[<prev] [next>] [day] [month] [year] [list]
Message-ID: <016101c2769e$89204920$2901a8c0@sk4n>
From: guejez at scan-associates.net (guejez)
Subject: SCAN Associates Advisory: Molly 0.5 - Remote Command Execution
Molly 0.5 - Remote Command Execution
Discovered By guejez of scan-associates.net
About Molly:
------------------
[quote from Molly homepage]
"Molly is a small, simple IRC bot that I use for intra-office
communication. She
will handle lunch menus, stock quotes, take polls and stuff like that."
[/quote from Molly homepage]
Molly is avaliable at http://www.lysator.liu.se/~unicorn/hacks/molly/
Vulnerable (tested) Versions:
--------------------
Molly version 0.5 on SuSe 7.3
Vendor Contact:
----------------
07-22-02 - Emailed unicorn ^^at^^ lysator.liu.se Alerted him of this
vulnerability
07-23-02 - Recieved email confirming vulnerabilties and stating some issues
will
be fixed in newer versions and some will not be fixed.
Vulnerabilities:
----------------
-- Command Execution
1. Due to a call which sends unfiltered user input to be interpreted
by the shell it is possible to run any command at the permission level
of the script.
A more detailed explaination:
In plugins/nslookup.pl the script makes a call to the shell. Sending
user input in the $host variable:
@answer = `/usr/bin/nslookup $host`; # FIXME: Should be configurable.
The user input is not checked for any shell metacharacters or limited
to any set of characters, so users can execute commands by supplying
something like scan-associates.net;/bin/ls
I suggest fixing this by making sure $host is only the characters \w or
'.'
(this limits nslookup queries, you may want to come up with your own
filter).
Then use system('/usr/bin/nslookup', $host); instead of ``, so that the
$host variable is sent as an argument only, not directly to the shell.
The same advice should be used with:
@answer = `/home/hape/bin/winpopup.sh $to $from "$message"`;
in unusedplugins/pop.pl
`/home/hape/bin/sms.pl $words[2] $words[3] "$text"`;
in unusedplugins/sms.pl
and
open(SMB, "| smbclient '\\\\$server\\$printer' lkpcourse -P -U
lkpcourse -n
lkpcourse -W LKPIFS") || die("Couldn't open /tmp/hpled.tmp!");
in unusedplugins/hpled.pl. All of which are making calls to the shell
without
checking user input.
Proof Of Concept:
-----------------
No proof of concept will be givin for these issues.
Fix:
----
According to the author a fix for some of the issues will be in all
versions after
0.5. The author did make note that anything in the unusedplugins/
directory is not
maintained, may not work, and may introduce security issues into your
script. Use
with causion. The website for molly reflexs that there has been no fixes
for any
of these issues.
As a quick fix replace the following line in plugins/nslookup.pl:
@answer = `/usr/bin/nslookup $host`; # FIXME: Should be configurable.
With:
$host =~ s/[^\w\.]//g;
open(NSLOOKUP, "-|", "/usr/bin/nslookup '$host'");
@answer = <NSLOOKUP>;
I suggest not to use any plugins from within unusedplugins, but if you must
then
replace the following line in unusedplugins/pop.pl
@answer = `/home/hape/bin/winpopup.sh $to $from "$message"`;
With:
$to =~ s/[^\w\.]//g;
$from =~ s/[^\w\.\s]//g;
open(WINPOP, "-|", "/usr/bin/nslookup /home/hape/bin/winpopup.sh '$to'
'$from' '$message'");
@answer = <WINPOP>;
Replace the following line in unusedplugins/sms.pl
`/home/hape/bin/sms.pl $words[2] $words[3] "$text"`;
With:
$words[2] =~ s/[^\w\.\s]//g;
$words[3] =~ s/[^\w\.\s]//g;
$text =~ s/[^\w\.\s]//g;
system('/home/hape/bin/sms.pl', $words[2], $words[3], $text);
And replace the following line in unusedplugins/hpled.pl:
open(SMB, "| smbclient '\\\\$server\\$printer' lkpcourse -P -U lkpcourse -n
lkpcourse -W LKPIFS") || die("Couldn't open /tmp/hpled.tmp!");
With:
$server =~ s/[^\w\.]//g;
$printer =~ s/[^\w\.]//g;
open(SMB, "| smbclient '\\\\$server\\$printer' lkpcourse -P -U lkpcourse -n
lkpcourse -W LKPIFS") || die("Couldn't open /tmp/hpled.tmp!");
Thanks:
-------
irc.efnet.org #vuln - various people helping with perl security issues.
pokleyzz, sk , and all of scan-associates.net
--------------------------------------------------------------------------
http://www.scan-associates.net/
Powered by blists - more mailing lists