Re: [cobalt-users] Re: suid perl - 2 month old hazard

[flash22@xxxxxxx]

On Thu, 15 Nov 2001, Render-Vue wrote:

> Hi Yah,
> 
> I've just checked my version of suidperl...
> 
> > ls -la /usr/bin/suidperl
> -rws--x--x   2 root     root       517916 Apr  6  1999 /usr/bin/suidperl
> 
> I also have neomail installed. Now can someone please clarify (pacify me
> really - window$ user) if this is an issue or not. I've read Jeff's post...
> 
> >>For this exploit to work, you need to have /usr/bin/suidperl setuid.  We
> do not ship suidperl setuid.  We do ship the binary, but purposely
> removed the suid bit on the program because it was not needed.  This
> exploit will not work unless you have changed permissions on the
> suidperl binary.<<
> 
> So is suidperl okay as is even though it looks like Neomail changed it?
> Do I have to disable Neomail and change permission of suidperl?
> 
> Can I carry on as a happy camper and keep the troops happy with their
> Neomail service.

No, you should ideally install the updated package. The 's' in the 'rws-'
on your suidperl is what's bad, it means it sets itself to the root user
when you run it, gaining privileges. The exploit takes advantage of that.

The new package fixes this.

I'm not willing to second guess Taco on this yet, but it *may* be
sufficient to chmod u-s /usr/bin/suidperl , however, there are other
privileged scripts in neomail itself, also, there is a small bug fix..

Left as is, your machine can be exploited by an internal user...
[I don't think there's any external vulnerabilities introduced here, i'd
fix it just the same]

gsh