Message-ID: <016301c2769e$89a6b730$2901a8c0@sk4n>
From: guejez at scan-associates.net (guejez)
Subject: SCAN Associates Advisory: madhater perlbot 1.0 beta - Remote Command Execution
perlbot 1.0 beta - Remote Command Execution
Discovered By guejez of scan-associates.net
About perlbot:
------------------
[quote from perlbot website]
""
[/quote from perlbot website]
perlbot is available at http://stigmata.gothcafe.com/~madhater
Vulnerable (tested) Versions:
--------------------
Perlbot version 1.0 beta on SuSe 7.3
Vendor Contact:
----------------
07-22-02 - Emailed myneid ^^at^^ gothcafe.com and alerted him of this
vulnerability.
07-22-02 - Received email confirming the vulnerabilities and stating that
fixes could be in a new version.
Vulnerabilities:
----------------
-- Command Execution
1. Due to missing input filtering and a call to the shell, the script can be
used to execute any command it has permission to run.
A more detailed explanation:
The script does not limit the characters that user input can send to the
shell. The problem is in this line:
foreach(`/bin/echo "$word" | /usr/local/bin/ispell -a`)
This allows an attacker to "break out" of the quotes and issue any command
they wish by sending something like anything";cmd. Other abuses include
issuing commands with `cmd` and $(cmd), or \xxx where xxx is the octal value
of any character. Some form of user input filtering must be used.
2. Due to missing input filtering and an unsafe open() call when the script
attempts to send email, it is possible to execute commands.
A more detailed explanation:
The script attempts to send an email to the user. It takes the user's email
address and passes it to the shell as an argument to the mail program:
open (MAIL,"| $sendmail $recipient") || die $!;
This means that something like hacker@...n-associates.net < /etc/passwd could
be used as an email address to obtain any file on the system that the script
has permission to read, and command execution is possible with
hacker@...n-associates.net ; cmd.
To prevent this, simply take the $recipient value out of the shell call.
Proof Of Concept:
-----------------
No proof of concept will be given for these issues.
Fix:
----
According to the author, a fix could be in a new version of the script. The
script's homepage was down at the time of this advisory, so here is the
suggested fix. Replace the following line:
my $word=$';
With:
my $word=$';
$word =~ s/[^\w]//g;
And replace the following line:
open (MAIL,"| $sendmail $recipient") || die $!;
With:
open (MAIL,"| $sendmail -t") || die $!;
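As an added example (not perlbot's code and not the advisory's own fix), the two calls above rewritten in Perl so that no shell is involved at all: ispell reads the word on stdin through a list-form pipe, and sendmail is exec'd directly with the advisory's -t flag while the recipient is validated before it is written into the headers. The ispell path is the one named in the advisory; the sendmail path and the function names are assumptions.

```perl
#!/usr/bin/perl
# Added example, not the perlbot author's code. The two shell calls from the
# advisory are replaced with shell-free equivalents. Paths other than ispell
# and all function names are hypothetical.
use strict;
use warnings;
use IPC::Open2 qw(open2);

my $ispell   = '/usr/local/bin/ispell';   # path from the advisory
my $sendmail = '/usr/sbin/sendmail';      # assumed location of perlbot's $sendmail

# 1. Spell check. open2() execs ispell with an argv list, so there is no
#    /bin/echo and no shell: quotes, ';', backticks and $() in $word are just
#    bytes on ispell's stdin. The advisory's allowlist filter is kept as
#    defence in depth.
sub spell_check {
    my ($word) = @_;
    $word =~ s/[^\w]//g;                  # advisory's suggested filter
    return () if $word eq '';
    my $pid = open2(my $out, my $in, $ispell, '-a');   # dies on failure
    print {$in} "$word\n";
    close $in;                            # EOF tells ispell we are done
    my @lines = <$out>;                   # banner line plus per-word result
    close $out;
    waitpid $pid, 0;
    return @lines;
}

# 2. Mail. List-form open() execs sendmail directly, so $recipient is never
#    parsed by a shell. With -t the recipient comes from the To: header, so
#    the address is checked against a conservative pattern first (no
#    whitespace, no newlines, cannot start with '-').
sub send_mail {
    my ($recipient, $subject, $body) = @_;
    die "bad recipient address\n"
        unless $recipient =~ /\A\w[\w.+-]*@[\w-]+(?:\.[\w-]+)+\z/;
    $subject =~ s/[\r\n]//g;              # keep the subject on one header line
    open(my $mail, '|-', $sendmail, '-t')
        or die "cannot run $sendmail: $!";
    print {$mail} "To: $recipient\nSubject: $subject\n\n$body\n";
    close $mail or die "sendmail exited with status ", $? >> 8, "\n";
}
```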
Thanks:
-------
irc.efnet.org #vuln - various people helping with perl security issues.
pokleyzz, sk , and all of scan-associates.net
--------------------------------------------------------------------------
http://www.scan-associates.net/