[UNIX] Molly IRC Bot Command Execution
From: support@securiteam.com Date: 10/19/02
From: support@securiteam.com To: list@securiteam.com Date: 19 Oct 2002 04:04:42 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Molly IRC Bot Command Execution
------------------------------------------------------------------------
SUMMARY
<http://www.lysator.liu.se/~unicorn/hacks/molly/> Molly is a small,
simple IRC bot that I use for intra-office communication. She will handle
lunch menus, stock quotes, take polls and stuff like that. A vulnerability
in the product allows remote attackers to cause the program to execute
arbitrary code.
DETAILS
Vulnerable systems:
* Molly version 0.5 and prior
Immune systems:
* Molly version 0.6
1. Because a call passes unfiltered user input to the shell for interpretation, it is possible to run any command with the privileges of the script.
A more detailed explanation:
In plugins/nslookup.pl the script calls the shell, passing user input in the $host variable:
@answer = `/usr/bin/nslookup $host`; # FIXME: Should be configurable.
The user input is not checked for any shell meta-characters or limited to
any set of characters, so users can execute commands by supplying
something like scan-associates.net;/bin/ls
guejez suggests fixing this by making sure $host contains only the characters \w or '.' (this limits nslookup queries). Then use
system('/usr/bin/nslookup', $host); instead of backticks, so that the $host variable is passed as an argument only, not handed to the shell.
The same advice applies to the following calls, all of which invoke the shell without checking user input.
In unusedplugins/pop.pl:
@answer = `/home/hape/bin/winpopup.sh $to $from "$message"`;
In unusedplugins/sms.pl:
`/home/hape/bin/sms.pl $words[2] $words[3] "$text"`;
In unusedplugins/hpled.pl:
open(SMB, "| smbclient '\\\\$server\\$printer' lkpcourse -P -U lkpcourse -n lkpcourse -W LKPIFS") || die("Couldn't open /tmp/hpled.tmp!");
Fix:
According to the author, a fix for some of the issues will be in all versions after 0.5. The author also noted that anything in the
unusedplugins/ directory is not maintained, may not work, and may introduce security issues into your script. Use with caution.
As a quick fix replace the following line in plugins/nslookup.pl:
@answer = `/usr/bin/nslookup $host`; # FIXME: Should be configurable.
With:
$host =~ s/[^\w\.]//g;
open(NSLOOKUP, "-|", "/usr/bin/nslookup '$host'");
@answer = <NSLOOKUP>;
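As an added example (not Molly's code and not guejez's patch), the Perl below applies the list-form open the advisory recommends to the nslookup plugin, with the whitelist turned into a reject-on-failure check rather than a silent strip. It assumes nslookup lives at /usr/bin/nslookup, accepts the hyphens that real hostnames such as scan-associates.net contain, and refuses a leading hyphen so the argument cannot be parsed as an nslookup option.

```perl
#!/usr/bin/perl
# Added example, not part of Molly: a hardened nslookup plugin call.
use strict;
use warnings;

# Validate rather than strip. A hostname label set may contain letters,
# digits, dots and hyphens only; anything else (";", "|", "`", "$",
# quotes, whitespace) is rejected outright instead of silently edited.
# The first character must be alphanumeric so the value can never be
# read by nslookup as a leading "-option".
sub valid_host {
    my ($host) = @_;
    return defined $host
        && length($host) <= 253
        && $host =~ /\A[A-Za-z0-9][A-Za-z0-9.-]*\z/;
}

# Run nslookup without ever involving /bin/sh: the list form of
# open("-|", LIST) (Perl 5.8+) passes $host as one argv element, so shell
# metacharacters in it carry no special meaning. Path is an assumption.
sub safe_nslookup {
    my ($host) = @_;
    return "Refusing to look up an invalid hostname\n"
        unless valid_host($host);
    open(my $fh, "-|", "/usr/bin/nslookup", $host)
        or return "Couldn't run nslookup: $!\n";
    my @answer = <$fh>;
    close($fh);
    return join("", @answer);
}

# Constructed inputs: a normal query and the injection string quoted in
# the advisory. With the original backtick call the second one would run
# /bin/ls; here it never reaches a process at all.
for my $host ("scan-associates.net", "scan-associates.net;/bin/ls", "-query=any") {
    printf "%-30s %s\n", $host, valid_host($host) ? "valid" : "rejected";
}
print safe_nslookup("scan-associates.net;/bin/ls");
```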
guejez suggests not using any plugins from unusedplugins, but if you must, replace the following line in unusedplugins/pop.pl
@answer = `/home/hape/bin/winpopup.sh $to $from "$message"`;
With:
$to =~ s/[^\w\.]//g;
$from =~ s/[^\w\.\s]//g;
$message =~ s/[^\w\.\s]//g;  # quotes would otherwise break out of the '$message' argument
open(WINPOP, "-|", "/home/hape/bin/winpopup.sh '$to' '$from' '$message'");
@answer = <WINPOP>;
Replace the following line in unusedplugins/sms.pl
`/home/hape/bin/sms.pl $words[2] $words[3] "$text"`;
With:
$words[2] =~ s/[^\w\.\s]//g;
$words[3] =~ s/[^\w\.\s]//g;
$text =~ s/[^\w\.\s]//g;
system('/home/hape/bin/sms.pl', $words[2], $words[3], $text);
And replace the following line in unusedplugins/hpled.pl:
open(SMB, "| smbclient '\\\\$server\\$printer' lkpcourse -P -U lkpcourse -n lkpcourse -W LKPIFS") || die("Couldn't open /tmp/hpled.tmp!");
With:
$server =~ s/[^\w\.]//g;
$printer =~ s/[^\w\.]//g;
open(SMB, "| smbclient '\\\\$server\\$printer' lkpcourse -P -U lkpcourse -n lkpcourse -W LKPIFS") || die("Couldn't open /tmp/hpled.tmp!");
Vendor Contact:
07-22-02 - guejez emailed unicorn@lysator.liu.se and alerted him of this
vulnerability.
07-23-02 - guejez received an email confirming vulnerabilities and stating
some issues will be fixed in newer versions and some will not be fixed.
ADDITIONAL INFORMATION
The information has been provided by <mailto:guejez@scan-associates.net>
guejez.