[ISecAuditors Security Advisories] SmbClientParser Perl module allows remote command execution

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [ISecAuditors Security Advisories] SmbClientParser Perl module allows remote command execution
From: ISecAuditors Security Advisories <advisories@xxxxxxxxxxxxxxxx>
Date: Fri, 18 Jul 2008 13:46:24 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Internet Security Auditors, S.L.
User-agent: Thunderbird 2.0.0.14 (Windows/20080421)

=============================================
INTERNET SECURITY AUDITORS ALERT 2006-006
- Original release date: February 28, 2006
- Last revised: July 18th, 2008
- Discovered by: Jesus Olmos Gonzalez
- Severity: 5/5
=============================================

I. VULNERABILITY
-------------------------
SmbClientParser perl module allows remote command execution.

II. BACKGROUND
-------------------------

SmbClientParser is a useful perl module to writing Netbios interactivecodes, is a wraper from linux smbclient command and can be downloadedfrom:

http://search.cpan.org/~alian/Filesys-SmbClientParser-2.7/SmbClientParser.pm

or installed:
perl -MCPAN -e shell
install Filesys::SmbClientParser

III. DESCRIPTION
-------------------------

If a host scans your shared folder whith a tool that uses this module,you can execute shell commands in his host.


This module has the following snippet of code:

my @var = `$pargs`;

pargs it is parsed with the following poor filters:

 my $pargs;
  if ($args=~/^([^;]*)$/) { # no ';' nickel
    $pargs=$1;
  } elsif ($smbscript) { # ';' is allowed inside -c ' '
    if ($args=~/^([^;]* -c '[^']*'[^;]*)$/) {
      $pargs=$1;
    } else { # what that ?
      die("Why a ';' here ? => $args");
    }
  } else { die("Why a ';' here ? => $args"); }

If thereis a folder inside a shared folder with the following name:

' x && xterm &#

The perl will spawn an xterm :)

Note that this was reported at 2006 and no answer received, becarefoul with cpan modules.


IV. PROOF OF CONCEPT
-------------------------
This folder name inside the shared folder:

' x && xterm &#

Will execute the following:

/usr/bin/smbclient "//x.x.x.x/vulns" -U "user%pass" -d0 -c 'cd "'x && xterm &#"' -D "/poc"

This proof of concept spawns a xterm at vyctims xwindow, replace xtermfor the evilcommands.


V. BUSINESS IMPACT
-------------------------
-

VI. SYSTEMS AFFECTED
-------------------------
Versions up to 2.7 included (all)

VII. SOLUTION
-------------------------
Use this patch:

138a139,146

>#------------------------------------------------------------------------------

> # Sanitize (jolmos[@]isecauditors[.]com)

>#------------------------------------------------------------------------------

> sub Sanitize {

> my $danger = $_[0]; #There are many danger bytes,but if the> $$danger =~ s/\n|\r|'|"|//ig; #danger string is inside ""or '' the only> #option is break with ' or "or \r or \n

> }
265a274
>     foreach my $i (@_) { &Sanitize(\$i); }
287a297
>   foreach my $i (@_) { &Sanitize(\$i); }
321a332
>     foreach my $i (@_) { &Sanitize(\$i); }
331a343
>   foreach my $i (@_) { &Sanitize(\$i); }
345a358
>     foreach my $i (@_) { &Sanitize(\$i); }
359a373
>     foreach my $i (@_) { &Sanitize(\$i); }
373a388
>   foreach my $i (@_) { &Sanitize(\$i); }
375a391
>
387a404
>     foreach my $i (@_) { &Sanitize(\$i); }
398a416
>        foreach my $i (@_) { &Sanitize(\$i); }
409a428
>       foreach my $i (@_) { &Sanitize(\$i); }
487a507
>     foreach my $i (@_) { &Sanitize(\$i); }

VIII. REFERENCES
-------------------------
http://search.cpan.org/~alian/Filesys-SmbClientParser-2.7/

IX. CREDITS
-------------------------

This vulnerability has been discovered and reported by Jesus OlmosGonzalez (jolmos (at) isecauditors (dot) com).


X. REVISION HISTORY
-------------------------
April 26, 2006: Initial release.
July  14, 2008: Patch added.
July  18, 2008: Published.

XI. DISCLOSURE TIMELINE
-------------------------
February  26, 2006: The vulnerability discovered by
                    Internet Security Auditors.
April     26, 2006: Initial vendor notification sent.
September 14, 2006: Second notification: correction in one week.
                    No correction.
December   2, 2006: Third notification: no response.
January   18, 2007: Forth notification: no response.
May        1, 2007: Fifth notification: no response.
November  11, 2007: Sixth notification: no response.
July      14, 2008: Seventh notification: no response from the
                    developer (Alain Barbet), we wrote the patch.

XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is"with no warranties or guarantees of fitness of use or otherwise.Internet Security Auditors accepts no responsibility for any damagecaused by the use or misuse of this information.

Prev by Date: [ MDVSA-2008:148 ] - Updated Firefox packages fix vulnerabilities
Next by Date: Re: Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution
Previous by thread: [ MDVSA-2008:148 ] - Updated Firefox packages fix vulnerabilities
Next by thread: [DSECRG-08-030] Claroline 1.8.9 Multiple Security Vulnerabilities
Index(es):
- Date
- Thread