suidperl Discloses File Existence to Local Users
|
|
SecurityTracker Alert ID: 1007583
|
|
CVE Reference: CAN-2003-0618
(Links to External Site)
|
Updated: Feb 3 2004
|
Original Entry Date: Aug 27 2003
|
Impact: Disclosure of system information
|
Exploit Included: Yes
|
Description: An information disclosure vulnerability was reported in suidperl (sperl). A local user can determine if files exist in directories for which the user does not have access permissions.
It is reported that the error messages returned by suidperl vary depending on whether the requested file exists or not.
For
files that do not exist, the following error message is reportedly displayed:
Can't open perl script "[filepath]": No such file
or directory
For files that exist but are not configured with setuser id (setuid) or setgroup id (setgid) privileges, the following
error message is reportedly displayed:
Script is not setuid/setgid in suidperl
According to the report, this flaw has been
reported to the vendor (on 23 Mar 2001).
|
Impact: A local user can determine if a specified file exists or not.
|
Solution: No solution was available at the time of this entry.
|
Cause: State error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: psz@maths.usyd.edu.au (Paul Szabo)
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Wed, 27 Aug 2003 12:15:56 +1000 (EST)
From: psz@maths.usyd.edu.au (Paul Szabo)
Subject: [Full-Disclosure] suidperl path disclosure
|
suidperl can be used for path disclosure (to verify if a file exists
when the user has no access to the directories above). The error
messages returned by suidperl are too revealing: in the examples below
I expected a uniform 'permission denied' or similar.
Set things up as one user (e.g. root):
# pwd
/root/ptest
# ls -al
total 8
drwx------ 2 root root 4096 Jul 30 09:36 .
drwx------ 13 root root 4096 Jul 30 09:35 ..
-rwx------ 1 root root 0 Jul 30 09:36 file
-rws------ 1 root root 0 Jul 30 09:36 sfile
As another (normal) user, use suidperl to disclose path info:
$ id
uid=1001(psz) gid=1001(amstaff) groups=1001(amstaff),109(tutsols)
$ for n in nosuch file sfile; do
> echo ''; echo Test $n; suidperl /root/ptest/$n
> done
Test nosuch
Can't open perl script "/root/ptest/nosuch": No such file or directory
Test file
Script is not setuid/setgid in suidperl
Test sfile
Permission denied.
I cannot immediately see how this could be used for a root compromise.
This problem was reported to perlbug@perl.com on 23 Mar 2001, see
http://rt.perl.org/rt2/Ticket/Display.html?id=6511
and to submit@bugs.debian.org on 30 Jul 2003, see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=203426
but is apparently not being worked on. Mis-quoting from that latter
reference:
Bug has been reported a month (or two years) ago, but those uncaring,
lazy people have done nothing.
Cheers,
Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
|
|
