Molly 0.5 - Remote Command Execution Discovered By guejez of scan-associates.net About Molly: ------------------ [quote from Molly homepage] "Molly is a small, simple IRC bot that I use for intra-office communication. She will handle lunch menus, stock quotes, take polls and stuff like that." [/quote from Molly homepage] Molly is avaliable at http://www.lysator.liu.se/~unicorn/hacks/molly/ Vulnerable (tested) Versions: -------------------- Molly version 0.5 on SuSe 7.3 Vendor Contact: ---------------- 07-22-02 - Emailed unicorn ^^at^^ lysator.liu.se Alerted him of this vulnerability 07-23-02 - Recieved email confirming vulnerabilties and stating some issues will be fixed in newer versions and some will not be fixed. Vulnerabilities: ---------------- -- Command Execution 1. Due to a call which sends unfiltered user input to be interpreted by the shell it is possible to run any command at the permission level of the script. A more detailed explaination: In plugins/nslookup.pl the script makes a call to the shell. Sending user input in the $host variable: @answer = `/usr/bin/nslookup $host`; # FIXME: Should be configurable. The user input is not checked for any shell metacharacters or limited to any set of characters, so users can execute commands by supplying something like scan-associates.net;/bin/ls I suggest fixing this by making sure $host is only the characters \w or '.' (this limits nslookup queries, you may want to come up with your own filter). Then use system('/usr/bin/nslookup', $host); instead of ``, so that the $host variable is sent as an argument only, not directly to the shell. The same advice should be used with: @answer = `/home/hape/bin/winpopup.sh $to $from "$message"`; in unusedplugins/pop.pl `/home/hape/bin/sms.pl $words[2] $words[3] "$text"`; in unusedplugins/sms.pl and open(SMB, "| smbclient '\\\\$server\\$printer' lkpcourse -P -U lkpcourse -n lkpcourse -W LKPIFS") || die("Couldn't open /tmp/hpled.tmp!"); in unusedplugins/hpled.pl. All of which are making calls to the shell without checking user input. Proof Of Concept: ----------------- No proof of concept will be givin for these issues. Fix: ---- According to the author a fix for some of the issues will be in all versions after 0.5. The author did make note that anything in the unusedplugins/ directory is not maintained, may not work, and may introduce security issues into your script. Use with causion. The website for molly reflexs that there has been no fixes for any of these issues. As a quick fix replace the following line in plugins/nslookup.pl: @answer = `/usr/bin/nslookup $host`; # FIXME: Should be configurable. With: $host =~ s/[^\w\.]//g; open(NSLOOKUP, "-|", "/usr/bin/nslookup '$host'"); @answer = <NSLOOKUP>; I suggest not to use any plugins from within unusedplugins, but if you must then replace the following line in unusedplugins/pop.pl @answer = `/home/hape/bin/winpopup.sh $to $from "$message"`; With: $to =~ s/[^\w\.]//g; $from =~ s/[^\w\.\s]//g; open(WINPOP, "-|", "/usr/bin/nslookup /home/hape/bin/winpopup.sh '$to' '$from' '$message'"); @answer = <WINPOP>; Replace the following line in unusedplugins/sms.pl `/home/hape/bin/sms.pl $words[2] $words[3] "$text"`; With: $words[2] =~ s/[^\w\.\s]//g; $words[3] =~ s/[^\w\.\s]//g; $text =~ s/[^\w\.\s]//g; system('/home/hape/bin/sms.pl', $words[2], $words[3], $text); And replace the following line in unusedplugins/hpled.pl: open(SMB, "| smbclient '\\\\$server\\$printer' lkpcourse -P -U lkpcourse -n lkpcourse -W LKPIFS") || die("Couldn't open /tmp/hpled.tmp!"); With: $server =~ s/[^\w\.]//g; $printer =~ s/[^\w\.]//g; open(SMB, "| smbclient '\\\\$server\\$printer' lkpcourse -P -U lkpcourse -n lkpcourse -W LKPIFS") || die("Couldn't open /tmp/hpled.tmp!"); Thanks: ------- irc.efnet.org #vuln - various people helping with perl security issues. pokleyzz, sk , and all of scan-associates.net -------------------------------------------------------------------------- http://www.scan-associates.net/
This archive was generated by hypermail 2b30 : Fri Oct 18 2002 - 09:13:20 PDT