Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:20194
HistoryJul 22, 2008 - 12:00 a.m.

[ISecAuditors Security Advisories] SmbClientParser Perl module allows remote command execution

2008-07-2200:00:00
vulners.com
17

=============================================
INTERNET SECURITY AUDITORS ALERT 2006-006

  • Original release date: February 28, 2006
  • Last revised: July 18th, 2008
  • Discovered by: Jesus Olmos Gonzalez
  • Severity: 5/5
    =============================================

I. VULNERABILITY

SmbClientParser perl module allows remote command execution.

II. BACKGROUND

SmbClientParser is a useful perl module to writing Netbios interactive
codes, is a wraper from linux smbclient command and can be downloaded
from:
http://search.cpan.org/~alian/Filesys-SmbClientParser-2.7/SmbClientParser.pm

or installed:
perl -MCPAN -e shell
install Filesys::SmbClientParser

III. DESCRIPTION

If a host scans your shared folder whith a tool that uses this module,
you can execute shell commands in his host.

This module has the following snippet of code:

my @var = `$pargs`;

pargs it is parsed with the following poor filters:

my $pargs;
if ($args=~/^([^;])$/) { # no ';' nickel
$pargs=$1;
} elsif ($smbscript) { # ';' is allowed inside -c ' '
if ($args=~/^([^;]
-c '[^']'[^;])$/) {
$pargs=$1;
} else { # what that ?
die("Why a ';' here ? => $args");
}
} else { die("Why a ';' here ? => $args"); }

If thereis a folder inside a shared folder with the following name:

' x && xterm &#

The perl will spawn an xterm :)
Note that this was reported at 2006 and no answer received, be
carefoul with cpan modules.

IV. PROOF OF CONCEPT

This folder name inside the shared folder:

' x && xterm &#

Will execute the following:
/usr/bin/smbclient "//x.x.x.x/vulns" -U "user%pass" -d0 -c 'cd "'
x && xterm &#"' -D "/poc"

This proof of concept spawns a xterm at vyctims xwindow, replace xterm
for the evilcommands.

V. BUSINESS IMPACT

VI. SYSTEMS AFFECTED

Versions up to 2.7 included (all)

VII. SOLUTION

Use this patch:

138a139,146
>
#------------------------------------------------------------------------------
> # Sanitize (jolmos[@]isecauditors[.]com)
>
#------------------------------------------------------------------------------
> sub Sanitize {
> my $danger = $[0]; #There are many danger bytes,
but if the
> $$danger =~ s/\n|\r|'|"|//ig; #danger string is inside ""
or '' the only
> #option is break with ' or "
or \r or \n
> }
265a274
> foreach my $i (@
) { &Sanitize(\$i); }
287a297
> foreach my $i (@) { &Sanitize(\$i); }
321a332
> foreach my $i (@
) { &Sanitize(\$i); }
331a343
> foreach my $i (@) { &Sanitize(\$i); }
345a358
> foreach my $i (@
) { &Sanitize(\$i); }
359a373
> foreach my $i (@) { &Sanitize(\$i); }
373a388
> foreach my $i (@
) { &Sanitize(\$i); }
375a391
>
387a404
> foreach my $i (@) { &Sanitize(\$i); }
398a416
> foreach my $i (@
) { &Sanitize(\$i); }
409a428
> foreach my $i (@) { &Sanitize(\$i); }
487a507
> foreach my $i (@
) { &Sanitize(\$i); }

VIII. REFERENCES

http://search.cpan.org/~alian/Filesys-SmbClientParser-2.7/

IX. CREDITS

This vulnerability has been discovered and reported by Jesus Olmos
Gonzalez (jolmos (at) isecauditors (dot) com).

X. REVISION HISTORY

April 26, 2006: Initial release.
July 14, 2008: Patch added.
July 18, 2008: Published.

XI. DISCLOSURE TIMELINE

February 26, 2006: The vulnerability discovered by
Internet Security Auditors.
April 26, 2006: Initial vendor notification sent.
September 14, 2006: Second notification: correction in one week.
No correction.
December 2, 2006: Third notification: no response.
January 18, 2007: Forth notification: no response.
May 1, 2007: Fifth notification: no response.
November 11, 2007: Sixth notification: no response.
July 14, 2008: Seventh notification: no response from the
developer (Alain Barbet), we wrote the patch.

XII. LEGAL NOTICES

The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.