Subject: Caldera Security Advisory 96.02: Vulnerability in Perl's suidperl

Caldera Security Advisory SA-96.02
June 30th, 1996

Topic: Vulnerability of Perl suidperl program

I. Problem Description

   A vulnerability exists in systems such as CND 1.0 that contain the
   suidperl program. By exploiting this vulnerability, anyone with
   access to an account on such a system may gain root access.

   The problem exists in both Perl versions 4 and 5. Simple Perl
   scripts exist that, even when executed by an unprivileged user,
   can give root access.

   The vulnerability takes advantage of the suidperl program and
   kernels such as Linux that support saved set-user-ID and saved
   set-group-ID. Saved set-user-IDs and set-group-IDs are sometimes
   referred to as POSIX saved IDs. suidperl is also known as sperl
   followed by a version number, as in sperl5.002.

II. Impact

   On a system that has the suidperl or sperl program installed and
   that supports saved set-user-ID and saved set-group-ID (such as
   CND 1.0), anyone with access to an account on the system can gain
   root access.

III. Solution / Workaround

   Perl version 4 should be removed from your system if present.
   This version of Perl is no longer supported. No updated version
   will be made available.

   You can check to see if Perl 4 is on your system by executing
   "rpm -q perl4". This command will either print the exact version
   of Perl 4 installed or the message "package perl4 is not
   installed". To remove Perl 4, execute "rpm -u perl4".

   The best solution to the problem is to install a corrected version
   of Perl 5. This is the recommended procedure and is described
   below.

   Alternatively, there are several workarounds for the vulnerability:

   Until you can install a patch, we recommend disabling suidperl:

        su -
        cd /usr/bin
        chmod ug-s suidperl sperl*

   Another alternative to installing a new version is to install
   Larry Wall's fixsperl script noted below.

   fixsperl is a script that replaces the suidperl and sperl programs
   with a wrapper that eliminates the vulnerability. The script is
   available from CPAN archives such as
   ftp://ftp.funet.fi/pub/languages/perl/CPAN/ as the file:

        File              MD5 Checksum
        src/fixsperl-0    f13900d122a904a8453a0af4c1bdddc6

   Note that this script should be run one time, naming every
   suidperl or sperl file on your system. If you add another version
   of suidperl or sperl to your system, then you must run fixsperl on
   those newly installed versions.

   However, the recommended option is to install the following
   version of Perl 5:

        ftp://ftp.caldera.com/pub/cnd-1.0/updates/perl-5.003-2.i386.rpm

   Note that this version, unlike the Red Hat version of the same
   name, is compatible with CND 1.0 (it's compiled with Linux 1.2.13
   header files, libc 5.0.9 and created with RPM 1.x).

   If you are running a system that has been switched to Red Hat
   3.0.3, install "perl-5.003-2.i386.rpm" from Red Hat or one of its
   mirror sites:

        ftp.redhat.com:/pub/redhat-3.0.3/i386/updates/RPMS
        ftp.caldera.com:/pub/mirrors/redhat/redhat-3.0.3/i386/updates/RPMS

   In either case, this RPM can be updated with the command:

        rpm -Uvh perl-5.003-2.i386.rpm

   You can ensure your version of Perl has this fix by executing:

        perl -v

   It should print something similar to:

        This is perl, version 5.003 with EMBED
                built under linux at Jun 30 1996 16:48:57
                + suidperl security patch

IV. References

   ftp://info.cert.org/pub/cert_advisories/CA-96.12.README
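
The workaround and the verification step from Section III can be checked by script. The following is an added example, not part of the Caldera advisory; the function names, the optional directory argument and the --audit switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit and apply the advisory's "chmod ug-s" workaround.
# Function names and the optional directory argument are assumptions.

# Print every suidperl / sperl* file in DIR (default /usr/bin) that still
# has the set-user-ID or set-group-ID bit.
find_setid_perl() {
    dir="${1:-/usr/bin}"
    for f in "$dir"/suidperl "$dir"/sperl*; do
        [ -f "$f" ] || continue     # unmatched glob or not a regular file
        if [ -u "$f" ] || [ -g "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Clear the bits on the files found above, then re-check.
# Returns non-zero if any file still carries a set-ID bit (for example
# because chmod was not run as root).
disable_setid_perl() {
    dir="${1:-/usr/bin}"
    find_setid_perl "$dir" | while IFS= read -r f; do
        chmod ug-s "$f"
    done
    [ -z "$(find_setid_perl "$dir")" ]
}

# Read "perl -v" output on stdin; succeed only if the banner contains the
# patch line the advisory says a fixed build prints.
has_suidperl_patch() {
    grep -q 'suidperl security patch'
}

# Read-only report when run as: sh thisfile.sh --audit [DIR]
if [ "${1:-}" = "--audit" ]; then
    find_setid_perl "${2:-/usr/bin}"
fi
```

After upgrading, "perl -v | has_suidperl_patch" confirms the banner; a newly installed sperl version will show up again in the audit until it is fixed or stripped of its set-ID bits.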