From: guejez at (guejez)
Subject: SCAN Associates Advisory: madhater perlbot 1.0 beta - Remote Command Execution

perlbot 1.0 beta - Remote Command Execution
Discovered By guejez of

 About perlbot:
 [quote from perlbot website]


 [/quote from perlbot website]

 perlbot is available at

 Vulnerable (tested) Versions:
 Perlbot version 1.0 beta on SuSe 7.3

 Vendor Contact:
 07-22-02 - Emailed myneid ^^at^^ Alerted him of this
 07-22-02 - Received email confirming vulnerabilities and stating fixes could
            be in a new version.

 -- Command Execution

 1. Due to no input filtering and a call to the shell, the script could be
    used to execute any command it has permission to.

    A more detailed explanation:

 The script does not limit the characters sent to the shell from user input.
 The problem is in this line:

 foreach(`/bin/echo "$word" | /usr/local/bin/ispell -a`)

 Which allows an attacker to "break out" of the quotes and issue any command
 they wish by doing something like anything";cmd.  Other abuses could be
 commands with `cmd` and $(cmd) or \xxx where xxx is the octal value of any
 character.  Some form of user input filtering must be used.

 2. Due to no input filtering and a bad open() call when the script attempts
    to send email, it is possible to execute commands.

    A more detailed explanation:

 The script attempts to send an email to the user.  It takes the user's
 address and passes it to the shell as an argument to the mail program:

 open (MAIL,"| $sendmail $recipient") || die $!;

 This means things like < /etc/passwd could be used as an email address to
 get any file from the system the script has permission to read.  Or command
 execution is possible with ;
 In order to prevent this, simply take the $recipient value out of the shell

 Proof Of Concept:
 No proof of concept will be given for these issues.

 According to the author a fix could be in a new version of the script.  The
 homepage was down at the time of this advisory, so here is the suggested
 fix.  Replace the following line:

 my $word=$';

 with:

 my $word=$';
 $word =~ s/[^\w]//g;

 And replace the following line:

 open (MAIL,"| $sendmail $recipient") || die $!;

 with:

 open (MAIL,"| $sendmail -t") || die $!;
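 The two fixes above still route data through a shell command line. As an added illustration (not code from the advisory or from perlbot), here is how both calls can be written so that no shell is involved at all: the word is filtered as the advisory suggests and handed to ispell over a pipe, and the recipient goes into a header for sendmail -t, with both programs started via list-form open. The ispell and sendmail paths and the address check are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IPC::Open2;

# The advisory's filter: keep only [A-Za-z0-9_], so quotes, ';', '$(',
# backticks and backslash escapes can never reach a command line.
sub sanitize_word {
    my ($word) = @_;
    $word =~ s/[^\w]//g;
    return $word;
}

# Spell-check without /bin/echo or a shell: open2 execs ispell directly
# (path assumed) and the word travels on stdin, not on the command line.
sub spellcheck {
    my ($word) = @_;
    my $clean = sanitize_word($word);
    return () if $clean eq '';          # nothing safe left to check
    my $pid = open2(my $out, my $in, '/usr/local/bin/ispell', '-a');
    print {$in} "$clean\n";
    close $in;
    my @lines = <$out>;
    close $out;
    waitpid $pid, 0;
    return @lines;
}

# Mail without a shell: the recipient only ever appears inside a header,
# and list-form open execs sendmail (path assumed) with fixed arguments.
# The address check also blocks embedded newlines (header injection).
sub send_mail {
    my ($recipient, $subject, $body) = @_;
    return 0 unless $recipient =~ /^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$/;
    open(my $mail, '|-', '/usr/sbin/sendmail', '-t', '-oi')
        or die "cannot run sendmail: $!";
    print {$mail} "To: $recipient\nSubject: $subject\n\n$body\n";
    close $mail or die "sendmail failed: $?";
    return 1;
}

# Constructed inputs mirroring the advisory's examples; the filter leaves
# only word characters, e.g. anything";cmd -> anythingcmd, $(cmd) -> cmd.
for my $w ('teh', 'anything";cmd', '$(cmd)') {
    printf "%-15s -> %s\n", $w, sanitize_word($w);
}
print send_mail('user@example.com', 'test', 'hi') ? "sent\n" : "rejected\n";
```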

 ------- #vuln - various people helping with perl security issues.
 pokleyzz, sk, and all of

