Date: 19 May 1997
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-97.13 AUSCERT Advisory
suidperl buffer overrun vulnerability
23 April 1997
Last Revised: 19 May 1997
Added information to remove confusion about whether
the current version of perl was patched or not.
Made find command a little less restrictive.
Added specific vendor information.
A complete revision history is at the end of this file.
---------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in the
suidperl program. This vulnerability affects perl versions 4.x and 5.x,
up to and including perl 5.003.
This vulnerability may allow local users to gain root privileges.
Exploit information regarding this vulnerability has been made publicly
available.
AUSCERT recommends that sites take the steps outlined in section 3
as soon as possible.
---------------------------------------------------------------------------
1. Description
On some systems, setuid and setgid scripts (scripts written in the C
shell, Bourne shell, or Perl, for example, with the set user or group
ID permissions enabled) are insecure due to a race condition in the
kernel. For those systems, Perl versions 4 and 5 attempt to work around
this vulnerability with a special program named suidperl, also known
as sperl. Even on systems that do provide a secure mechanism for setuid
and setgid scripts, suidperl may still be installed although it is
not needed.
suidperl attempts to emulate the set-user-ID and set-group-ID
features of the kernel. Depending on whether the script is
set-user-ID, set-group-ID, or both, suidperl achieves this emulation
by first changing its effective user or group ID to that of the
original Perl script. suidperl then reads and executes the script as
that effective user or group. To do these user and group ID changes
correctly, suidperl must be installed as set-user-ID root.
Due to insufficient bounds checking on arguments which are supplied
by users, it is possible to overwrite the internal stack space of
suidperl while it is executing. By supplying a carefully designed
argument to suidperl, intruders may be able to force suidperl to
execute arbitrary commands. As suidperl is setuid root, this may
allow intruders to run arbitrary commands with root privileges.
This vulnerability is known to affect suidperl versions 4.x and
5.x up to and including 5.003.
The suidperl program may be installed as part of the standard
operating system or optionally as a third party product.
2. Impact
Local users may be able to gain root privileges on systems which
have installed suidperl.
3. Workarounds/Solution
AUSCERT recommends that sites determine if their system is vulnerable,
and if so, immediately prevent the exploitation of this vulnerability
by removing the setuid permissions from suidperl (Section 3.1).
If the suidperl functionality is essential to your site, it is
recommended that the patch given in section 3.2 is applied.
Specific vendor information regarding this vulnerability has been
added in Appendix A. If your vendor is not listed in this Appendix,
please contact your vendor directly.
3.1 Determine if your system is vulnerable
To determine if a system is vulnerable to this problem and to
disable the programs that are believed to be vulnerable, use the
following find command or a variant. Consult your local system
documentation to determine how to tailor the find program on your
system.
You will need to run the find command on each system you maintain
because the command examines files on the local disk only. Substitute
the names of your local file systems for FILE_SYSTEM_NAMES in the
example. Typical local file system names are /, /usr, and /var.
You must do this as root.
Note that this is one long command, though we have separated
it onto three lines using back-slashes.
find FILE_SYSTEM_NAMES -xdev -type f -user root \
    \( -name 'sperl*' -o -name 'suidperl' \) \
    -perm -04000 -print -ok chmod ug-s '{}' \;
This command will find all files on a system that are
- only in the file system you name (FILE_SYSTEM_NAMES -xdev)
- regular files (-type f)
- owned by root (-user root)
- named appropriately (\( -name 'sperl*' -o -name 'suidperl' \))
- setuid root (-perm -04000)
Once found, those files will
- have their names printed (-print)
- have their modes changed, but only if you type `y'
in response to the prompt (-ok chmod ug-s '{}' \;)
3.2 Install patched version
If the suidperl functionality is essential to your system, the perl
development coordinator Chip Salzenberg has released a patch for perl
5.003. This patch and installation instructions may be retrieved
from:
ftp://ftp.auscert.org.au/pub/auscert/tools/suidperl.patch
Once patches have been applied to a clean version of perl 5.003, and
installed, the output from the following command will be observed:
% suidperl -v
This is perl, version 5.003 with EMBED
Locally applied patches:
SUIDBUF - Buffer overflow fixes for suidperl security
built under freebsd at Apr 24 1997 12:26:19
+ two suidperl security patches
Copyright 1987-1996, Larry Wall
Perl may be copied only under the terms of either the Artistic
License or the GNU General Public License, which may be found in
the Perl 5.0 source kit.
Note the line "+ two suidperl security patches": both fixes are now
installed. Previous, vulnerable versions of suidperl may show only
"+ suidperl security patch", which does not by itself indicate that
this vulnerability has been fixed.
AUSCERT understands that this vulnerability has been removed in the
upcoming perl 5.004 release.
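The following shell script rehearses the Section 3.1 search and the Section 3.2 banner rule together; it is an added example, not part of the AUSCERT advisory. The function names, the owner parameter (which defaults to root but lets the check be rehearsed on a constructed tree owned by the current user) and the fake "-v" banners are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the AUSCERT advisory: locate set-user-ID
# suidperl/sperl* files (Section 3.1 predicates) and classify each by
# its "-v" banner (Section 3.2 rule). Owner defaults to root; it is a
# parameter so the check can be rehearsed on a constructed tree.

# Same predicates as the advisory's find, minus the interactive chmod.
find_suid_perl() {
    find "$1" -xdev -type f -user "${2:-root}" \
        \( -name 'sperl*' -o -name 'suidperl' \) -perm -04000 -print
}

# Only "+ two suidperl security patches" means 5.003 is fixed; the
# older "+ suidperl security patch" banner alone is still vulnerable.
classify_banner() {
    case "$1" in
        *'two suidperl security patches'*) echo patched ;;
        *'suidperl security patch'*)       echo vulnerable ;;
        *)                                 echo unknown ;;
    esac
}

# One "status path" line per set-user-ID perl found under $1.
audit_tree() {
    find_suid_perl "$1" "$2" | while read -r f; do
        echo "$(classify_banner "$("$f" -v 2>/dev/null)") $f"
    done
}

# Constructed rehearsal tree: two fake set-user-ID "binaries" that print
# the banners quoted in the advisory, and a non-setuid copy to be skipped.
make_demo_tree() {
    d=$(mktemp -d) && mkdir -p "$d/usr/bin"
    printf '#!/bin/sh\necho "This is perl, version 5.003 with EMBED"\necho "+ two suidperl security patches"\n' \
        > "$d/usr/bin/suidperl"
    printf '#!/bin/sh\necho "This is perl, version 5.003"\necho "+ suidperl security patch"\n' \
        > "$d/usr/bin/sperl5.003"
    cp "$d/usr/bin/sperl5.003" "$d/usr/bin/sperl-nosuid"
    chmod 4755 "$d/usr/bin/suidperl" "$d/usr/bin/sperl5.003"
    chmod 755 "$d/usr/bin/sperl-nosuid"
    echo "$d"
}
```

On a real system run `audit_tree / root` as root; anything reported as vulnerable or unknown should have its set-user-ID bit removed as in Section 3.1 until the Section 3.2 patch is installed.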
4. Additional measures
Most Unix systems ship with numerous programs which have setuid or
setgid privileges. Often the functionality supplied by these
privileged programs is not required by many sites. The large number
of privileged programs shipped by default is there to cater for
all possible uses of the system.
AUSCERT encourages sites to examine all the setuid/setgid programs
and determine the necessity of each program. If a program does not
absolutely require the setuid/setgid privileges to operate (for
example, it is only run by the root user), the setuid/setgid
privileges should be removed. Furthermore, if a program is not
required at your site, then all execute permissions should be removed.
A sample command to find all setuid/setgid programs is (run as root):
# find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -l {} \;
It is AUSCERT's experience that many vulnerabilities are being discovered
in setuid/setgid programs which are not necessary for the correct
operation of most systems. Sites can increase their security by
removing unnecessary setuid/setgid programs.
For example, the functionality provided by the suidperl program is
not needed by many sites. If sites had previously disabled this
program, they would not have been susceptible to this latest
vulnerability.
...........................................................................
Appendix A Vendor information
Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional
information. If your vendor is not listed below, or you require further
vendor information, please contact the vendor directly.
RedHat Linux
============
There is a critical security hole in perl (specifically /usr/bin/sperl*)
which affects all versions of Red Hat Linux. A new version, perl-5.003-8,
is now available for Red Hat Linux 4.0 and 4.1 for all platforms. If you
are running an earlier version of Red Hat, we strongly encourage you to
upgrade to 4.1 as soon as possible, as many critical security fixes have
been made. The new version of perl is PGP signed with the Red Hat PGP key.
Thanks to Chip Salzenberg for putting together this patch.
You may upgrade to the new version as follows:
Red Hat 4.1
-------------
i386:
rpm -Uvh ftp://ftp.redhat.com/updates/4.1/i386/perl-5.003-8.i386.rpm
alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.1/alpha/perl-5.003-8.alpha.rpm
SPARC:
rpm -Uvh ftp://ftp.redhat.com/updates/4.1/sparc/perl-5.003-8.sparc.rpm
Red Hat 4.0
-------------
i386:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/i386/perl-5.003-8.i386.rpm
alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/alpha/perl-5.003-8.alpha.rpm
SPARC:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/sparc/perl-5.003-8.sparc.rpm
...........................................................................
---------------------------------------------------------------------------
AUSCERT acknowledges CERT/CC for much of the technical description used
in this advisory. AUSCERT also thanks Chip Salzenberg for his quick
response to this vulnerability.
---------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
Prentice Centre
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
19 May 1997 The command "perl -v" under perl 5.003 says a security
patch is already installed which is misleading.
Updated advisory to remove this ambiguity.
Altered the find command in Section 3.1 to be less
restrictive.
Added Appendix A to contain specific vendor information.
Added information on RedHat Linux to this section.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~