perlbot 1.9.2 - Remote Command Execution

Discovered By guejez of scan-associates.net

About perlbot:
--------------

[quote from freshmeat]
"Perlbot is an IRC bot written in Perl. It depends on Net::IRC and its goals are simplicity, a small footprint, and modularity. It's meant as a more easily configured but (for now) less robust alternative to bots like eggdrop. It's also noticeably faster by the authors' tests. The base bot allows auto-opping, notes, multiple channels, channel forwarding/bridging, etc., but much much more is possible through the use of plugins. Many plugins are included, and it should be easy for anyone with some knowledge of perl to write their own plugins"
[/quote from freshmeat]

perlbot is available at http://perlbot.sourceforge.net

Vulnerable (tested) Versions:
-----------------------------

Perlbot version 1.9.2 on SuSE 7.3

Vendor Contact:
---------------

07-22-02 - Emailed burke ^^at^^ bitflood.org and jmuhlich ^^at^^ bitflood.org. Alerted them of this vulnerability.
07-22-02 - Received email confirming the vulnerabilities and stating that fixes will be in the new version.

Vulnerabilities:
----------------

-- Command Execution

1. Due to poor input filtering and a call to the shell it is possible to issue commands remotely through the IRC interface of this bot. Commands will be executed with the uid under which the bot is run.

A more detailed explanation:

The script tries to make a secure shell call to the aspell program by filtering user input. It does so in Plugins/Misc/SpelCheck/SpelCheck.pm like this:

    $text =~ s/\`//g;
    $text =~ s/\$//g;
    $text =~ s/\|//g;

Then the call to the shell is:

    my @spell = `echo "$text"| aspell -S -a 2>&1`;

This blacklist removes only three characters; everything else the shell treats specially is still passed through, so to issue a command one could "break out" of the quotes and then issue a separate command by using ;

In order to prevent this, more restrictive input filtering needs to be put in place. The author said they will change from using aspell to using a Google API for spell checking.
This provides better support for people who don't have aspell installed and more security.

2. Due to poor input filtering and a bad open() call it is possible to execute commands.

A more detailed explanation:

The script tries to prevent reverse directory traversal by filtering user input to disallow '..' in Plog.pl:

    $p =~ s/\.\.//g;    # so people can't read arbitrary files
    $filename .= $p;

Then in HTMLPlog.pm it uses this variable to open a file in an unsafe way:

    open FILE, $filename;

This allows for command execution if $filename ends in a |, because the two-argument form of open() treats a name ending in | as a command to run rather than a file to read. Combine this with the ability to do directory traversal with .\./ and you can issue any command the script has permission to.

-- Path Traversal

1. Due to poor input filtering it is possible to read any file on the server the script has permission to.

A more detailed explanation:

This is the same issue as above, but without appending the | to the inputted filename. This will allow an attacker to read any file the script has permission to. The file contents will be sent to the client's browser.

Proof Of Concept:
-----------------

No proof of concept will be given for these issues.

Fix:
----

According to the author a fix will be released with version 1.9.3. Until then my suggested patch for version 1.4.2 is to replace this line in plugins/SpelCheck/Plugin.pm:

    $args =~ tr/\w //c;

With:

    $args =~ s/[^\w]//g;

For version 1.9.2 my suggested fix is to replace these lines in Plugins/Misc/SpelCheck/SpelCheck.pm:

    # $text =~ tr/\w//c;
    $text =~ s/\`//g;
    $text =~ s/\$//g;
    $text =~ s/\|//g;

With:

    $text =~ s/[^\w]//g;

As a temporary fix, for both versions, I suggest removing the miscscripts/irclogs directory.

Since the original draft of this advisory there have been multiple new versions of perlbot; download any above 1.9.2.

Thanks:
-------

Samy Kamkar - bugtraq post on another perlbot got me thinking. Good shell trick with $IFS.
irc.efnet.org #vuln - various people helping with perl security issues.
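As an added example, not part of this advisory and not perlbot's own code, the following Perl shows hardened versions of the two fragments quoted above: the whitelist substitution the advisory suggests for SpelCheck, combined with running aspell through IPC::Open2 so that no shell is involved at all, and, for the log reader, a filename whitelist plus a three-argument open() with an explicit read mode so a trailing | can never turn the name into a command. The helper names, the $LOG_DIR location and the self-check inputs are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not perlbot's code): hardened versions of the two fragments
# quoted in the advisory. check_spelling, irclog_path, read_irclog and
# $LOG_DIR are assumed names for illustration, not identifiers from perlbot.
use strict;
use warnings;
use IPC::Open2;
use File::Spec;

# --- SpelCheck: whitelist the input, then avoid the shell entirely --------

# The substitution suggested in the advisory: everything that is not a \w
# character is dropped, so shell metacharacters never reach the command.
sub sanitize_word {
    my ($text) = @_;
    $text =~ s/[^\w]//g;
    return $text;
}

# Even with a clean word, run aspell without a shell. IPC::Open2 given a
# list of arguments execs aspell directly, so no quoting rules are consulted.
# Assumes aspell is installed; output lines are returned for the caller.
sub check_spelling {
    my ($word) = @_;
    my $clean = sanitize_word($word);
    return () if $clean eq '';
    my ($aspell_out, $aspell_in);
    my $pid = open2($aspell_out, $aspell_in, 'aspell', '-S', '-a');
    print {$aspell_in} "$clean\n";
    close $aspell_in;
    my @lines = <$aspell_out>;
    close $aspell_out;
    waitpid $pid, 0;
    return @lines;
}

# --- Plog/HTMLPlog: reject bad names instead of stripping '..' -----------

my $LOG_DIR = '/var/lib/perlbot/irclogs';   # assumed location

# Accept only a bare log-file name: letters, digits, '_', '-' and '.', and
# never a name made only of dots. Neither '/' nor '|' can get through, so
# traversal and the pipe trick are ruled out before open() is reached.
sub irclog_path {
    my ($p) = @_;
    return unless defined $p;
    return unless $p =~ /\A[\w.-]+\z/;
    return if $p =~ /\A\.+\z/;
    return File::Spec->catfile($LOG_DIR, $p);
}

sub read_irclog {
    my ($p) = @_;
    my $path = irclog_path($p);
    return unless defined $path;
    # Three-argument open with an explicit '<' mode: the name is always a
    # file to read, never a command, whatever characters it contains.
    open(my $fh, '<', $path) or return;
    local $/;
    my $contents = <$fh>;
    close $fh;
    return $contents;
}

# Self-check on constructed inputs (needs neither aspell nor log files).
if (!caller) {
    die unless sanitize_word('hello; world') eq 'helloworld';
    die unless sanitize_word('colour') eq 'colour';
    die if defined irclog_path('../etc/passwd');
    die if defined irclog_path('..');
    die if defined irclog_path('log|');
    die unless irclog_path('2002-07-22.log') eq "$LOG_DIR/2002-07-22.log";
    print "ok\n";
}
```

The whitelist approach matters more than the particular characters rejected: the original filters removed a few known-bad characters and let everything else through, whereas these helpers define what is acceptable and refuse the rest. The three-argument open() is the part that closes the pipe-open hole even if a | were somehow still present in the name.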
pokleyzz, sk, and all of scan-associates.net

--------------------------------------------------------------------------
http://www.scan-associates.net/