in reply to Re^2: Is it possible to modify __DATA__ via the DATA file handle or otherwise?
in thread Is it possible to modify __DATA__ via the DATA file handle or otherwise?

setuid allows a user to execute a script as the script's owner.

I believe it can be attacked as follows:

  1. Create a symbolic link to the setuid script.
  2. Execute the setuid script via that symbolic link.
  3. Immediately replace the symbolic link with a file.
  4. If you get the timing right, the setuid script will read and write the data from your file instead of from the script file. The script trusts the data since it expects to be the only one able to change it, but you actually have full access to the data.

As a variation of the above, the attack could also replace the volume on which the script resides by unmounting it and mounting a new one.

  • Comment on Re^3: Is it possible to modify __DATA__ via the DATA file handle or otherwise?

In Section Seekers of Perl Wisdom