• info
• discussion
• exploit
• solution
• references

SuidPerl Mail Shell Escape Vulnerability

Solution:
If you do not make use of suidperl you can simply turn of the suid bit or remove the program altogether. Note: The patched version of /bin/mail provided by redhat restricts the environment variables that mail can inherit; unfortunately they can still be set in ~/.mailrc with a "set interactive" line.


RedHat mailx-8.1.1-10.i386.rpm

• Red Hat Inc. 6.2 i386 mailx-8.1.1-16.i386.rpm
  ftp://updates.redhat.com/6.2/i386/mailx-8.1.1-16.i386.rpm

RedHat mailx-8.1.1-5.i386.rpm

• Red Hat Inc. 5.2 i386 mailx-8.1.1-16.i386.rpm
  ftp://updates.redhat.com/5.2/i386/mailx-8.1.1-16.i386.rpm

RedHat perl-5.004m4-1.i386.rpm

• Red Hat Inc. 5.2 i386 perl-5.004m7-2.i386.rpm
  ftp://updates.redhat.com/5.2/i386/perl-5.004m7-2.i386.rpm

RedHat perl-5.00503-10.i386.rpm

• Red Hat Inc. 6.2 i386 perl-5.00503-11.i386.rpm
  ftp://updates.redhat.com/6.2/i386/perl-5.00503-11.i386.rpm

Larry Wall Perl 5.0 05_003

• Caldera perl-5.005_03-6.i386
  eDesktop 2.4 i386
  ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/per l-5.005_03-6.i386.rpm


• Caldera perl-5.005_03-6S.i386
  eServer 2.3 i386
  ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/perl -5.005_03-6S.i386.rpm


• Caldera perl-add-5.005_03-6.i386
  eDesktop 2.4 i386
  ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/per l-add-5.005_03-6.i386.rpm


• Caldera perl-add-5.005_03-6S.i386
  eServer 2.3 i386
  ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/perl -add-5.005_03-6S.i386.rpm


• Caldera perl-examples-5.005_03-6.i386
  eDesktop 2.4 i386
  ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/per l-examples-5.005_03-6.i386.rpm


• Caldera perl-examples-5.005_03-6S.i386
  eServer 2.3 i386
  ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/perl -examples-5.005_03-6S.i386.rpm


• Caldera perl-man-5.005_03-6.i386
  eDesktop 2.4 i386
  ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/per l-man-5.005_03-6.i386.rpm


• Caldera perl-man-5.005_03-6S.i386
  eServer 2.3 i386
  ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/perl -man-5.005_03-6S.i386.rpm


• Caldera perl-pod-5.005_03-6.i386
  eDesktop 2.4 i386
  ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/per l-pod-5.005_03-6.i386.rpm


• Caldera perl-pod-5.005_03-6S.i386
  eServer 2.3 i386
  ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/perl -pod-5.005_03-6S.i386.rpm


• Kyle Sparger perl5.005_03-mail.patch
  This patch stops suidperl from emailing the root users when it finds that the user is trying to fool it into executing as root a program that is not suid root.
  http://www.securityfocus.com/data/vulnerabilities/patches/perl5.005_03 -mail.patch


• MandrakeSoft 6.0 i386 perl-5.00503-5mdk.i586.rpm
  MD5 Checksum: 1c42a4a20c7c042f78ae846cc9bfdc81
  ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates /6.0/RPMS/perl-5.00503-5mdk.i586.rpm


• MandrakeSoft 6.1 i386 perl-5.00503-5mdk.i586.rpm
  MD5 checksum: cfdba31ce88d7a72f00ae2f27d4596db
  ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates /6.1/RPMS/perl-5.00503-5mdk.i586.rpm


• MandrakeSoft 7.0 i386 perl-5.00503-11mdk.i586.rpm
  MD5 checksum: 054c9b11a79651d742a465f8ca15a0e8
  ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates /7.0/RPMS/perl-5.00503-11mdk.i586.rpm


• MandrakeSoft 7.0 i386 perl-base-5.00503-11mdk.i586.rpm
  MD5 Checksum: 7b699435cc912993d21f4b35f780b366
  ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates /7.0/RPMS/perl-base-5.00503-11mdk.i586.rpm


• S.u.S.E. 6.1 alpha perl
  ftp://ftp.suse.com/pub/suse/axp/update/6.1/a1/perl.rpm


• S.u.S.E. 6.1 perl
  ftp://ftp.suse.com/pub/suse/i386/update/6.1/a1/perl.rpm


• S.u.S.E. 6.2 perl
  ftp://ftp.suse.com/pub/suse/i386/update/6.2/a1/perl.rpm


• S.u.S.E. 6.3 alpha perl
  ftp://ftp.suse.com/pub/suse/axp/update/6.3/a1/perl.rpm


• S.u.S.E. 6.3 perl
  ftp://ftp.suse.com/pub/suse/i386/update/6.3/a1/perl.rpm


• S.u.S.E. 6.4 alpha perl
  ftp://ftp.suse.com/pub/suse/axp/update/6.4/a1/perl.rpm


• S.u.S.E. 6.4 perl
  ftp://ftp.suse.com/pub/suse/i386/update/6.4/a1/perl.rpm


• S.u.S.E. 6.4 powerpc perl
  ftp://ftp.suse.com/pub/suse/ppc/update/6.4/a1/perl.rpm


• S.u.S.E. 7.0 perl
  ftp://ftp.suse.com/pub/suse/i386/update/7.0/a1/perl.rpm


• Simon Corzens suidperl1.patch
  This patch stops suidperl from sending mail to the root user when it detects someone trying to fool it into executing as root a program that is not suid root.
  http://www.securityfocus.com/data/vulnerabilities/patches/suidperl1.pa tch


• TurboLinux 4.x: perl-5.00503-7.i386
  MD5 checksum: dd1d17422817d40be46d730f1ce8d41e
  ftp://ftp.turbolinux.com/pub/updates/4.0/security/perl-5.00503-7.i386. rpm


• TurboLinux 6.x: perl-5.005_02-8TL.i386
  MD5 checksum: 2951099587eabb3de107ee147619a34b
  ftp://ftp.turbolinux.com/pub/updates/6.0/security/perl-5.005_02-8TL.i3 86.rpm

Larry Wall Perl 5.0 04_05

• Simon Corzens suidperl1.patch
  This patch stops suidperl from sending mail to the root user when it detects someone trying to fool it into executing as root a program that is not suid root.
  http://www.securityfocus.com/data/vulnerabilities/patches/suidperl1.pa tch

Larry Wall Perl 5.6

• MandrakeSoft 7.1 i386 perl-5.600-5mdk.i586.rpm
  MD5 checksum: 39a43d7f8449a692e11fa384343dc939
  ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates /7.1/RPMS/perl-5.600-5mdk.i586.rpm


• MandrakeSoft 7.1 i386 perl-base-5.600-5mdk.i586.rpm
  MD5 checksum: 025428ebc98430c138979f9cd3f1bdb8
  ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates /7.1/RPMS/perl-base-5.600-5mdk.i586.rpm


• Simon Corzens suidperl1.patch
  This patch stops suidperl from sending mail to the root user when it detects someone trying to fool it into executing as root a program that is not suid root.
  http://www.securityfocus.com/data/vulnerabilities/patches/suidperl1.pa tch