Message-ID: <016201c2769e$89620d10$2901a8c0@sk4n>
From: guejez at scan-associates.net (guejez)
Subject: SCAN Associates Advisory: perlbot 1.9.2 - Remote Command Execution
perlbot 1.9.2 - Remote Command Execution
Discovered By guejez of scan-associates.net
About perlbot:
------------------
[quote from freshmeat]
"Perlbot is an IRC bot written in Perl. It depends on Net::IRC and its
goals are simplicity, a small footprint, and modularity. It's meant as a
more easily configured but (for now) less robust alternative to bots like
eggdrop. It's also noticeably faster by the authors' tests. The base bot
allows auto-opping, notes, multiple channels, channel forwarding/bridging,
etc., but much much more is possible through the use of plugins. Many
plugins are included, and it should be easy for anyone with some knowledge
of perl to write their own plugins"
[/quote from freshmeat]
perlbot is available at http://perlbot.sourceforge.net
Vulnerable (tested) Versions:
--------------------
Perlbot version 1.9.2 on SuSe 7.3
Vendor Contact:
----------------
07-22-02 - Emailed burke ^^at^^ bitflood.org and jmuhlich ^^at^^
bitflood.org to alert them of this vulnerability.
07-22-02 - Received email confirming the vulnerabilities and stating that
fixes will be in the new version.
Vulnerabilities:
----------------
-- Command Execution
1. Due to poor input filtering and a call to the shell it is possible to
issue commands remotely through the IRC interface of this bot. Commands
will be executed with the uid under which the bot is run.
A more detailed explanation:
The script tries to make a secure shell call to the aspell program by
filtering user input. It does so in Plugins/Misc/SpelCheck/SpelCheck.pm
like this:
$text =~ s/\`//g;
$text =~ s/\$//g;
$text =~ s/\|//g;
Then the call to the shell is:
my @spell = `echo "$text"| aspell -S -a 2>&1`;
To issue a command one could "break out" of the quotes and then issue a
separate command by using ; In order to prevent this, more restrictive
input filtering needs to be put in place. The author said they will change
from using aspell to using a Google API for spell checking. This provides
better support for people who don't have aspell installed and more
security.
2. Due to poor input filtering and an unsafe open() call it is possible to
execute commands.
A more detailed explanation:
The script tries to prevent directory traversal by filtering user input to
disallow '..' in Plog.pl:
$p =~ s/\.\.//g; # so people can't read arbitrary files
$filename .= $p;
Then in HTMLPlog.pm it uses this variable to open a file in an unsafe way
(a two-argument open, so the contents of $filename decide the open mode):
open FILE, $filename;
This allows command execution if $filename ends in a |. Combine this with
the ability to do directory traversal with .\./ and you can issue any
command the script has permission to.
-- Path Traversal
1. Due to poor input filtering it is possible to read any file on the
server the script has permission to.
A more detailed explanation:
This is the same issue as above, but without appending the | to the
supplied filename. This allows an attacker to read any file the script has
permission to. The file contents will be sent to the client's browser.
Proof Of Concept:
-----------------
No proof of concept will be given for these issues.
Fix:
----
According to the author a fix will be released with version 1.9.3; until
then my suggested patch for version 1.4.2 is to replace this line in
plugins/SpelCheck/Plugin.pm:
$args =~ tr/\w //c;
With:
$args =~ s/[^\w]//g;
For version 1.9.2 my suggested fix is to replace these lines in
Plugins/Misc/SpelCheck/SpelCheck.pm:
# $text =~ tr/\w//c;
$text =~ s/\`//g;
$text =~ s/\$//g;
$text =~ s/\|//g;
With:
$text =~ s/[^\w]//g;
As a temporary fix, for both versions, I suggest removing the
miscscripts/irclogs directory. Since the original draft of this advisory
there have been multiple new versions of perlbot; download any above 1.9.2.
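Added here as an example (not perlbot's own code; the function names and
the $logdir argument are my own): the blacklist quoted above beside the
whitelist suggested in this advisory, plus two shell-free alternatives, a
list-form IPC::Open2 call so no shell ever parses the text handed to
aspell, and a three-argument open() that only reads a file whose resolved
path stays inside the log directory instead of stripping '..' from input.

```perl
# Added example, not perlbot's code: blacklist vs whitelist filtering and
# shell-free replacements for the backtick call and the two-argument open.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use IPC::Open2;

# Blacklist as in SpelCheck.pm 1.9.2: removes ` $ | but nothing else.
sub filter_blacklist {
    my ($text) = @_;
    $text =~ s/\`//g;
    $text =~ s/\$//g;
    $text =~ s/\|//g;
    return $text;
}

# Whitelist as suggested in the advisory: keep word characters only.
sub filter_whitelist {
    my ($text) = @_;
    $text =~ s/[^\w]//g;
    return $text;
}

# Run aspell without a shell: open2 with a list exec's the program
# directly, so $text goes to aspell's stdin and is never parsed by sh.
sub spellcheck_no_shell {
    my ($text) = @_;
    my $pid = open2(my $out, my $in, 'aspell', '-S', '-a');
    print {$in} "$text\n";
    close $in;
    my @spell = <$out>;
    close $out;
    waitpid($pid, 0);
    return @spell;
}

# Read a log only if its resolved path stays inside $logdir; the three-arg
# open with an explicit '<' mode treats a trailing '|' as a literal byte.
sub read_log {
    my ($logdir, $p) = @_;
    my $base = realpath($logdir) or return;
    my $path = realpath(File::Spec->catfile($logdir, $p));
    return unless defined $path && index($path, "$base/") == 0;
    open(my $fh, '<', $path) or return;
    local $/;
    my $content = <$fh>;
    close $fh;
    return $content;
}
```

Note that [^\w] also strips spaces, so multi-word input is joined into one
word before it reaches aspell; [^\w ] keeps the spaces while still
excluding every shell metacharacter.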
Thanks:
-------
Samy Kamkar - bugtraq post on another perlbot got me thinking. Good shell
trick with $IFS.
irc.efnet.org #vuln - various people helping with perl security issues.
pokleyzz, sk, and all of scan-associates.net
--------------------------------------------------------------------------
http://www.scan-associates.net/