CVE-2000-0703
Published 2000-10-20
Priority: P4 · high · CVSS 2.0 base score 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit code available (see the Exploit-DB entries below)
EPSS: 1.11% (61.9th percentile)
suidperl (aka sperl) does not properly cleanse the escape sequence "~!" before calling /bin/mail to send an error report, which allows local users to gain privileges by setting the "interactive" environmental variable and calling suidperl with a filename that contains the escape sequence.
Affected
5 ranges listed; the version bounds themselves are not preserved on this page.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| larry_wall | perl | — (listed four times, bounds not shown) | — |
CVSS provenance
NVD (CVSS v2.0): 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C
Red Hat (vendor): 7.2 HIGH
GHSA
GHSA-fwmf-9cw3-w3x3 · ghsa_unreviewed · 2022-04-30 · severity HIGH
Carries the CVE description verbatim: suidperl (aka sperl) does not properly cleanse the escape sequence "~!" before calling /bin/mail to send an error report, which allows local users to gain privileges by setting the "interactive" environment variable and calling suidperl with a filename that contains the escape sequence.
Red Hat
security flaw · vendor_redhat · 2000-08-07 · CVSS 7.2 HIGH
Red Hat's entry repeats the CVE description (suidperl does not cleanse the "~!" escape sequence before calling /bin/mail; a local user who sets "interactive" and passes a filename containing the sequence gains privileges).
Statement: This issue was fixed in the following products:
- Red Hat Linux 5.0 - RHSA-2000:048 (2000-08-07)
- Red Hat Linux 5.1 - RHSA-2000:048 (2000-08-07)
- Red Hat Linux 5.2 - RHSA-2000:048 (2000-08-07)
- Red Hat Linux 6.0 - RHSA-2000:048 (2000-08-07)
- Red Hat Linux 6.1 - RHSA-2000:048 (2000-08-07)
- Red Hat Linux 6.2 - RHSA-2000:048 (2000-08-07)
No detection rules found.
Exploit-DB
SUIDPerl 5.00503 - Mail Shell Escape (1)
exploitdb · 2000-08-07 · CVE-2000-0703
---
source: https://www.securityfocus.com/bid/1547/info
The interaction between some security checks performed by suidperl, the setuid version of perl, and the /bin/mail program creates a scenario that allows local malicious users to execute commands with root privileges.
The suidperl program performs a number of checks to make sure it can't be fooled into executing a perl script with root privileges when it is not suid root. When one of these checks fails, the program composes a message to the root user. The mail message looks like this:
From: Bastard Operator
To: [email protected]
User 500 tried to run dev 769 ino 343180 in place of dev 769 ino 343183!
(Filename of set-id script was /some/thing, uid 500 gid 500.)
Sincerely,
perl
The name
Exploit-DB
SUIDPerl 5.00503 - Mail Shell Escape (2)
exploitdb · 2000-08-07 · CVE-2000-0703
---
source: https://www.securityfocus.com/bid/1547/info (the same writeup as entry (1); the description is not repeated here)
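The mechanism the CVE text and the Exploit-DB writeup above describe, as an added example that is not code from this page, from perl, or from any real /bin/mail: a small Python model of a mailer that honours tilde escapes, the error report as suidperl built it, and a hardened builder that neutralises the untrusted filename at the boundary (the CWE-150 fix). The mailer model's rules (escapes recognised only at the start of a line, only when `interactive` is in the environment, `~~` as a literal tilde), the `bsd_mail_model`/`neutralize`/`scrubbed_env` names, and the attacker-chosen filename with an embedded newline are this example's assumptions, not facts taken from the page.

```python
import re


def bsd_mail_model(body: str, env: dict) -> tuple[str, list[str]]:
    """Model of an old /bin/mail reading a message from stdin (an assumption
    for this example, not a copy of any real mailer).  Tilde escapes are
    honoured only at the start of a line and only when `interactive` is set
    in the environment; "~!cmd" hands cmd to the shell.
    Returns (message actually sent, shell commands that would have run)."""
    interactive = "interactive" in env
    kept, executed = [], []
    for line in body.split("\n"):
        if interactive and line.startswith("~!"):
            executed.append(line[2:])
        elif interactive and line.startswith("~~"):
            kept.append(line[1:])          # "~~" is an escaped literal "~"
        else:
            kept.append(line)
    return "\n".join(kept), executed


def vulnerable_report(filename: str, uid: int, gid: int) -> str:
    """The report body in the shape the Exploit-DB writeup shows.  The
    caller-chosen filename is interpolated raw: a newline inside it starts a
    fresh line, and whatever follows sits at line start, exactly where the
    mailer looks for a "~" escape."""
    return (
        "User %d tried to run dev 769 ino 343180 in place of dev 769 ino 343183!\n"
        "(Filename of set-id script was %s, uid %d gid %d.)\n"
        "Sincerely,\nperl" % (uid, filename, uid, gid)
    )


def neutralize(text: str) -> str:
    """CWE-150 fix at the boundary: render every control character (newline
    included) as a visible \\xNN escape so untrusted text can never begin a
    line, and double a leading tilde as a second layer in case some caller
    does place the text at line start."""
    out = re.sub(r"[\x00-\x1f\x7f]", lambda m: "\\x%02x" % ord(m.group()), text)
    return "~" + out if out.startswith("~") else out


def hardened_report(filename: str, uid: int, gid: int) -> str:
    """Same report, untrusted filename neutralised before interpolation."""
    return vulnerable_report(neutralize(filename), uid, gid)


def scrubbed_env(env: dict) -> dict:
    """A set-id program must not pass the caller's environment to helpers it
    execs: `interactive` is what switches the escapes on, so keep nothing
    from the caller and hand the mailer a fixed PATH only."""
    return {"PATH": "/bin:/usr/bin"}


# Constructed sample input: a script "name" carrying a newline and a "~!"
# escape, run with the attacker's environment (assumed, not from the page).
EVIL_NAME = "/tmp/x\n~!cp /bin/sh /tmp/rootsh; chmod 4755 /tmp/rootsh\n"
ATTACKER_ENV = {"interactive": "1", "PATH": "/tmp:/bin"}


def demo() -> dict:
    """Run the three configurations; return the commands the mailer executed."""
    _, vuln = bsd_mail_model(vulnerable_report(EVIL_NAME, 500, 500), ATTACKER_ENV)
    _, env_only = bsd_mail_model(vulnerable_report(EVIL_NAME, 500, 500),
                                 scrubbed_env(ATTACKER_ENV))
    _, fixed = bsd_mail_model(hardened_report(EVIL_NAME, 500, 500), ATTACKER_ENV)
    return {"vulnerable": vuln, "env_scrubbed": env_only, "neutralized": fixed}


if __name__ == "__main__":
    for name, cmds in demo().items():
        print("%-12s commands run by the mailer: %r" % (name, cmds))
```

The two fixes are independent and both are worth having: scrubbing the environment removes the attacker's switch (`interactive`), while neutralising the filename means the report stays safe even if the mailer were ever invoked interactively for another reason. In the hardened output the injected text is still visible to the administrator reading the report, just as `\x0a~!cp ...` on the same line, which is what a forensic reader wants.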
CWE
CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences (mitre_cwe)
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.
Modes of Introduction:
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Common Consequences:
Scope: Integrity. Impact: Unexpected State.
Detection Methods:
Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some ins
CWE
CWE-138: Improper Neutralization of Special Elements (mitre_cwe)
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.
Most languages and protocols have their own special elements such as characters and reserved words. These special elements can carry control implications. If product does not prevent external control or influence over the inclusion of such special elements, the control flow of the program may be altered from what was intended. For example, both Unix and Windows interpret the symbol < ("less than") as meaning "read input from a file".
Modes of Introduction:
Phase: Implementation
Note: REALIZATION: Thi
References
http://archives.neohapsis.com/archives/bugtraq/2000-08/0022.html
http://archives.neohapsis.com/archives/bugtraq/2000-08/0086.html
http://archives.neohapsis.com/archives/bugtraq/2000-08/0113.html
http://archives.neohapsis.com/archives/bugtraq/2000-08/0153.html
http://www.calderasystems.com/support/security/advisories/CSSA-2000-026.0.txt
http://www.novell.com/linux/security/advisories/suse_security_announce_59.html
http://www.redhat.com/support/errata/RHSA-2000-048.html
http://www.securityfocus.com/bid/1547
http://www.turbolinux.com/pipermail/tl-security-announce/2000-August/000017.html