Message-ID: <016301c2769e$89a6b730$2901a8c0@sk4n>
From: guejez at scan-associates.net (guejez)
Subject: SCAN Associates Advisory: madhater perlbot 1.0 beta - Remote Command Execution

perlbot 1.0 beta - Remote Command Execution
Discovered By guejez of scan-associates.net

 About perlbot:
 ------------------
 [quote from perlbot website]

 ""

 [/quote from perlbot website]

 perlbot is available at http://stigmata.gothcafe.com/~madhater


 Vulnerable (tested) Versions:
 --------------------
 Perlbot version 1.0 beta on SuSe 7.3


 Vendor Contact:
 ----------------
 07-22-02 - Emailed myneid ^^at^^ gothcafe.com, alerted him of this vulnerability.
 07-22-02 - Received email confirming vulnerabilities and stating fixes could be
            in new version.


 Vulnerabilities:
 ----------------
 -- Command Execution

 1. Due to no input filtering and a call to the shell, the script can be used to
    execute any command it has permission to run.

    A more detailed explanation:

 The script does not limit the characters sent to the shell from user input.
 The problem is in this line:

 foreach(`/bin/echo "$word" | /usr/local/bin/ispell -a`)

 The backtick string is interpolated and then handed to the shell, which allows
 an attacker to "break out" of the double quotes and issue any command they wish
 with input such as anything";cmd.  Other abuses include embedding commands with
 `cmd` or $(cmd), or \xxx where xxx is the octal value of any character.  Some
 form of user input filtering must be used.


 2. Due to no input filtering and a bad open() call when the script attempts to
    send email, it is possible to execute commands.

    A more detailed explanation:

 The script attempts to send an email to the user.  It takes the user's email
 address and passes it to the shell as an argument to the mail program:

 open (MAIL,"| $sendmail $recipient") || die $!;

 This means an "email address" such as hacker@...n-associates.net < /etc/passwd
 could be used to retrieve any file from the system that the script has
 permission to read, and command execution is possible with
 hacker@...n-associates.net ; cmd.  To prevent this, simply take the $recipient
 value out of the shell call.


 Proof Of Concept:
 -----------------
 No proof of concept will be given for these issues.


 Fix:
 ----
 According to the author, a fix could be in a new version of the script.  The
 script's homepage was down at the time of this advisory, so here is the
 suggested fix.  Replace the following line:

 my $word=$';

 With:

 my $word=$';
 $word =~ s/[^\w]//g;

 And replace the following line:

 open (MAIL,"| $sendmail $recipient") || die $!;

 With:

 open (MAIL,"| $sendmail -t") || die $!;
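 A hardened version of both calls, added here as an example and not taken from
 perlbot or the advisory: it keeps the ispell path named above, assumes
 /usr/sbin/sendmail as the $sendmail value, and removes the shell entirely by
 using list-form opens, with a whitelist check that rejects (rather than strips)
 bad input.

```perl
#!/usr/bin/perl
# Added example, not perlbot's code.  Paths below are assumptions.
use strict;
use warnings;
use IPC::Open2;

my $ispell   = '/usr/local/bin/ispell';   # path taken from the advisory
my $sendmail = '/usr/sbin/sendmail';      # assumed value of perlbot's $sendmail

# Vulnerable patterns from the advisory, shown only for contrast:
#   foreach (`/bin/echo "$word" | $ispell -a`) { ... }
#   open(MAIL, "| $sendmail $recipient") || die $!;
# Both interpolate user input into a string that /bin/sh parses, so
# characters like " ` $( ) ; and < keep their shell meaning.

# Accept exactly one word (no metacharacters, no newline), else reject.
sub clean_word {
    my ($word) = @_;
    return undef unless defined $word;
    return $word =~ /^(\w{1,64})\z/ ? $1 : undef;
}

# Accept a conservative address syntax; no whitespace or newlines, which
# also blocks header injection into the To: line written below.
sub clean_recipient {
    my ($addr) = @_;
    return undef unless defined $addr;
    return $addr =~ /^([\w.+-]+@[\w-]+(?:\.[\w-]+)+)\z/ ? $1 : undef;
}

# Spell-check without a shell: open2 execs ispell directly and the word is
# written to its stdin, so it is data rather than part of a command line.
sub spell_check {
    my $word = clean_word(shift) // die "rejected word\n";
    my $pid = open2(my $out, my $in, $ispell, '-a');
    print {$in} "$word\n";
    close $in;
    my @lines = <$out>;
    close $out;
    waitpid $pid, 0;
    return @lines;
}

# Mail without a shell: list-form pipe open plus -t, so sendmail reads the
# recipient from the header and $recipient never reaches a command line.
sub send_mail {
    my ($recipient, $body) = @_;
    my $to = clean_recipient($recipient) // die "rejected address\n";
    open(my $mail, '|-', $sendmail, '-t') or die "cannot run sendmail: $!";
    print {$mail} "To: $to\nSubject: perlbot spelling result\n\n$body";
    close $mail or die "sendmail failed: $?";
}
```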


 Thanks:
 -------
 irc.efnet.org #vuln - various people helping with perl security issues.
 pokleyzz, sk , and all of scan-associates.net


--------------------------------------------------------------------------
http://www.scan-associates.net/

