Mandrake Linux Security Advisory : perl (MDKSA-2000:031)
2012-09-06T00:00:00
ID MANDRAKE_MDKSA-2000-031.NASL Type nessus Reporter This script is Copyright (C) 2012-2021 Tenable Network Security, Inc. Modified 2012-09-06T00:00:00
Description
There is a vulnerability that exists when using setuidperl together
with the mailx program. In some cases, setuidperl will warn root that
something is going on. The setuidperl program uses /bin/mail to send
the message, as root, with the environment preserved. An undocumented
feature of /bin/mail consists of it interpreting the ~! sequence even
if it is not running on the terminal, and the message also contains
the script name, taken from argv[1]. With all of this combined, it is
possible to execute a command using ~! passed in the script name to
create a suid shell. The instance of setuidperl sending such a message
can only be reached if you try to fool perl into forcing the execution
of one file instead of another. This vulnerability may not be limited
to just the mailx program, which is why an upgrade for perl is
provided as opposed to an upgrade for mailx.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2000:031.
# The text itself is copyright (C) Mandriva S.A.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration pass: when the engine loads the plugin with `description`
# set, only the metadata below is recorded and the script exits before
# any host is touched. The actual package check lives after this block.
if (description)
{
script_id(61827);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");
# Cross-reference to the vendor advisory this plugin was extracted from.
script_xref(name:"MDKSA", value:"2000:031");
script_name(english:"Mandrake Linux Security Advisory : perl (MDKSA-2000:031)");
script_summary(english:"Checks rpm output for the updated packages");
script_set_attribute(
attribute:"synopsis",
value:
"The remote Mandrake Linux host is missing one or more security
updates."
);
# Description text is carried over verbatim from MDKSA-2000:031 (see the
# copyright note in the file header); spelling follows the advisory.
script_set_attribute(
attribute:"description",
value:
"There is a vulnerability that exists when using setuidperl together
with the mailx program. In some cases, setuidperl will warn root that
something has going on. The setuidperl program uses /bin/mail to send
the message, as root, with the environment preserved. An undocumented
feature of /bin/mail consists of it interpretting the ~! sequence even
if it is not running on the terminal, and the message also contains
the script name, taken from argv[1]. With all of this combined, it is
possible to execute a command using ~! passed in the script name to
create a suid shell. The instance of setuidperl sending such a message
can only be reached if you try to fool perl into forcing the execution
of one file instead of another. This vulnerability may not be limited
to just the mailx program, which is why an upgrade for perl is
provided as opposed to an upgrade for mailx."
);
script_set_attribute(
attribute:"solution",
value:"Update the affected perl and / or perl-base packages."
);
# No CVE/CVSS is attached to this advisory; severity is the static
# risk_factor below, and the check block reports via security_hole().
script_set_attribute(attribute:"risk_factor", value:"High");
script_set_attribute(attribute:"plugin_type", value:"local");
# Affected packages and the four Mandrake releases the rpm_check()
# calls below cover (6.0, 6.1, 7.0, 7.1).
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:perl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:perl-base");
script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:6.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:6.1");
script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.1");
script_set_attribute(attribute:"patch_publication_date", value:"2000/08/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/06");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2012-2021 Tenable Network Security, Inc.");
script_family(english:"Mandriva Local Security Checks");
# The KB keys required below are populated by ssh_get_info.nasl; the
# check block audits out if any of them is missing.
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
exit(0);
}
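include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
# Preconditions. All three KB keys come from ssh_get_info.nasl, which the
# registration block names in script_dependencies()/script_require_keys();
# each audit() call terminates the plugin with the matching status.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
# Fix: the OS name in this audit message was misspelled ("Mandake"); it now
# matches the wording used in the architecture check below.
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
# Only x86 builds are referenced below (cpu:"i386"), so any other
# architecture is reported as "not implemented" rather than as clean.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
# One rpm_check() per fixed package/release pair listed in MDKSA-2000:031.
# flag counts how many of them matched the installed rpm list; yank:"mdk"
# strips the distro suffix for the version comparison (rpm.inc).
flag = 0;
if (rpm_check(release:"MDK6.0", cpu:"i386", reference:"perl-5.00503-5mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK6.1", cpu:"i386", reference:"perl-5.00503-5mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.0", cpu:"i386", reference:"perl-5.00503-11mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.0", cpu:"i386", reference:"perl-base-5.00503-11mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"perl-5.600-5mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"perl-base-5.600-5mdk", yank:"mdk")) flag++;
# Report: at verbosity > 0 the per-package details from rpm_report_get()
# are attached; otherwise a bare finding is raised. Severity is fixed by
# security_hole(), consistent with the "High" risk_factor registered above.
if (flag)
{
if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
else security_hole(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");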
{"id": "MANDRAKE_MDKSA-2000-031.NASL", "bulletinFamily": "scanner", "title": "Mandrake Linux Security Advisory : perl (MDKSA-2000:031)", "description": "There is a vulnerability that exists when using setuidperl together\nwith the mailx program. In some cases, setuidperl will warn root that\nsomething has going on. The setuidperl program uses /bin/mail to send\nthe message, as root, with the environment preserved. An undocumented\nfeature of /bin/mail consists of it interpretting the ~! sequence even\nif it is not running on the terminal, and the message also contains\nthe script name, taken from argv[1]. With all of this combined, it is\npossible to execute a command using ~! passed in the script name to\ncreate a suid shell. The instance of setuidperl sending such a message\ncan only be reached if you try to fool perl into forcing the execution\nof one file instead of another. This vulnerability may not be limited\nto just the mailx program, which is why an upgrade for perl is\nprovided as opposed to an upgrade for mailx.", "published": "2012-09-06T00:00:00", "modified": "2012-09-06T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.tenable.com/plugins/nessus/61827", "reporter": "This script is Copyright (C) 2012-2021 Tenable Network Security, Inc.", "references": [], "cvelist": [], "type": "nessus", "lastseen": "2021-01-07T11:51:14", "edition": 22, "viewCount": 0, "enchantments": {"dependencies": {"references": [], "modified": "2021-01-07T11:51:14", "rev": 2}, "score": {"value": -0.5, "vector": "NONE", "modified": "2021-01-07T11:51:14", "rev": 2}, "vulnersScore": -0.5}, "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2000:031. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(61827);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_xref(name:\"MDKSA\", value:\"2000:031\");\n\n script_name(english:\"Mandrake Linux Security Advisory : perl (MDKSA-2000:031)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a vulnerability that exists when using setuidperl together\nwith the mailx program. In some cases, setuidperl will warn root that\nsomething has going on. The setuidperl program uses /bin/mail to send\nthe message, as root, with the environment preserved. An undocumented\nfeature of /bin/mail consists of it interpretting the ~! sequence even\nif it is not running on the terminal, and the message also contains\nthe script name, taken from argv[1]. With all of this combined, it is\npossible to execute a command using ~! passed in the script name to\ncreate a suid shell. The instance of setuidperl sending such a message\ncan only be reached if you try to fool perl into forcing the execution\nof one file instead of another. 
This vulnerability may not be limited\nto just the mailx program, which is why an upgrade for perl is\nprovided as opposed to an upgrade for mailx.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected perl and / or perl-base packages.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:perl-base\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2000/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/09/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ 
\"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK6.0\", cpu:\"i386\", reference:\"perl-5.00503-5mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"perl-5.00503-5mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"perl-5.00503-11mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"perl-base-5.00503-11mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"perl-5.600-5mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"perl-base-5.600-5mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "Mandriva Local Security Checks", "pluginID": "61827", "cpe": ["cpe:/o:mandrakesoft:mandrake_linux:7.0", "p-cpe:/a:mandriva:linux:perl-base", "cpe:/o:mandrakesoft:mandrake_linux:7.1", "cpe:/o:mandrakesoft:mandrake_linux:6.1", "p-cpe:/a:mandriva:linux:perl", "cpe:/o:mandrakesoft:mandrake_linux:6.0"], "scheme": null}