-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-97.13                        AUSCERT Advisory
                    suidperl buffer overrun vulnerability
                                 23 April 1997

Last Revised: 19 May 1997
              Added information to remove confusion about whether the
              current version of perl was patched or not.
              Made find command a little less restrictive.
              Added specific vendor information.

A complete revision history is at the end of this file.

- ---------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in the suidperl
program. This vulnerability affects perl versions 4.x and 5.x, up to and
including perl 5.003.

This vulnerability may allow local users to gain root privileges.

Exploit information regarding this vulnerability has been made publicly
available.

AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

- ---------------------------------------------------------------------------

1.  Description

    On some systems, setuid and setgid scripts (scripts written in the C
    shell, Bourne shell, or Perl, for example, with the set user or group
    ID permissions enabled) are insecure due to a race condition in the
    kernel. For those systems, Perl versions 4 and 5 attempt to work around
    this vulnerability with a special program named suidperl, also known as
    sperl. Even on systems that do provide a secure mechanism for setuid
    and setgid scripts, suidperl may still be installed although it is not
    needed.

    suidperl attempts to emulate the set-user-ID and set-group-ID features
    of the kernel. Depending on whether the script is set-user-ID,
    set-group-ID, or both, suidperl achieves this emulation by first
    changing its effective user or group ID to that of the original Perl
    script. suidperl then reads and executes the script as that effective
    user or group. To do these user and group ID changes correctly,
    suidperl must be installed as set-user-ID root.
    Due to insufficient bounds checking on arguments which are supplied by
    users, it is possible to overwrite the internal stack space of suidperl
    while it is executing. By supplying a carefully designed argument to
    suidperl, intruders may be able to force suidperl to execute arbitrary
    commands. As suidperl is setuid root, this may allow intruders to run
    arbitrary commands with root privileges.

    This vulnerability is known to affect suidperl versions 4.x and 5.x up
    to and including 5.003.

    The suidperl program may be installed as part of the standard operating
    system or optionally as a third party product.

2.  Impact

    Local users may be able to gain root privileges on systems which have
    installed suidperl.

3.  Workarounds/Solution

    AUSCERT recommends that sites determine if their system is vulnerable,
    and if so, immediately prevent the exploitation of this vulnerability
    by removing the setuid permissions from suidperl (Section 3.1).

    If the suidperl functionality is essential to your site, it is
    recommended that the patch given in section 3.2 is applied.

    Specific vendor information regarding this vulnerability has been added
    in Appendix A. If your vendor is not listed in this Appendix, please
    contact your vendor directly.

    3.1 Determine if your system is vulnerable

        To determine if a system is vulnerable to this problem and to
        disable the programs that are believed to be vulnerable, use the
        following find command or a variant. Consult your local system
        documentation to determine how to tailor the find program on your
        system.

        You will need to run the find command on each system you maintain
        because the command examines files on the local disk only.
        Substitute the names of your local file systems for
        FILE_SYSTEM_NAMES in the example. Typical local file system names
        are /, /usr, and /var. You must do this as root.

        Note that this is one long command, though we have separated it
        onto three lines using back-slashes.
        find FILE_SYSTEM_NAMES -xdev -type f -user root \
            \( -name 'sperl*' -o -name 'suidperl' \) -perm -04000 \
            -print -ok chmod ug-s '{}' \;

        This command will find all files on a system that are

          - only in the file system you name (FILE_SYSTEM_NAMES -xdev)
          - regular files (-type f)
          - owned by root (-user root)
          - named appropriately (-name 'sperl*' -o -name 'suidperl')
          - setuid root (-perm -04000)

        Once found, those files will

          - have their names printed (-print)
          - have their modes changed, but only if you type `y' in response
            to the prompt (-ok chmod ug-s '{}' \;)

    3.2 Install patched version

        If the suidperl functionality is essential to your system, the perl
        development coordinator Chip Salzenberg has released a patch for
        perl 5.003. This patch and installation instructions may be
        retrieved from:

            ftp://ftp.auscert.org.au/pub/auscert/tools/suidperl.patch

        Once patches have been applied to a clean version of perl 5.003,
        and installed, the output from the following command will be
        observed:

            % suidperl -v

            This is perl, version 5.003 with EMBED
                    Locally applied patches:
                      SUIDBUF - Buffer overflow fixes for suidperl security
                    built under freebsd at Apr 24 1997 12:26:19
                    + two suidperl security patches

            Copyright 1987-1996, Larry Wall

            Perl may be copied only under the terms of either the Artistic
            License or the GNU General Public License, which may be found
            in the Perl 5.0 source kit.

        Note that "+ two suidperl security patches" have now been
        installed. Previous, vulnerable, versions of suidperl may only show
        "+ suidperl security patch".

        AUSCERT understands that this vulnerability has been removed in the
        upcoming perl 5.004 release.

4.  Additional measures

    Most Unix systems ship with numerous programs which have setuid or
    setgid privileges. Often the functionality supplied by these privileged
    programs is not required by many sites. The large number of privileged
    programs that are shipped by default is there to cater for all possible
    uses of the system.
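    The two checks above lend themselves to a small reporting script: the
    version-string test from section 3.2 and the setuid/setgid file search
    from sections 3.1 and 4. The following Bourne shell script is an
    illustration added to this copy of the advisory; it is not AUSCERT's
    own tool. It only reports and never changes file modes, so it can be
    run first and the advisory's "chmod ug-s" applied afterwards by hand.
    The marker strings ("+ two suidperl security patches", "SUIDBUF",
    "+ suidperl security patch") and the 5.004 cut-off are taken from the
    advisory text; the function names and output format are the script's
    own choices.

```shell
#!/bin/sh
# Added illustration, not part of the AUSCERT advisory.
#
#   suidperl_patch_status  classifies "suidperl -v" output read from stdin
#                          using the markers quoted in section 3.2.
#   audit_setuid           lists setuid/setgid regular files under a
#                          directory (section 4) and tags the sperl*/suidperl
#                          names from section 3.1.
#
# Nothing here modifies the system; both functions only print.

# Read "suidperl -v" output from stdin and print PATCHED, VULNERABLE or
# UNKNOWN.  Logic, per the advisory: the "two suidperl security patches"
# line (or the SUIDBUF patch entry) means the fix is in; perl 5.004 and
# later carry the fix; any other 4.x/5.x version is vulnerable, whether
# or not it shows the older single "+ suidperl security patch" line.
suidperl_patch_status() {
    out=$(cat)
    ver=$(printf '%s\n' "$out" |
          sed -n 's/^[[:space:]]*This is perl, version \([0-9][0-9.]*\).*/\1/p' |
          head -n 1)
    case "$out" in
        *'+ two suidperl security patches'*|*SUIDBUF*)
            echo PATCHED; return 0 ;;
    esac
    if [ -n "$ver" ]; then
        # numeric compare via awk; 5.003 < 5.004 <= 5.005 etc.
        if awk -v v="$ver" 'BEGIN { exit !(v + 0 >= 5.004) }'; then
            echo PATCHED
        else
            echo VULNERABLE
        fi
        return 0
    fi
    echo UNKNOWN
}

# List setuid/setgid regular files under $1 (default /), staying on one
# file system like the advisory's -xdev.  One line per file:
#   <tag> <owner> <path>
# where tag is SUIDPERL for names matching sperl* or suidperl, else OTHER.
audit_setuid() {
    root=${1:-/}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r path; do
        name=$(basename "$path")
        case "$name" in
            sperl*|suidperl) tag=SUIDPERL ;;
            *)               tag=OTHER ;;
        esac
        owner=$(ls -ld "$path" | awk '{ print $3 }')
        printf '%s %s %s\n' "$tag" "$owner" "$path"
    done
}

# Count the suidperl-style privileged files found under $1.
count_suidperl() {
    audit_setuid "$1" | grep -c '^SUIDPERL ' || true
}
```

    Typical use is "suidperl -v 2>&1 | suidperl_patch_status" on a host
    with suidperl installed, and "audit_setuid / | sort" (as root, so that
    every directory is readable) to get the section 4 inventory with the
    suidperl candidates marked. The audit deliberately omits "-user root"
    so that setgid and non-root setuid binaries show up too; the owner
    column lets you filter afterwards.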
    AUSCERT encourages sites to examine all the setuid/setgid programs and
    determine the necessity of each program. If a program does not
    absolutely require the setuid/setgid privileges to operate (for
    example, it is only run by the root user), the setuid/setgid privileges
    should be removed. Furthermore, if a program is not required at your
    site, then all execute permissions should be removed.

    A sample command to find all setuid/setgid programs is (run as root):

        # find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -l {} \;

    It is AUSCERT's experience that many vulnerabilities are being
    discovered in setuid/setgid programs which are not necessary for the
    correct operation of most systems. Sites can increase their security by
    removing unnecessary setuid/setgid programs. For example, the
    functionality provided by the suidperl program is not needed by many
    sites. If sites had previously disabled this program, they would not
    have been susceptible to this latest vulnerability.

...........................................................................

Appendix A      Vendor information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional
information. If your vendor is not listed below, or you require further
vendor information, please contact the vendor directly.

RedHat Linux
============

There is a critical security hole in perl (specifically /usr/bin/sperl*)
which affects all versions of Red Hat Linux. A new version, perl-5.003-8,
is now available for Red Hat Linux 4.0 and 4.1 for all platforms. If you
are running an earlier version of Red Hat, we strongly encourage you to
upgrade to 4.1 as soon as possible, as many critical security fixes have
been made.

The new version of perl is PGP signed with the Red Hat PGP key.

Thanks to Chip Salzenberg for putting together this patch.
You may upgrade to the new version as follows:

Red Hat 4.1
- -------------

i386:
rpm -Uvh ftp://ftp.redhat.com/updates/4.1/i386/perl-5.003-8.i386.rpm

alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.1/alpha/perl-5.003-8.alpha.rpm

SPARC:
rpm -Uvh ftp://ftp.redhat.com/updates/4.1/sparc/perl-5.003-8.sparc.rpm

Red Hat 4.0
- -------------

i386:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/i386/perl-5.003-8.i386.rpm

alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/alpha/perl-5.003-8.alpha.rpm

SPARC:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/sparc/perl-5.003-8.sparc.rpm

...........................................................................

- ---------------------------------------------------------------------------
AUSCERT acknowledges CERT/CC for much of the technical description used in
this advisory. AUSCERT also thanks Chip Salzenberg for his quick response
to this vulnerability.
- ---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:         Australian Computer Emergency Response Team
                Prentice Centre
                Brisbane
                Qld. 4072.
                AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History

19 May 1997     The command "perl -v" under perl 5.003 says a security
                patch is already installed which is misleading. Updated
                advisory to remove this ambiguity.
                Altered the find command in Section 3.1 to be less
                restrictive.
                Added Appendix A to contain specific vendor information.
                Added information on RedHat Linux to this section.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBM4CDYyh9+71yA2DNAQG2lwP8CGpV1kpS3yZ7jqWDLIx6nqZxfFsnhQgN
WQ9O8rp8PJUH126kg/bFZXAE9lbsL6mOsx4OYfXlm31+O/D6Iv0zv2C8F1+74NHp
8mC0XhsZ0+Ai8wJSGT/hjWQSKBxuWIG4bHewQwT5leHcQlTCdevouM8MS5FXD1jz
ZNdQZ7687R4=
=/IPe
-----END PGP SIGNATURE-----