|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 4027 CVE : CVE-2008-3285 CWE : CWE-94 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : No Victim interaction required : Yes Exploit Available : No Credit : ISecAuditors Security Advisories (advisories isecauditors com) Published : 25.07.2008
Advisory Content : ============================================= INTERNET SECURITY AUDITORS ALERT 2006-006 - Original release date: February 28, 2006 - Last revised: July 18th, 2008 - Discovered by: Jesus Olmos Gonzalez - Severity: 5/5 ============================================= I. VULNERABILITY ------------------------- SmbClientParser perl module allows remote command execution. II. BACKGROUND ------------------------- SmbClientParser is a useful perl module to writing Netbios interactive codes, is a wraper from linux smbclient command and can be downloaded from: http://search.cpan.org/~alian/Filesys-SmbClientParser-2.7/SmbClientParse r.pm or installed: perl -MCPAN -e shell install Filesys::SmbClientParser III. DESCRIPTION ------------------------- If a host scans your shared folder whith a tool that uses this module, you can execute shell commands in his host. This module has the following snippet of code: my @var = `$pargs`; pargs it is parsed with the following poor filters: my $pargs; if ($args=~/^([^;]*)$/) { # no ';' nickel $pargs=$1; } elsif ($smbscript) { # ';' is allowed inside -c ' ' if ($args=~/^([^;]* -c '[^']*'[^;]*)$/) { $pargs=$1; } else { # what that ? die("Why a ';' here ? => $args"); } } else { die("Why a ';' here ? => $args"); } If thereis a folder inside a shared folder with the following name: ' x && xterm &# The perl will spawn an xterm :) Note that this was reported at 2006 and no answer received, be carefoul with cpan modules. IV. PROOF OF CONCEPT ------------------------- This folder name inside the shared folder: ' x && xterm &# Will execute the following: /usr/bin/smbclient "//x.x.x.x/vulns" -U "user%pass" -d0 -c 'cd "' x && xterm &#"' -D "/poc" This proof of concept spawns a xterm at vyctims xwindow, replace xterm for the evilcommands. V. BUSINESS IMPACT ------------------------- - VI. SYSTEMS AFFECTED ------------------------- Versions up to 2.7 included (all) VII. SOLUTION ------------------------- Use this patch: 138a139,146 > #----------------------------------------------------------------------- ------- > # Sanitize (jolmos[@]isecauditors[.]com) > #----------------------------------------------------------------------- ------- > sub Sanitize { > my $danger = $_[0]; #There are many danger bytes, but if the > $$danger =~ s/\n|\r|'|"|//ig; #danger string is inside "" or '' the only > #option is break with ' or " or \r or \n > } 265a274 > foreach my $i (@_) { &Sanitize(\$i); } 287a297 > foreach my $i (@_) { &Sanitize(\$i); } 321a332 > foreach my $i (@_) { &Sanitize(\$i); } 331a343 > foreach my $i (@_) { &Sanitize(\$i); } 345a358 > foreach my $i (@_) { &Sanitize(\$i); } 359a373 > foreach my $i (@_) { &Sanitize(\$i); } 373a388 > foreach my $i (@_) { &Sanitize(\$i); } 375a391 > 387a404 > foreach my $i (@_) { &Sanitize(\$i); } 398a416 > foreach my $i (@_) { &Sanitize(\$i); } 409a428 > foreach my $i (@_) { &Sanitize(\$i); } 487a507 > foreach my $i (@_) { &Sanitize(\$i); } VIII. REFERENCES ------------------------- http://search.cpan.org/~alian/Filesys-SmbClientParser-2.7/ IX. CREDITS ------------------------- This vulnerability has been discovered and reported by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com). X. REVISION HISTORY ------------------------- April 26, 2006: Initial release. July 14, 2008: Patch added. July 18, 2008: Published. XI. DISCLOSURE TIMELINE ------------------------- February 26, 2006: The vulnerability discovered by Internet Security Auditors. April 26, 2006: Initial vendor notification sent. September 14, 2006: Second notification: correction in one week. No correction. December 2, 2006: Third notification: no response. January 18, 2007: Forth notification: no response. May 1, 2007: Fifth notification: no response. November 11, 2007: Sixth notification: no response. July 14, 2008: Seventh notification: no response from the developer (Alain Barbet), we wrote the patch. XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information. References : http://xforce.iss.net/xforce/xfdb/43910
http://www.securityfocus.com/bid/30290
http://www.securityfocus.com/archive/1/archive/1/494536/100/0/threaded
http://secunia.com/advisories/31175  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Allow attacker to denial of service apache 2.2.17 server |
||
| Apache |  |
|
| PHP | |
|
» libzip 0.9.3 |
||
| ADT | ||
Protect your family and valuables with Home Security Systems |
||
- 2011-05-13| Copyright © SecurityReason.com. All Rights Reserved. |