SuidPerl Mail Shell Escape Vulnerability

BID:1547

Info

Bugtraq ID: 1547
Class: Environment Error
CVE:
Remote: No
Local: Yes
Published: Aug 07 2000 12:00AM
Updated: Aug 07 2000 12:00AM
Credit: This vulnerability was discovered by Sebastian Krahmer <[email protected]> and Michal Zalewski <[email protected]>.
Vulnerable: Redhat perl-5.00503-10.i386.rpm
+ Redhat Linux 6.2
Redhat perl-5.004m4-1.i386.rpm
+ Redhat Linux 5.2
Redhat mailx-8.1.1-5.i386.rpm
+ Redhat Linux 5.2
Redhat mailx-8.1.1-10.i386.rpm
+ Redhat Linux 6.2
Larry Wall Perl 5.6
+ Mandriva Linux Mandrake 7.1
Larry Wall Perl 5.0 05_003
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2
+ Debian Linux 2.1 sparc
+ Debian Linux 2.1 alpha
+ Debian Linux 2.1 68k
+ Debian Linux 2.1
+ Mandriva Linux Mandrake 7.0
+ Mandriva Linux Mandrake 6.1
+ Mandriva Linux Mandrake 6.0
+ Redhat Linux 6.2 E sparc
+ Redhat Linux 6.2 E i386
+ Redhat Linux 6.2 E alpha
+ Redhat Linux 6.2 sparc
+ Redhat Linux 6.2 i386
+ Redhat Linux 6.2 alpha
+ Redhat Linux 6.1 sparc
+ Redhat Linux 6.1 i386
+ Redhat Linux 6.1 alpha
+ Redhat Linux 6.0 sparc
+ Redhat Linux 6.0 alpha
+ Redhat Linux 6.0
+ SCO eDesktop 2.4
+ SCO eServer 2.3
+ Trustix Trustix Secure Linux 1.1
+ Turbolinux Turbolinux 6.0.4
+ Turbolinux Turbolinux 6.0.3
+ Turbolinux Turbolinux 6.0.2
+ Turbolinux Turbolinux 6.0.1
+ Turbolinux Turbolinux 6.0
+ Turbolinux Turbolinux 4.4
+ Turbolinux Turbolinux 4.2
+ Turbolinux Turbolinux 4.0
Larry Wall Perl 5.0 05
Larry Wall Perl 5.0 04_05
+ Redhat Linux 5.2 sparc
+ Redhat Linux 5.2 i386
+ Redhat Linux 5.2 alpha
+ Redhat Linux 5.1
+ Redhat Linux 5.0
Not Vulnerable:

Discussion

The interaction between some security checks performed by suidperl, the setuid version of perl, and the /bin/mail program creates a scenario that allows local malicious users to execute commands with root privileges.

The suidperl program performs a number of checks to make sure it cannot be fooled into executing a perl script with root privileges when that script is not suid root. When one of these checks fails, the program composes a message to the root user. The mail message looks like this:

From: Bastard Operator <[email protected]>
To: [email protected]

User 500 tried to run dev 769 ino 343180 in place of dev 769 ino 343183!
(Filename of set-id script was /some/thing, uid 500 gid 500.)

Sincerely,
perl

The name of the script to execute (inserted into the message) is taken from the program's argument list (argv[1]). suidperl executes /bin/mail to inject the message into the mail system. It does so without cleaning the environment or dropping its root privileges. The /bin/mail program has an undocumented feature: when the environment variable "interactive" is set to any value, /bin/mail interprets the sequence "~!" as an escape sequence to start a shell and execute commands, even when the program is not attached to a terminal. The environment variable "interactive" can also be set from ~/.mailrc with a "set interactive" line.

A malicious user can create a file with an escape sequence and commands embedded in the file name, then execute suidperl in such a way that the security check fails. suidperl will send a message to root via /bin/mail with the escape sequence embedded in the message. This will cause /bin/mail to start a root shell and execute the commands.

Exploit / POC

Solution / Fix

Solution:
If you do not make use of suidperl you can simply turn off the suid bit or remove the program altogether. Note: The patched version of /bin/mail provided by Red Hat restricts the environment variables that mail can inherit; unfortunately "interactive" can still be set in ~/.mailrc with a "set interactive" line.
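Both points in the solution can be checked on a host before and after applying it: whether suidperl is still set-uid root, and whether a user's ~/.mailrc turns "interactive" on, which the Red Hat environment restriction does not cover. The C below is an added audit example, not code from the advisory, Red Hat or the mailx project. The path `/usr/bin/suidperl` is an assumption, and the .mailrc parsing rules (leading whitespace, `#` comments, several options on one `set` line, the `name=value` form, and `unset` not counting) are my reading of the mailx syntax rather than something the advisory states.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <sys/stat.h>

/* Return the 1-based line number of the first .mailrc line that turns
 * "interactive" on, or 0 if no line does.  Lines are parsed one at a time
 * so a single bad line can be reported back to the user. */
int mailrc_sets_interactive(const char *text)
{
    int lineno = 0;
    const char *p = text;
    while (*p) {
        lineno++;
        const char *end = strchr(p, '\n');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;   /* truncate long lines */
        memcpy(line, p, len);
        line[len] = '\0';
        p = end ? end + 1 : p + strlen(p);

        char *s = line;
        while (isspace((unsigned char)*s)) s++;
        if (*s == '#') continue;                          /* comment */
        /* Only "set <options>" counts; "unset interactive" starts with "uns". */
        if (strncmp(s, "set", 3) != 0 || !isspace((unsigned char)s[3])) continue;
        for (char *tok = strtok(s + 3, " \t\r"); tok; tok = strtok(NULL, " \t\r"))
            if (strcmp(tok, "interactive") == 0 || strncmp(tok, "interactive=", 12) == 0)
                return lineno;
    }
    return 0;
}

/* 1 if path exists, is set-uid and owned by root; 0 if it exists without
 * both properties; -1 if it cannot be stat()ed (e.g. already removed). */
int is_setuid_root(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return ((st.st_mode & S_ISUID) && st.st_uid == 0) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample of a user's ~/.mailrc. */
    const char *sample = "# mail settings\nset askcc\n  set hold interactive\n";
    int line = mailrc_sets_interactive(sample);
    if (line) printf("mailrc enables interactive on line %d\n", line);
    else      printf("mailrc does not enable interactive\n");

    const char *suidperl = "/usr/bin/suidperl";          /* assumed path */
    switch (is_setuid_root(suidperl)) {
    case 1:  printf("%s is set-uid root\n", suidperl); break;
    case 0:  printf("%s present but not set-uid root\n", suidperl); break;
    default: printf("%s not present\n", suidperl); break;
    }
    return 0;
}
```

Run the ~/.mailrc check for every account that can reach the host, not just for root: the line that enables the escape lives in the ordinary user's file, and the mailer reads it while running with suidperl's privileges. A result of 0 from `is_setuid_root` after `chmod u-s` confirms the first half of the fix took effect.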


Redhat mailx-8.1.1-10.i386.rpm

Redhat mailx-8.1.1-5.i386.rpm

Redhat perl-5.004m4-1.i386.rpm

Redhat perl-5.00503-10.i386.rpm

Larry Wall Perl 5.0 05_003

Larry Wall Perl 5.0 04_05

Larry Wall Perl 5.6
© CVE.report 2026