Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

smbclientparser-exec.txt

🗓️ 18 Jul 2008 00:00:00Reported by Jesus Olmos GonzalezType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 21 Views

SmbClientParser perl module allows remote command execution. Vulnerability in versions up to 2.7

Code
`=============================================  
INTERNET SECURITY AUDITORS ALERT 2006-006  
- Original release date: February 28, 2006  
- Last revised: July 18th, 2008  
- Discovered by: Jesus Olmos Gonzalez  
- Severity: 5/5  
=============================================  
  
I. VULNERABILITY  
-------------------------  
SmbClientParser perl module allows remote command execution.  
  
II. BACKGROUND  
-------------------------  
SmbClientParser is a useful perl module to writing Netbios interactive   
codes, is a wraper from linux smbclient command and can be downloaded   
from:  
http://search.cpan.org/~alian/Filesys-SmbClientParser-2.7/SmbClientParser.pm  
  
or installed:  
perl -MCPAN -e shell  
install Filesys::SmbClientParser  
  
III. DESCRIPTION  
-------------------------  
If a host scans your shared folder whith a tool that uses this module,   
you can execute shell commands in his host.  
  
This module has the following snippet of code:  
  
my @var = `$pargs`;  
  
pargs it is parsed with the following poor filters:  
  
my $pargs;  
if ($args=~/^([^;]*)$/) { # no ';' nickel  
$pargs=$1;  
} elsif ($smbscript) { # ';' is allowed inside -c ' '  
if ($args=~/^([^;]* -c '[^']*'[^;]*)$/) {  
$pargs=$1;  
} else { # what that ?  
die("Why a ';' here ? => $args");  
}  
} else { die("Why a ';' here ? => $args"); }  
  
If thereis a folder inside a shared folder with the following name:  
  
' x && xterm &#  
  
The perl will spawn an xterm :)  
Note that this was reported at 2006 and no answer received, be   
carefoul with cpan modules.  
  
IV. PROOF OF CONCEPT  
-------------------------  
This folder name inside the shared folder:  
  
' x && xterm &#  
  
Will execute the following:  
/usr/bin/smbclient "//x.x.x.x/vulns" -U "user%pass" -d0 -c 'cd "'   
x && xterm &#"' -D "/poc"  
  
This proof of concept spawns a xterm at vyctims xwindow, replace xterm   
for the evilcommands.  
  
V. BUSINESS IMPACT  
-------------------------  
-  
  
VI. SYSTEMS AFFECTED  
-------------------------  
Versions up to 2.7 included (all)  
  
VII. SOLUTION  
-------------------------  
Use this patch:  
  
138a139,146  
>   
#------------------------------------------------------------------------------  
> # Sanitize (jolmos[@]isecauditors[.]com)  
>   
#------------------------------------------------------------------------------  
> sub Sanitize {  
> my $danger = $_[0]; #There are many danger bytes,   
but if the  
> $$danger =~ s/\n|\r|'|"|//ig; #danger string is inside ""   
or '' the only  
> #option is break with ' or "   
or \r or \n  
> }  
265a274  
> foreach my $i (@_) { &Sanitize(\$i); }  
287a297  
> foreach my $i (@_) { &Sanitize(\$i); }  
321a332  
> foreach my $i (@_) { &Sanitize(\$i); }  
331a343  
> foreach my $i (@_) { &Sanitize(\$i); }  
345a358  
> foreach my $i (@_) { &Sanitize(\$i); }  
359a373  
> foreach my $i (@_) { &Sanitize(\$i); }  
373a388  
> foreach my $i (@_) { &Sanitize(\$i); }  
375a391  
>  
387a404  
> foreach my $i (@_) { &Sanitize(\$i); }  
398a416  
> foreach my $i (@_) { &Sanitize(\$i); }  
409a428  
> foreach my $i (@_) { &Sanitize(\$i); }  
487a507  
> foreach my $i (@_) { &Sanitize(\$i); }  
  
VIII. REFERENCES  
-------------------------  
http://search.cpan.org/~alian/Filesys-SmbClientParser-2.7/  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered and reported by Jesus Olmos   
Gonzalez (jolmos (at) isecauditors (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
April 26, 2006: Initial release.  
July 14, 2008: Patch added.  
July 18, 2008: Published.  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
February 26, 2006: The vulnerability discovered by  
Internet Security Auditors.  
April 26, 2006: Initial vendor notification sent.  
September 14, 2006: Second notification: correction in one week.  
No correction.  
December 2, 2006: Third notification: no response.  
January 18, 2007: Forth notification: no response.  
May 1, 2007: Fifth notification: no response.  
November 11, 2007: Sixth notification: no response.  
July 14, 2008: Seventh notification: no response from the  
developer (Alain Barbet), we wrote the patch.  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"   
with no warranties or guarantees of fitness of use or otherwise.   
Internet Security Auditors accepts no responsibility for any damage   
caused by the use or misuse of this information.  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Jul 2008 00:00Current
7.4High risk
Vulners AI Score7.4
remote command executionvulnerabilityperl modulesmbclientparserinternet security auditors.
21