molly-0.5.txt

Posted Oct 21, 2002
Authored by Guejez | Site scan-associates.net

Molly v0.5, a simple IRC bot, has a remote command execution vulnerability.

tags | remote
SHA-256 | de62902cfd60d5669ce7aa5ae775c74b939aa91c990f1a6f94003714552a1f80

Molly 0.5 - Remote Command Execution
Discovered By guejez of scan-associates.net

About Molly:
------------------
[quote from Molly homepage]

"Molly is a small, simple IRC bot that I use for intra-office communication. She
will handle lunch menus, stock quotes, take polls and stuff like that."

[/quote from Molly homepage]

Molly is available at http://www.lysator.liu.se/~unicorn/hacks/molly/


Vulnerable (tested) Versions:
--------------------
Molly version 0.5 on SuSe 7.3


Vendor Contact:
----------------
07-22-02 - Emailed unicorn ^^at^^ lysator.liu.se, alerting him to this
vulnerability
07-23-02 - Received email confirming vulnerabilities and stating some issues
will be fixed in newer versions and some will not be fixed.


Vulnerabilities:
----------------
-- Command Execution

1. Due to a call which sends unfiltered user input to be interpreted
by the shell, it is possible to run any command at the permission level
of the script.

A more detailed explanation:

In plugins/nslookup.pl the script makes a call to the shell, passing
user input in the $host variable:

@answer = `/usr/bin/nslookup $host`; # FIXME: Should be configurable.

The user input is not checked for any shell metacharacters or limited
to any set of characters, so users can execute commands by supplying
something like scan-associates.net;/bin/ls

I suggest fixing this by making sure $host contains only the characters \w
or '.' (this limits nslookup queries; you may want to come up with your own
filter). Then use system('/usr/bin/nslookup', $host); instead of backticks,
so that the $host variable is passed as an argument only, not to the shell.

The same advice should be used with:

@answer = `/home/hape/bin/winpopup.sh $to $from "$message"`;

in unusedplugins/pop.pl

`/home/hape/bin/sms.pl $words[2] $words[3] "$text"`;

in unusedplugins/sms.pl

and

open(SMB, "| smbclient '\\\\$server\\$printer' lkpcourse -P -U lkpcourse -n lkpcourse -W LKPIFS")
    || die("Couldn't open /tmp/hpled.tmp!");

in unusedplugins/hpled.pl. All of these make calls to the shell without
checking user input.


Proof Of Concept:
-----------------
No proof of concept will be given for these issues.


Fix:
----
According to the author, a fix for some of the issues will be in all
versions after 0.5. The author did make note that anything in the
unusedplugins/ directory is not maintained, may not work, and may introduce
security issues into your script. Use with caution. The website for Molly
reflects that there have been no fixes for any of these issues.

As a quick fix replace the following line in plugins/nslookup.pl:

@answer = `/usr/bin/nslookup $host`; # FIXME: Should be configurable.

With:

$host =~ s/[^\w\.]//g;    # keep only \w and '.'
# List form of open(): $host is handed to nslookup as a single argument
# and never reaches a shell, so no quoting is needed.
open(NSLOOKUP, "-|", "/usr/bin/nslookup", $host) || die("Couldn't run nslookup: $!");
@answer = <NSLOOKUP>;

I suggest not using any plugins from within unusedplugins, but if you must,
then replace the following line in unusedplugins/pop.pl

@answer = `/home/hape/bin/winpopup.sh $to $from "$message"`;

With:

$to =~ s/[^\w\.]//g;
$from =~ s/[^\w\.\s]//g;
# List form of open(): each variable is one argument to winpopup.sh and no
# shell is involved, so a quote or ';' in $message cannot break out.
open(WINPOP, "-|", "/home/hape/bin/winpopup.sh", $to, $from, $message)
    || die("Couldn't run winpopup.sh: $!");
@answer = <WINPOP>;

Replace the following line in unusedplugins/sms.pl

`/home/hape/bin/sms.pl $words[2] $words[3] "$text"`;

With:

$words[2] =~ s/[^\w\.\s]//g;
$words[3] =~ s/[^\w\.\s]//g;
$text =~ s/[^\w\.\s]//g;
system('/home/hape/bin/sms.pl', $words[2], $words[3], $text);

And replace the following line in unusedplugins/hpled.pl:

open(SMB, "| smbclient '\\\\$server\\$printer' lkpcourse -P -U lkpcourse -n lkpcourse -W LKPIFS")
    || die("Couldn't open /tmp/hpled.tmp!");

With:

$server =~ s/[^\w\.]//g;
$printer =~ s/[^\w\.]//g;
open(SMB, "| smbclient '\\\\$server\\$printer' lkpcourse -P -U lkpcourse -n lkpcourse -W LKPIFS")
    || die("Couldn't open /tmp/hpled.tmp!");
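As an added example (not the advisory's or Molly's own code), this Perl puts the two halves of the recommended fix together: a whitelist check on the host name and a list-form open() that keeps the argument out of the shell. The sub names valid_host, run_argv and safe_nslookup are my own.

```perl
#!/usr/bin/perl
# Added example, not Molly's own code: a hardened nslookup helper that
# applies both halves of the advisory's advice.
use strict;
use warnings;

# Whitelist check: only \w and '.' are accepted, as the advisory suggests.
# Rejecting bad input (instead of silently stripping it) tells the IRC user
# why nothing happened. \z rather than $ so a trailing newline cannot sneak in.
sub valid_host {
    my ($host) = @_;
    return 0 unless defined $host;
    return 0 if length($host) > 253;          # maximum DNS name length
    return $host =~ /^[\w.]+\z/ ? 1 : 0;
}

# Runs a command with the list form of open(): every element of @argv reaches
# the child as one argv entry and no shell ever sees the data.
sub run_argv {
    my (@argv) = @_;
    open(my $fh, "-|", @argv) or return undef;
    my @out = <$fh>;
    close($fh);
    return join("", @out);
}

sub safe_nslookup {
    my ($host) = @_;
    return "error: host may contain only letters, digits, '_' and '.'\n"
        unless valid_host($host);
    my $answer = run_argv("/usr/bin/nslookup", $host);
    return defined $answer ? $answer : "error: could not run nslookup: $!\n";
}

# Constructed inputs; the second is the advisory's own example of bad input.
for my $input ("lysator.liu.se", "scan-associates.net;/bin/ls") {
    printf "%-30s %s\n", $input, valid_host($input) ? "accepted" : "rejected";
}

# With /bin/echo standing in for nslookup you can see that the list form hands
# the metacharacters to the child literally, as one argument: nothing is split
# or interpreted, which is why the shell-string form was the problem.
print run_argv("/bin/echo", "scan-associates.net;/bin/ls");
```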


Thanks:
-------
irc.efnet.org #vuln - various people helping with Perl security issues.
pokleyzz, sk, and all of scan-associates.net


--------------------------------------------------------------------------
http://www.scan-associates.net/
