lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <48808290.4040807@isecauditors.com>
Date: Fri, 18 Jul 2008 13:46:24 +0200
From: ISecAuditors Security Advisories <advisories@...cauditors.com>
To: bugtraq@...urityfocus.com
Subject: [ISecAuditors Security Advisories] SmbClientParser Perl module allows
 remote command execution

=============================================
INTERNET SECURITY AUDITORS ALERT 2006-006
- Original release date: February 28, 2006
- Last revised: July 18th, 2008
- Discovered by: Jesus Olmos Gonzalez
- Severity: 5/5
=============================================

I. VULNERABILITY
-------------------------
SmbClientParser perl module allows remote command execution.

II. BACKGROUND
-------------------------
SmbClientParser is a useful perl module to writing Netbios interactive 
codes, is a wraper from linux smbclient command and can be downloaded 
from:
http://search.cpan.org/~alian/Filesys-SmbClientParser-2.7/SmbClientParser.pm

or installed:
perl -MCPAN -e shell
install Filesys::SmbClientParser

III. DESCRIPTION
-------------------------
If a host scans your shared folder whith a tool that uses this module, 
you can execute shell commands in his host.

This module has the following snippet of code:

my @var = `$pargs`;

pargs it is parsed with the following poor filters:

  my $pargs;
   if ($args=~/^([^;]*)$/) { # no ';' nickel
     $pargs=$1;
   } elsif ($smbscript) { # ';' is allowed inside -c ' '
     if ($args=~/^([^;]* -c '[^']*'[^;]*)$/) {
       $pargs=$1;
     } else { # what that ?
       die("Why a ';' here ? => $args");
     }
   } else { die("Why a ';' here ? => $args"); }

If thereis a folder inside a shared folder with the following name:

' x && xterm &#

The perl will spawn an xterm :)
Note that this was reported at 2006 and no answer received, be 
carefoul with cpan modules.

IV. PROOF OF CONCEPT
-------------------------
This folder name inside the shared folder:

' x && xterm &#

Will execute the following:
/usr/bin/smbclient "//x.x.x.x/vulns" -U "user%pass"    -d0  -c 'cd "' 
x && xterm &#"'  -D "/poc"

This proof of concept spawns a xterm at vyctims xwindow, replace xterm 
for the evilcommands.

V. BUSINESS IMPACT
-------------------------
-

VI. SYSTEMS AFFECTED
-------------------------
Versions up to 2.7 included (all)

VII. SOLUTION
-------------------------
Use this patch:

138a139,146
 > 
#------------------------------------------------------------------------------
 > # Sanitize (jolmos[@]isecauditors[.]com)
 > 
#------------------------------------------------------------------------------
 > sub Sanitize {
 >       my $danger = $_[0];             #There are many danger bytes, 
but if the
 >       $$danger =~ s/\n|\r|'|"|//ig;   #danger string is inside "" 
or '' the only
 >                                       #option is break with ' or " 
or \r or \n
 > }
265a274
 >     foreach my $i (@_) { &Sanitize(\$i); }
287a297
 >   foreach my $i (@_) { &Sanitize(\$i); }
321a332
 >     foreach my $i (@_) { &Sanitize(\$i); }
331a343
 >   foreach my $i (@_) { &Sanitize(\$i); }
345a358
 >     foreach my $i (@_) { &Sanitize(\$i); }
359a373
 >     foreach my $i (@_) { &Sanitize(\$i); }
373a388
 >   foreach my $i (@_) { &Sanitize(\$i); }
375a391
 >
387a404
 >     foreach my $i (@_) { &Sanitize(\$i); }
398a416
 >        foreach my $i (@_) { &Sanitize(\$i); }
409a428
 >       foreach my $i (@_) { &Sanitize(\$i); }
487a507
 >     foreach my $i (@_) { &Sanitize(\$i); }

VIII. REFERENCES
-------------------------
http://search.cpan.org/~alian/Filesys-SmbClientParser-2.7/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Jesus Olmos 
Gonzalez (jolmos (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
April 26, 2006: Initial release.
July  14, 2008: Patch added.
July  18, 2008: Published.

XI. DISCLOSURE TIMELINE
-------------------------
February  26, 2006: The vulnerability discovered by
                     Internet Security Auditors.
April     26, 2006: Initial vendor notification sent.
September 14, 2006: Second notification: correction in one week.
                     No correction.
December   2, 2006: Third notification: no response.
January   18, 2007: Forth notification: no response.
May        1, 2007: Fifth notification: no response.
November  11, 2007: Sixth notification: no response.
July      14, 2008: Seventh notification: no response from the
                     developer (Alain Barbet), we wrote the patch.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" 
with no warranties or guarantees of fitness of use or otherwise. 
Internet Security Auditors accepts no responsibility for any damage 
caused by the use or misuse of this information.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ