From: guejez (guejez_at_scan-associates.net)
Date: Fri Oct 18 2002 - 06:42:14 CDT

perlbot 1.9.2 - Remote Command Execution
Discovered By guejez of scan-associates.net

About perlbot:
------------------
[quote from freshmeat]

"Perlbot is an IRC bot written in Perl. It depends on Net::IRC and its
goals are simplicity, a small footprint, and modularity. It's meant as a
more easily configured but (for now) less robust alternative to bots like
eggdrop. It's also noticeably faster by the authors' tests. The base bot
allows auto-opping, notes, multiple channels, channel forwarding/bridging,
etc., but much much more is possible through the use of plugins. Many
plugins are included, and it should be easy for anyone with some knowledge
of perl to write their own plugins"

[/quote from freshmeat]

perlbot is available at http://perlbot.sourceforge.net

Vulnerable (tested) Versions:
--------------------
Perlbot version 1.9.2 on SuSe 7.3

Vendor Contact:
----------------
07-22-02 - Emailed burke ^^at^^ bitflood.org and jmuhlich ^^at^^ bitflood.org
           Alerted them of this vulnerability
07-22-02 - Received email confirming vulnerabilities and stating fixes will
           be in new version.

Vulnerabilities:
----------------
-- Command Execution

1. Due to poor input filtering and a call to the shell it is possible to
   issue commands remotely through the IRC interface of this bot. Commands
   will be executed with the uid under which the bot is run.

   A more detailed explanation:

The script tries to make a secure shell call to the aspell program by
filtering user input. It does so in Plugins/Misc/SpelCheck/SpelCheck.pm
like this:

$text =~ s/\`//g;
$text =~ s/\$//g;
$text =~ s/\|//g;

Then the call to the shell is:

my $spell = `echo "$text"| aspell -S -a 2>&1`;

To issue a command one could "break out" of the quotes and then issue a
separate command by using ; (the semicolon is not among the characters the
filter above removes). In order to prevent this, more restrictive input
filtering needs to be put in place. The author said they will change from
using aspell to using a Google API for spell checking. This provides better
support for people who don't have aspell installed and more security.

2. Due to poor input filtering and a bad open() call it is possible to
   execute commands.

   A more detailed explanation:

The script tries to prevent directory traversal by filtering user input to
disallow '..' in Plog.pl:

$p =~ s/\.\.//g; # so people can't read arbitrary files

$filename .= $p;

Then in HTMLPlog.pm it uses this variable to open a file in an unsafe way:

open FILE, $filename;

This allows for command execution if $filename ends in a |, because Perl's
two-argument open() treats a name ending in | as a command to run and read
output from. Combine this with the ability to do directory traversal with
.\./ and you can issue any command the script has permission to.

-- Path Traversal

1. Due to poor input filtering it is possible to read any file on the
   server the script has permission to.

   A more detailed explanation:

This is the same issue as above, but without appending the | to the
supplied filename. This will allow an attacker to read any file the script
has permission to. The file contents will be sent to the client's browser.
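The two open()-based issues above (command execution through a trailing | and reading arbitrary files) share one root cause: a user-supplied name reaches a two-argument open() after nothing more than a blacklist of '..'. The script below is an added example, not perlbot's code and not the advisory author's patch, showing the defensive pattern: an allowlist on the log name plus a three-argument open() with an explicit read mode, so the name can only ever be a file name. The log directory, the function names and the sample requests are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not from perlbot: serving a user-chosen log file safely.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Constructed log directory for the demo (perlbot's real layout is not assumed).
my $LOG_DIR = tempdir(CLEANUP => 1);

# Return the full path if $p is an acceptable log name, otherwise undef.
# Allowlist instead of blacklist: a plain name of word characters and '-',
# with optional dotted suffixes. "..", "/", "\" and "|" can never match,
# so ".\./" and "name|" are rejected outright instead of being "filtered".
sub safe_log_path {
    my ($p) = @_;
    return undef unless defined $p && $p =~ /\A[\w-]+(?:\.[\w-]+)*\z/;
    my $full = File::Spec->catfile($LOG_DIR, $p);
    return undef unless -f $full;   # must be an existing plain file
    return $full;
}

# Read a log. Three-argument open with an explicit '<' mode means the name
# is data only: a leading '<' or '>' or a trailing '|' would be part of the
# file name, never a mode or a command.
sub read_log {
    my ($p) = @_;
    my $path = safe_log_path($p);
    return undef unless defined $path;
    open(my $fh, '<', $path) or return undef;
    local $/;   # slurp the whole file
    my $content = <$fh>;
    close $fh;
    return $content;
}

# Demo with a constructed log file and constructed requests.
open(my $w, '>', File::Spec->catfile($LOG_DIR, 'channel.log'))
    or die "cannot create sample log: $!";
print {$w} "12:00 <nick> hello\n";
close $w;

for my $request ('channel.log', 'channel.log|', '.\./.\./secret.txt',
                 '../../secret.txt') {
    my $data = read_log($request);
    my $shown = 'rejected';
    if (defined $data) {
        chomp(my $line = $data);
        $shown = "served: $line";
    }
    printf "%-22s => %s\n", "'$request'", $shown;
}
```

Only 'channel.log' is served; every other request fails the allowlist before any filesystem call is made, which is the behaviour a log viewer exposed to the web should have.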

Proof Of Concept:
-----------------
No proof of concept will be given for these issues.

Fix:
----
According to the author a fix will be released with version 1.9.3. Until
then, my suggested patch for version 1.4.2 is to replace this line in
plugins/SpelCheck/Plugin.pm:

$args =~ tr/\w //c;

With:

$args =~ s/[^\w]//g;

For version 1.9.2 my suggested fix is to replace these lines in
Plugins/Misc/SpelCheck/SpelCheck.pm:

# $text =~ tr/\w//c;

$text =~ s/\`//g;
$text =~ s/\$//g;
$text =~ s/\|//g;

With:

$text =~ s/[^\w]//g;
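The suggested patches above tighten the filter but the SpelCheck plugin still hands $text to a shell through backticks. As an added example (not the advisory author's patch and not perlbot's code), the Perl below puts the allowlist filter next to the other half of the defence for the command-execution issue described earlier: invoking the checker through IPC::Open2 with a list of arguments, so no shell ever parses the text. It uses cat in place of aspell so that it runs without aspell installed; the function names and the sample input are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not from perlbot: feeding untrusted text to a spell checker
# without building a shell command line.
use strict;
use warnings;
use IPC::Open2;

# Allowlist filter in the spirit of the advisory's s/[^\w]//g fix, but keeping
# spaces so that multi-word text can still be checked.
sub clean_text {
    my ($text) = @_;
    $text =~ s/[^\w ]//g;
    return $text;
}

# Run @cmd with $text on its standard input and return its standard output.
# Because the command is a list, Perl execs the program directly: no shell
# ever sees $text, so " ; ` $ | are plain bytes rather than syntax.
sub run_with_input {
    my ($text, @cmd) = @_;
    my $pid = open2(my $out, my $in, @cmd);
    print {$in} $text, "\n";
    close $in;                 # send EOF so the child can finish
    local $/;                  # slurp everything the child wrote
    my $result = <$out>;
    close $out;
    waitpid($pid, 0);
    return $result;
}

# Constructed input in the quote-and-semicolon shape the advisory describes.
my $untrusted = 'speling"; echo INJECTED; "';

# With the original backtick call this string would have been shell syntax.
# Here 'cat' stands in for aspell; the real call would be
#   run_with_input(clean_text($text), 'aspell', '-S', '-a')
print "filtered    : ", clean_text($untrusted), "\n";
print "raw, no shell: ", run_with_input($untrusted, 'cat');
```

The second line of output is the input string echoed back verbatim: cat received the quotes and the semicolons as ordinary characters, which is the whole point of the list form. Applying clean_text() on top of that is defence in depth, not the primary control.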

As a temporary fix, for both versions, I suggest removing the
miscscripts/irclogs directory. Since the original draft of this advisory
there have been multiple new versions of perlbot; download any above 1.9.2.

Thanks:
-------
Samy Kamkar - bugtraq post on another perlbot got me thinking. Good shell
trick with $IFS.
irc.efnet.org #vuln - various people helping with perl security issues.
pokleyzz, sk, and all of scan-associates.net

--------------------------------------------------------------------------
http://www.scan-associates.net/