J-Security Center

Title: SuidPerl Mail Shell Escape Vulnerability

Severity: MODERATE

Description:

The interaction between some security checks performed by suidperl, the setuid version of perl, and the /bin/mail program creates a scenario that allows local malicious users to execute commands with root privileges.

The suidperl program performs a number of checks to make sure it can't be fooled into executing a perl script with root privileges when its not suid root. When one of these checks fails the program will compose a message to the root user. The mail message looks like this:

From: Bastard Operator <root@nimue.tpi.pl>
To: root@nimue.tpi.pl

User 500 tried to run dev 769 ino 343180 in place of dev 769 ino 343183!
(Filename of set-id script was /some/thing, uid 500 gid 500.)

Sincerely,
perl

The name of the script to execute (inserted into the message) is taken from the program's argument list (argv[1]). suidperl executes /bin/mail to inject the message into the mail system. It does so without cleaning the environment or dropping its root privileges. The /bin/mail program has an undocumented feature. By setting the environment variable "interactive" to any value, /bin/mail will interpret the sequence "~!" as an escape sequence to start a shell and execute commands even when the program is not attached to a terminal. The environment variable "interactive" can be also set from ~/.mailrc with a "set interactive" line.

A malicous user can create a file with an escape sequence and commands embedded in the file name, then execute suidperl in such a way that the security check fails. suidperl will send a message to root via /bin/mail with the escape sequence embedded in the message. This will cause /bin/mail to start a root shell and execute the commands.

Affected Products:

  • Debian Linux 2.1.0
  • Debian Linux 2.1.0 68k
  • Debian Linux 2.1.0 alpha
  • Debian Linux 2.1.0 sparc
  • Debian Linux 2.2.0
  • Debian Linux 2.2.0 alpha
  • Debian Linux 2.2.0 arm
  • Debian Linux 2.2.0 powerpc
  • Debian Linux 2.2.0 sparc
  • Larry Wall Perl 5.0.0 04_05
  • Larry Wall Perl 5.0.0 05
  • Larry Wall Perl 5.0.0 05_003
  • Larry Wall Perl 5.6.0
  • MandrakeSoft Linux Mandrake 6.0.0
  • MandrakeSoft Linux Mandrake 6.1.0
  • MandrakeSoft Linux Mandrake 7.0.0
  • MandrakeSoft Linux Mandrake 7.1.0
  • RedHat Linux 5.0.0
  • RedHat Linux 5.1.0
  • RedHat Linux 5.2.0
  • RedHat Linux 5.2.0 alpha
  • RedHat Linux 5.2.0 i386
  • RedHat Linux 5.2.0 sparc
  • RedHat Linux 6.0.0
  • RedHat Linux 6.0.0 alpha
  • RedHat Linux 6.0.0 sparc
  • RedHat Linux 6.1.0 alpha
  • RedHat Linux 6.1.0 i386
  • RedHat Linux 6.1.0 sparc
  • RedHat Linux 6.2.0
  • RedHat Linux 6.2.0 E alpha
  • RedHat Linux 6.2.0 E i386
  • RedHat Linux 6.2.0 E sparc
  • RedHat Linux 6.2.0 alpha
  • RedHat Linux 6.2.0 i386
  • RedHat Linux 6.2.0 sparc
  • RedHat mailx-8.1.1-10.i386.rpm 0.0.0
  • RedHat mailx-8.1.1-5.i386.rpm 0.0.0
  • RedHat perl-5.004m4-1.i386.rpm 0.0.0
  • RedHat perl-5.00503-10.i386.rpm 0.0.0
  • SCO eDesktop 2.4.0
  • SCO eServer 2.3.0
  • Trustix Trustix Secure Linux 1.1.0
  • Turbolinux Turbolinux 4.0.0
  • Turbolinux Turbolinux 4.2.0
  • Turbolinux Turbolinux 4.4.0
  • Turbolinux Turbolinux 6.0.0
  • Turbolinux Turbolinux 6.0.1
  • Turbolinux Turbolinux 6.0.2
  • Turbolinux Turbolinux 6.0.3
  • Turbolinux Turbolinux 6.0.4

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.