CVE-2000-0703

suidperl - Privilege Escalation

Title source: llm

Description

suidperl (aka sperl) does not properly cleanse the escape sequence "~!" before calling /bin/mail to send an error report, which allows local users to gain privileges by setting the "interactive" environmental variable and calling suidperl with a filename that contains the escape sequence.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Michal Zalewski · bashlocallinux

https://www.exploit-db.com/exploits/20142

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by Sebastian Krahmer · perllocallinux

https://www.exploit-db.com/exploits/20141

View Code ZIP pw:eip

References (9)

[Exploit, Vendor Advisory] http://archives.neohapsis.com/archives/bugtraq/2000-08/0022.html

[Third Party Advisory] http://archives.neohapsis.com/archives/bugtraq/2000-08/0086.html

[Third Party Advisory] http://archives.neohapsis.com/archives/bugtraq/2000-08/0113.html

[Third Party Advisory] http://archives.neohapsis.com/archives/bugtraq/2000-08/0153.html

[Patch, Vendor Advisory] http://www.calderasystems.com/support/security/advisories/CSSA-2000-026.0.txt

[Vendor Advisory] http://www.redhat.com/support/errata/RHSA-2000-048.html

[Exploit, Patch, Vendor Advisory] http://www.securityfocus.com/bid/1547

[Various Sources] http://www.turbolinux.com/pipermail/tl-security-announce/2000-August/000017.html

[Vendor Advisory] http://www.novell.com/linux/security/advisories/suse_security_announce_59.html

Scores

EPSS 0.0025

EPSS Percentile 48.0%

Details

Status published

Products (4)

larry_wall/perl 5.4.5

larry_wall/perl 5.5

larry_wall/perl 5.5.3

larry_wall/perl 5.6

Published Oct 20, 2000

Tracked Since Feb 18, 2026