smbclientparser-exec.txt

2008-07-18T00:00:00
ID PACKETSTORM:68328
Type packetstorm
Reporter Jesus Olmos Gonzalez
Modified 2008-07-18T00:00:00

Description

                                        
=============================================
INTERNET SECURITY AUDITORS ALERT 2006-006  
- Original release date: February 28, 2006  
- Last revised: July 18th, 2008  
- Discovered by: Jesus Olmos Gonzalez  
- Severity: 5/5  
=============================================  
  
I. VULNERABILITY  
-------------------------  
SmbClientParser perl module allows remote command execution.  
  
II. BACKGROUND  
-------------------------  
SmbClientParser is a useful perl module for writing interactive NetBIOS
code; it is a wrapper around the Linux smbclient command and can be
downloaded from:
http://search.cpan.org/~alian/Filesys-SmbClientParser-2.7/SmbClientParser.pm  
  
or installed:  
perl -MCPAN -e shell  
install Filesys::SmbClientParser  
  
III. DESCRIPTION  
-------------------------  
If a host scans your shared folder with a tool that uses this module,
you can execute shell commands on that host.
  
This module has the following snippet of code:  
  
my @var = `$pargs`;  
  
$pargs is derived from $args by the following weak filters:
  
my $pargs;
if ($args=~/^([^;]*)$/) { # no ';' nickel
    $pargs=$1;
} elsif ($smbscript) { # ';' is allowed inside -c ' '
    if ($args=~/^([^;]* -c '[^']*'[^;]*)$/) {
        $pargs=$1;
    } else { # what that ?
        die("Why a ';' here ? => $args");
    }
} else { die("Why a ';' here ? => $args"); }
  
If there is a folder inside the shared folder with the following name:
  
' x && xterm &#  
  
Perl will spawn an xterm :)
Note that this was reported in 2006 and no answer was received; be
careful with CPAN modules.
  
IV. PROOF OF CONCEPT  
-------------------------  
This folder name inside the shared folder:  
  
' x && xterm &#  
  
Will execute the following:  
/usr/bin/smbclient "//x.x.x.x/vulns" -U "user%pass" -d0 -c 'cd "' x && xterm &#"' -D "/poc"
  
This proof of concept spawns an xterm on the victim's X display; replace
xterm with the evil commands.
  
V. BUSINESS IMPACT  
-------------------------  
-  
  
VI. SYSTEMS AFFECTED  
-------------------------  
All versions up to and including 2.7.
  
VII. SOLUTION  
-------------------------  
Use this patch:  
  
138a139,146  
>   
#------------------------------------------------------------------------------  
> # Sanitize (jolmos[@]isecauditors[.]com)  
>   
#------------------------------------------------------------------------------  
> sub Sanitize {  
> my $danger = $_[0]; #There are many danger bytes,   
but if the  
> $$danger =~ s/\n|\r|'|"|//ig; #danger string is inside ""   
or '' the only  
> #option is break with ' or "   
or \r or \n  
> }  
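Review bot: the substitution in Sanitize, `s/\n|\r|'|"|//ig`, ends in an empty alternative, so the pattern also matches the empty string at every position; nothing extra is removed, but the substitution now reports success on every input, and the `i` flag does nothing for these characters. A character class without the trailing `|` (`s/[\r\n'"]//g`) says what is meant. The comment's claim that a string placed inside quotes can only break out with a quote or a newline holds only for single quotes: inside double quotes the shell still expands `$`, backticks and `\`, and the command shown in section IV wraps the credentials in double quotes (`-U "user%pass"`). Stripping characters also silently changes the name the tool operates on; rejecting such arguments, or better, running smbclient through a list-form `open`/`system` so that no shell parses them at all, removes the bug class rather than one encoding of it. As rendered here the hunk is also line-wrapped (the `>` markers sit alone above the `#----` lines and the comment text spills onto unprefixed lines), so it will not apply with `patch` until the lines are re-joined.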
265a274  
> foreach my $i (@_) { &Sanitize(\$i); }  
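Review bot: `foreach my $i (@_)` aliases `$i` to each element of `@_`, which in turn aliases the caller's variables, so `Sanitize(\$i)` rewrites the caller's arguments in place rather than a copy; if the functions at these lines are object methods, `$_[0]` is the invocant and it is passed through Sanitize too. Copy the arguments first (`my ($self, @args) = @_;`) and sanitize only `@args`, and check that callers passing string literals still work: a literal argument is read-only, and because the Sanitize pattern matches every input the substitution will attempt to modify it. The same line is repeated at 287, 321, 331, 345, 359, 373, 387, 398, 409 and 487 and the same comment applies to each.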
287a297  
> foreach my $i (@_) { &Sanitize(\$i); }  
321a332  
> foreach my $i (@_) { &Sanitize(\$i); }  
331a343  
> foreach my $i (@_) { &Sanitize(\$i); }  
345a358  
> foreach my $i (@_) { &Sanitize(\$i); }  
359a373  
> foreach my $i (@_) { &Sanitize(\$i); }  
373a388  
> foreach my $i (@_) { &Sanitize(\$i); }  
375a391  
>  
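Review bot: this hunk (`375a391`) inserts only an empty line, while every other hunk adds a Sanitize call; either the call was lost when the patch was wrapped for the advisory or this is a stray whitespace change. Confirm which function at line 375 it was meant to cover and restore the call, or drop the hunk.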
387a404  
> foreach my $i (@_) { &Sanitize(\$i); }  
398a416  
> foreach my $i (@_) { &Sanitize(\$i); }  
409a428  
> foreach my $i (@_) { &Sanitize(\$i); }  
487a507  
> foreach my $i (@_) { &Sanitize(\$i); }  
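
As an added defensive example (not code from the advisory or from the Filesys::SmbClientParser module), the following Perl shows the two changes a maintainer would make instead of the quote-stripping patch: refuse folder names containing quotes or control characters rather than silently editing them, and run smbclient through a list-form pipe open so that no shell ever parses the name. The share, credential, `-d0`, `-c` and `-D "/poc"` values are taken from the proof-of-concept command above; the helper names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Folder name from the advisory, constructed here as a literal so the
# checks below can be exercised offline.
my $evil_dir = q{' x && xterm &#};

# Reject rather than strip: a quote or control character in a name can
# only ever end the quoting context it is interpolated into, and silently
# removing characters makes the tool operate on a different name.
sub check_name {
    my ($name) = @_;
    return 0 if $name =~ /['"\r\n\0]/;
    return 1;
}

# Build argv for smbclient as a list. Nothing is joined into one string,
# so there is no shell parse for the folder name to break out of. The -c
# script is interpreted by smbclient itself, which is why the quote check
# above is still needed for the "cd" argument.
sub build_argv {
    my ($share, $cred, $dir) = @_;
    die "bad folder name: $dir\n" unless check_name($dir);
    return ('/usr/bin/smbclient', "//$share", '-U', $cred, '-d0',
            '-c', qq{cd "$dir"}, '-D', '/poc');
}

# List-form pipe open: with more than one element after '-|', perl execs
# the program directly and no shell sees the arguments (unlike backticks
# or a single-string open, which hand the whole line to /bin/sh).
sub run_smbclient {
    my (@argv) = @_;
    open(my $out, '-|', @argv) or die "cannot run $argv[0]: $!";
    my @lines = <$out>;
    close $out;
    return @lines;
}

# Exercise the checks without needing smbclient installed.
print check_name('poc')     ? "ok: poc\n"  : "reject: poc\n";
print check_name($evil_dir) ? "ok: evil\n" : "reject: evil\n";
eval { build_argv('x.x.x.x/vulns', 'user%pass', $evil_dir) };
print "build_argv refused it: $@" if $@;
my @argv = build_argv('x.x.x.x/vulns', 'user%pass', 'poc');
print join(' | ', @argv), "\n";   # each element is one argv entry
```
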
  
VIII. REFERENCES  
-------------------------  
http://search.cpan.org/~alian/Filesys-SmbClientParser-2.7/  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered and reported by Jesus Olmos   
Gonzalez (jolmos (at) isecauditors (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
April 26, 2006: Initial release.  
July 14, 2008: Patch added.  
July 18, 2008: Published.  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
February 26, 2006: The vulnerability was discovered by
Internet Security Auditors.
April 26, 2006: Initial vendor notification sent.  
September 14, 2006: Second notification: correction in one week.  
No correction.  
December 2, 2006: Third notification: no response.  
January 18, 2007: Fourth notification: no response.
May 1, 2007: Fifth notification: no response.  
November 11, 2007: Sixth notification: no response.  
July 14, 2008: Seventh notification: no response from the
developer (Alain Barbet); we wrote the patch.
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"   
with no warranties or guarantees of fitness of use or otherwise.   
Internet Security Auditors accepts no responsibility for any damage   
caused by the use or misuse of this information.  