|
|
|
|
| |
| Perlbot is an IRC bot written in Perl. It depends on Net::IRC and its goals are simplicity, a small footprint, and modularity. It's meant as a more easily configured but (for now) less robust alternative to bots like eggdrop. It's also noticeably faster by the authors' tests. The base bot allows auto-opping, notes, multiple channels, channel forwarding/bridging, etc., but much more is possible through the use of plugins. Many plugins are included, and it should be easy for anyone with some knowledge of perl to write their own plugins. Two security vulnerabilities in the product allow remote attackers to cause it to execute arbitrary code and to disclose the content of arbitrary files. |
| |
Credit:
The information has been provided by guejez.
|
| |
Vulnerable systems:
* Perlbot version 1.9.2 and prior
Command Execution
1. Due to poor input filtering and a call to the shell it is possible to issue commands remotely through the IRC interface of the bot. Commands will be executed with the uid at which the bot is ran.
A more detailed explanation:
The script tries to make a secure shell call to the aspell program by filtering user input. It does so in Plugins/Misc/SpelCheck/SpelCheck.pm like this:
$text =~ s/\`//g;
$text =~ s/\$//g;
$text =~ s/\|//g;
Then the call to the shell is:
my @spell = `echo "$text"| aspell -S -a 2>&1`;
To issue a command one could "break out" of the quotes and then issue a separate command by using ';'. In order to prevent this more restrictive input filtering is needed. The author said they will change from using aspell to using Google's API for spell checking. This provides better support for people who don't have aspell installed and more security.
2. Due to poor input filtering and a bad open() call it is possible to execute commands.
A more detailed explanation:
The script tries to prevent reverse directory transversal by filtering user input to disallow '..' in Plog.pl:
$p =~ s/\.\.//g; # so people can't read arbitrary files
$filename .= $p;
Then in HTMLPlog.pm it uses this variable to open a file in an unsafe way:
open FILE, $filename;
This allows for command execution if $filename ends in a |. Combing this with the ability to do directory transversal with .\./ and you can issue any command the script has permission to.
Directory Transversal
1. Due to poor input filtering it is possible to read any file on the server the script has permission to.
A more detailed explanation:
This is the same issue as above, but without appending the | to the inputted filename. This will allow an attacker to read any file the script has permission to. The file contents will be sent to the client's browser.
Fix:
According to the author a fix will be released with version 1.9.3, until then guejez's suggested patch for version 1.4.2 is to replace this line in plugins/SpelCheck/Plugin.pm:
$args =~ tr/\w //c;
With:
$args =~ s/[^\w]//g;
For version 1.9.2 guejez's suggested fix is to replace these lines in Plugins/Misc/SpelCheck/SpelCheck.pm:
# $text =~ tr/\w//c;
$text =~ s/\`//g;
$text =~ s/\$//g;
$text =~ s/\|//g;
With:
$text =~ s/[^\w]//g;
As a temporary fix, for both versions, guejez suggests removing the miscscripts/irclogs directory.
Vendor Contact:
07-22-02 - guejez emailed burke@bitflood.org and jmuhlich@bitflood.org and alerted them of this vulnerability.
07-22-02 - guejez received email confirming vulnerabilities and stating fixes will be in new version.
|
|
|
|
|
