQ7FF6FwG5ieahHFypqFN2Ze8VW10EuWN/EFhfjh5
vFnCqOW5r84DraP3ttkdR6WKyQXDwt61QBGiO7FYa03Kz29v3n9TO7W0LS+pAhB1
cZZwEwUN318=
=M6FK
-----END PGP SIGNATURE-----
