perlbot-1.9.2.txt
Posted Oct 21, 2002
Authored by Guejez | Site scan-associates.net

Perlbot v1.9.2 contains a remote command execution vulnerability. Fix included.

tags | remote
SHA-256 | 1cb46c10f809342bb6dcd5681375800119327da30ee9b0584de6fcf65a6bec19

perlbot 1.9.2 - Remote Command Execution
Discovered By guejez of scan-associates.net

About perlbot:
------------------
[quote from freshmeat]

"Perlbot is an IRC bot written in Perl. It depends on Net::IRC and its goals
are simplicity, a small footprint, and modularity. It's meant as a more
easily configured but (for now) less robust alternative to bots like eggdrop.
It's also noticeably faster by the authors' tests. The base bot allows
auto-opping, notes, multiple channels, channel forwarding/bridging, etc., but
much much more is possible through the use of plugins. Many plugins are
included, and it should be easy for anyone with some knowledge of perl to
write their own plugins"

[/quote from freshmeat]

perlbot is available at http://perlbot.sourceforge.net


Vulnerable (tested) Versions:
--------------------
Perlbot version 1.9.2 on SuSe 7.3


Vendor Contact:
----------------
07-22-02 - Emailed burke ^^at^^ bitflood.org and jmuhlich ^^at^^ bitflood.org
           Alerted them of this vulnerability
07-22-02 - Received email confirming vulnerabilities and stating fixes will
           be in new version.


Vulnerabilities:
----------------
-- Command Execution

1. Due to poor input filtering and a call to the shell, it is possible to
issue commands remotely through the IRC interface of this bot. Commands will
be executed with the uid under which the bot is run.

A more detailed explanation:

The script tries to make a secure shell call to the aspell program by
filtering user input. It does so in Plugins/Misc/SpelCheck/SpelCheck.pm like
this:

$text =~ s/\`//g;
$text =~ s/\$//g;
$text =~ s/\|//g;

Then the call to the shell is:

my @spell = `echo "$text"| aspell -S -a 2>&1`;

To issue a command one could "break out" of the double quotes around $text
and then issue a separate command by using ; since the filter removes neither
character. To prevent this, more restrictive input filtering needs to be put
in place. The author said they will change from using aspell to using a
Google API for spell checking. This provides better support for people who
don't have aspell installed and more security.
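
An alternative to filtering is to keep the shell out of the call entirely.
The sketch below is an added example, not perlbot's code or the author's fix:
spell_check() is a hypothetical helper that runs the checker from an argument
list and passes the text on stdin, and 'cat' stands in for aspell in the demo.

```perl
#!/usr/bin/perl
# Added example (not perlbot code): run the spell checker without a shell.
use strict;
use warnings;
use IPC::Open2;

# spell_check() is a hypothetical helper. The default command reuses the
# aspell flags quoted in the advisory; the command is always fixed by the
# caller's code and never built from user input.
sub spell_check {
    my ($text, @cmd) = @_;
    @cmd = ('aspell', '-S', '-a') unless @cmd;

    # Keep the input on one line so it is a single request to the checker.
    $text =~ s/[\r\n]+/ /g;

    # List form: the program is exec'd directly, so no shell ever parses
    # $text and quotes, ';', '|', '$' or backticks have no special meaning.
    my ($from_child, $to_child);
    my $pid = open2($from_child, $to_child, @cmd);

    # In ispell-style pipe mode (-a) a leading '^' marks the rest of the
    # line as text to check, so input starting with '*', '@', '#', etc.
    # is not taken as a checker command.
    print {$to_child} '^', $text, "\n";
    close $to_child;

    my @lines = <$from_child>;
    close $from_child;
    waitpid $pid, 0;
    return @lines;
}

# Constructed sample input containing shell metacharacters. 'cat' stands in
# for aspell so the demo runs on hosts without aspell installed.
my $sample = q{speling `eror` $x | y; (ok) & z};
my @out = spell_check($sample, 'cat');
print "passed through as data: ",
      ($out[0] eq "^$sample\n" ? "yes" : "no"), "\n";
```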


2. Due to poor input filtering and a bad open() call, it is possible to
execute commands.

A more detailed explanation:

The script tries to prevent reverse directory traversal by filtering user
input to disallow '..' in Plog.pl:

$p =~ s/\.\.//g; # so people can't read arbitrary files

$filename .= $p;

Then in HTMLPlog.pm it uses this variable to open a file in an unsafe way:

open FILE, $filename;

This allows for command execution if $filename ends in a |, because Perl's
two-argument open() treats such a name as a command to run and read from.
Combine this with the ability to do directory traversal with .\./ and you
can issue any command the script has permission to.


-- Path Traversal

1. Due to poor input filtering, it is possible to read any file on the server
the script has permission to.

A more detailed explanation:

This is the same issue as above, but without appending the | to the supplied
filename. This will allow an attacker to read any file the script has
permission to. The file contents will be sent to the client's browser.
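
Both the open() command execution and the path traversal above come from
passing a user-derived name straight to a two-argument open(). The sketch
below is an added example, not perlbot's code or the author's fix: open_log()
is a hypothetical helper, and the directory and file names are constructed.

```perl
#!/usr/bin/perl
# Added example (not perlbot code): open a requested log file safely.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Temp qw(tempdir);

# open_log() is a hypothetical helper; $base is the only directory served.
sub open_log {
    my ($base, $request) = @_;

    # Allow-list the characters in the name instead of deleting '..'.
    return unless $request =~ m{\A[\w.-]+(?:/[\w.-]+)*\z};

    # Resolve symlinks and dot segments, then require the result to stay
    # inside the base directory.
    my $root = realpath($base);
    return unless defined $root;
    my $path = realpath("$root/$request");
    return unless defined $path;
    return unless index($path, "$root/") == 0;

    # Three-argument open: the mode is fixed to '<', so a leading or
    # trailing '|' in the name is never read as a pipe to a command.
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed demo data in a throwaway directory.
my $dir = tempdir(CLEANUP => 1);
open(my $w, '>', "$dir/chan.log") or die "setup: $!";
print {$w} "12:00 <alice> hello\n";
close $w;

for my $req ('chan.log', '../etc/passwd', 'chan.log|', 'missing.log') {
    printf "%-16s %s\n", $req, open_log($dir, $req) ? 'served' : 'refused';
}
```

Only chan.log is served; the other three requests are refused.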


Proof Of Concept:
-----------------
No proof of concept will be given for these issues.

Fix:
----
According to the author, a fix will be released with version 1.9.3; until
then, my suggested patch for version 1.4.2 is to replace this line in
plugins/SpelCheck/Plugin.pm:

$args =~ tr/\w //c;

With:

$args =~ s/[^\w]//g;

For version 1.9.2 my suggested fix is to replace these lines in
Plugins/Misc/SpelCheck/SpelCheck.pm:

# $text =~ tr/\w//c;

$text =~ s/\`//g;
$text =~ s/\$//g;
$text =~ s/\|//g;

With:

$text =~ s/[^\w]//g;

As a temporary fix, for both versions, I suggest removing the
miscscripts/irclogs directory. Since the original draft of this advisory
there have been multiple new versions of perlbot; download any above 1.9.2.


Thanks:
-------
Samy Kamkar - bugtraq post on another perlbot got me thinking. Good shell
trick with $IFS.
irc.efnet.org #vuln - various people helping with perl security issues.
pokleyzz, sk , and all of scan-associates.net


--------------------------------------------------------------------------
http://www.scan-associates.net/
