Date: Fri, 31 Mar 2000 20:42:05 -0600
From: Matt Carothers <matt@TELEPATH.COM>
Subject: fcheck v.2.7.45 and insecure use of Perl's system()
To: BUGTRAQ@SECURITYFOCUS.COM

The short explanation:

fcheck is a file integrity checker written in perl. It can send warnings to syslog via an external program such as logger(1). Because it calls system() with a scalar argument, a malicious user can cause it to execute programs by creating files with shell metacharacters in their names. Apply the attached patch to fix the problem, and don't ever call system() with a scalar argument.

The long explanation:

fcheck is a file integrity checker written in perl. See http://securityfocus.com/templates/tools_search.html?query=fcheck&index=tools for a more detailed description and a download site. Version v.2.7.45 is vulnerable. Any older version which includes syslog logging is probably vulnerable as well.

When called with the -l flag, fcheck sends warnings to syslog instead of stdout by calling a program defined in the fcheck configuration file. Unfortunately, the perl code looks like this:

    $cmd=sprintf("%s -t %s \"WARNING: File addition: [%s] %s [%s %s %s %s %s]\"\n",
        $Logger, $Me, $ThisHost, $Name, $Inode, &ShowPerms($Perms), $Size, &ctime($Time), $Name);
    system($cmd);

Calling system() this way, with a single scalar argument rather than a list, passes the contents of the variable to the system shell (e.g. /bin/sh -c) whenever the string contains shell metacharacters, and the shell then interprets them. This isn't new, and it isn't a bug in perl: the behavior is well documented in the perlfunc man page.
The impact is that if a malicious user can create files in a directory monitored by fcheck, and fcheck runs with the -l switch, the user can execute nearly arbitrary programs by using shell metacharacters in the filenames. Example:

    [matt@shai-hulud /home/public]$ touch 'blah`touch exploit`'
    [matt@shai-hulud /home/public]$ ls -l '/home/public/blah`touch exploit`'
    -rw-r--r-- 1 matt wheel 0 Mar 3 21:17 /home/public/blah`touch exploit`

After running ./fcheck -asl as root from /usr/local/fcheck, I see this in /var/log/messages (note that the end of the filename is missing):

    Mar 4 03:24:22 shai-hulud fcheck: WARNING: File addition: [shai-hulud.telepath.com] /home/public/ [464662 -rw-r--r-- 0 Mar 04 03:18 2000 /home/public/blah]

And here's the result of the command execution:

    -rw-r--r-- 1 root wheel 0 Mar 3 21:24 /usr/local/fcheck/exploit

To resolve the problem, apply the attached patch, which alters the code like so:

    $warning=sprintf("\"WARNING: File addition: [%s] %s [%s %s %s %s %s]\"",
        $ThisHost, $Name, $Inode, &ShowPerms($Perms), $Size, &ctime($Time), $Name);
    system($Logger, "-t", $Me, $warning);

I notified the author of the problem about a month ago, but after first insisting that double quotes disarm metacharacters and then that it's impossible to create a file with backticks in its name, he stopped responding to my emails. Go figure.

OBRant: Ladies and gentlemen, there's a little lost puppy out there in the cold rain scratching on your back door, and the tag on its collar says "Security." Are we going to swat this puppy on the nose with the rolled up newspaper of bad programming habits? Or are we going to let it in, dry it off, feed it, and clean up the carpet when it craps all over the place? The decision is up to you, my friends, but I for one am heading to the store for some puppy chow and a pooperscooper.
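The following script is an added example and is not fcheck's code or part of the advisory. It shows the two system() dispatch rules the advisory relies on, using /bin/echo as a stand-in for the syslog helper ($Logger in fcheck) so that it runs anywhere, and it adds a checked wrapper in the shape of the patched call. The filename is constructed and its embedded command only echoes a marker; log_warning is a name chosen here, not a sub that exists in fcheck.

```perl
#!/usr/bin/perl
# Added example, not fcheck's own code: shows how perl dispatches the
# scalar and the list forms of system(), and a checked wrapper in the
# shape of the patched fcheck call. /bin/echo stands in for the syslog
# helper ($Logger in fcheck) so the script runs without syslog; the
# dispatch rules are the same for any program.
use strict;
use warnings;

my $logger = '/bin/echo';          # stand-in for fcheck's $Logger
my $tag    = 'fcheck';             # stand-in for fcheck's $Me

# Constructed filename of the kind a local user can create in a monitored
# directory. The embedded command is deliberately harmless: it only echoes
# a marker, so its effect is visible in the output.
my $name = 'blah`echo INJECTED`';

# 1. Scalar form (what fcheck v.2.7.45 does). Because the string contains
#    shell metacharacters, perl runs it as /bin/sh -c "...", and sh expands
#    the backticks before echo sees its arguments. The double quotes do not
#    help: backticks are expanded inside them.
my $cmd = sprintf("%s -t %s \"WARNING: File addition: %s\"", $logger, $tag, $name);
print "scalar form: ";
system($cmd);
# prints: -t fcheck WARNING: File addition: blahINJECTED

# 2. List form (what the patch does). With more than one element, perl
#    execs $logger directly; each element is exactly one argv entry and no
#    shell is involved, so the backticks arrive literally.
my $warning = sprintf("WARNING: File addition: %s", $name);
print "list form:   ";
system($logger, '-t', $tag, $warning);
# prints: -t fcheck WARNING: File addition: blah`echo INJECTED`

# 3. The list form can fail where the shell form used to "work": if $prog
#    is not an executable path the exec fails and system() returns -1. A
#    warning that cannot be delivered should not vanish, so check the
#    status and fall back to stderr. (log_warning is a name chosen for
#    this example, not a sub in fcheck.)
sub log_warning {
    my ($prog, $ident, $message) = @_;
    my $rc = system($prog, '-t', $ident, $message);
    if ($rc == -1) {
        warn "$ident: cannot run $prog ($!); $message\n";
        return 0;
    }
    if ($rc != 0) {
        warn "$ident: $prog exited with status ", $? >> 8, "; $message\n";
        return 0;
    }
    return 1;
}

log_warning($logger, $tag, $warning);                 # delivered
log_warning('/nonexistent/logger', $tag, $warning);   # falls back to stderr
```

Under `use warnings` perl also prints its own "Can't exec" line for the second log_warning call; the sub's return value is what a caller should act on. Note that the list form never splits its elements, so a configuration value that bundles options into $Logger (for example a program name followed by "-p facility.level") has to become separate list elements once the patch is applied.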
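The audit script below is an added example, not part of fcheck or the advisory. It walks the directories fcheck monitors (any directories given on the command line; the current directory by default, an assumption of this example) and reports every entry whose name contains a character that /bin/sh would interpret, which is exactly the class of name that a scalar system() call hands to the shell. has_shell_meta and find_suspect_names are names chosen here.

```perl
#!/usr/bin/perl
# Added example, not part of fcheck: audit a directory tree for filenames
# containing characters that /bin/sh interprets, i.e. the names that a
# scalar system() call would have handed to the shell. Run it over the
# directories fcheck monitors before and after applying the patch; such
# names are rare in normal trees and worth a look regardless of fcheck.
use strict;
use warnings;
use File::Find;

# Conservative set: backtick and $ (command and variable expansion),
# ; & | < > ( ) (command separators and redirection), quoting and
# globbing characters, and whitespace (word splitting). $ is escaped so
# that perl does not interpolate the special variable $; into the pattern.
my $SHELL_META = qr/[`\$;&|<>(){}\[\]\\'"*?~\s]/;

sub has_shell_meta {
    my ($name) = @_;
    return $name =~ $SHELL_META ? 1 : 0;
}

# Walk the given roots and return the full path of every entry whose
# basename ($_ inside the File::Find callback) contains a metacharacter.
sub find_suspect_names {
    my (@roots) = @_;
    my @hits;
    find(sub { push @hits, $File::Find::name if has_shell_meta($_) }, @roots);
    return @hits;
}

# Self-check on constructed names: the advisory's example must be flagged,
# an ordinary name must not.
die "detector missed the advisory's example\n" unless has_shell_meta('blah`touch exploit`');
die "false positive on a plain name\n" if has_shell_meta('report-2000-03.txt');

my @roots = @ARGV ? @ARGV : ('.');   # directories to audit; default is cwd
for my $path (find_suspect_names(@roots)) {
    print "SUSPECT: $path\n";
}
```

Whitespace is included deliberately: a space in a filename is harmless to the list form of system(), but in the scalar form it splits the name into several shell words, so a name with a space is already being parsed by the shell even before any backtick is involved.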
- Matt

Content-Type: TEXT/PLAIN; charset=US-ASCII; name="fcheck.patch"
Content-Disposition: attachment; filename="fcheck.patch"

--- fcheck.orig	Mon Mar 20 17:27:04 2000
+++ fcheck	Fri Mar 31 18:13:38 2000
@@ -327,11 +327,11 @@
               {
               if($Logging)
 		{
-                $cmd=sprintf("%s -t %s \"WARNING: [%s] %s [%s  %s  %s  %s  %s]  Was modified to reflect the following:  [%s  %s  %s  %s  %s]\"\n",
-                $Logger, $Me, $ThisHost, $L_Name, $B_Inode, &ShowPerms($B_Perms),
+                $warning=sprintf("\"WARNING: [%s] %s [%s  %s  %s  %s  %s]  Was modified to reflect the following:  [%s  %s  %s  %s  %s]\"",
+                $ThisHost, $L_Name, $B_Inode, &ShowPerms($B_Perms),
                 $B_Size, &ctime($B_Time), $B_Name, $L_Inode, &ShowPerms($L_Perms),
                 $L_Size, &ctime($L_Time), $L_Name);
-		system($cmd);
+		system($Logger, "-t", $Me, $warning);
 		}
 	      else
 		{
@@ -351,11 +351,11 @@
 		{
               if($Logging)
 		{
-                $cmd=sprintf("%s -t %s \"WARNING: [%s] %s [%s  %s  %s  %s  %s]  Was modified to reflect the following:  [%s  %s  %s  %s  %s]\"\n",
-                $Logger, $Me, $ThisHost, $L_Name, $B_Inode, &ShowPerms($B_Perms),
+                $warning=sprintf("\"WARNING: [%s] %s [%s  %s  %s  %s  %s]  Was modified to reflect the following:  [%s  %s  %s  %s  %s]\"",
+                $ThisHost, $L_Name, $B_Inode, &ShowPerms($B_Perms),
                 $B_Size, &ctime($B_Time), $B_Name, $L_Inode, &ShowPerms($L_Perms),
                 $L_Size, &ctime($L_Time), $L_Name);
-		system($cmd);
+		system($Logger, "-t", $Me, $warning);
 		}
 	      else
 		{
@@ -380,11 +380,11 @@
 	      {
 	      if($Logging)
 		{
-                $cmd=sprintf("%s -t %s \"WARNING: [%s] %s [%s  %s  %s  %s  %s]  Was modified to reflect the following:  [%s  %s  %s  %s  %s]\"\n",
-                $Logger, $Me, $ThisHost, $L_Name, $B_Inode, &ShowPerms($B_Perms),
+                $warning=sprintf("\"WARNING: [%s] %s [%s  %s  %s  %s  %s]  Was modified to reflect the following:  [%s  %s  %s  %s  %s]\"",
+                $ThisHost, $L_Name, $B_Inode, &ShowPerms($B_Perms),
                 $B_Size, &ctime($B_Time), $B_Name, $L_Inode, &ShowPerms($L_Perms),
                 $L_Size, &ctime($L_Time), $L_Name);
-		system($cmd);
+		system($Logger, "-t", $Me, $warning);
 		}
 	      else
 		{
@@ -404,11 +404,11 @@
 		{
               if($Logging)
 		{
-                $cmd=sprintf("%s -t %s \"WARNING: [%s] %s [%s  %s  %s  %s  %s]  Was modified to reflect the following:  [%s  %s  %s  %s  %s]\"\n",
-                $Logger, $Me, $ThisHost, $L_Name, $B_Inode, &ShowPerms($B_Perms),
+                $warning=sprintf("\"WARNING: [%s] %s [%s  %s  %s  %s  %s]  Was modified to reflect the following:  [%s  %s  %s  %s  %s]\"",
+                $ThisHost, $L_Name, $B_Inode, &ShowPerms($B_Perms),
                 $B_Size, &ctime($B_Time), $B_Name, $L_Inode, &ShowPerms($L_Perms),
                 $L_Size, &ctime($L_Time), $L_Name);
-		system($cmd);
+		system($Logger, "-t", $Me, $warning);
 		}
 	      else
 		{
@@ -435,9 +435,9 @@
       ($Inode, $Perms, $Size, $Time, $Name, $CRC) = split("!", $Live);
       if($Logging)
 	{
-        $cmd=sprintf("%s -t %s \"WARNING: File addition: [%s] %s  [%s  %s  %s  %s  %s]\"\n",
-        $Logger, $Me, $ThisHost, $Name, $Inode, &ShowPerms($Perms), $Size, &ctime($Time), $Name);
-	system($cmd);
+        $warning=sprintf("\"WARNING: File addition: [%s] %s  [%s  %s  %s  %s  %s]\"",
+        $ThisHost, $Name, $Inode, &ShowPerms($Perms), $Size, &ctime($Time), $Name);
+	system($Logger, "-t", $Me, $warning);
 	}
       else
 	{
@@ -456,9 +456,9 @@
       ($Inode, $Perms, $Size, $Time, $Name, $CRC) = split("!", $Base);
       if($Logging)
 	{
-        $cmd=sprintf("%s -t %s \"WARNING: File deletion: [%s] %s  [%s  %s  %s  %s  %s]\"\n",
-        $Logger, $Me, $ThisHost, $Name, $Inode, &ShowPerms($Perms), $Size, &ctime($Time), $Name);
-	system($cmd);
+        $warning=sprintf("\"WARNING: File deletion: [%s] %s  [%s  %s  %s  %s  %s]\"",
+        $ThisHost, $Name, $Inode, &ShowPerms($Perms), $Size, &ctime($Time), $Name);
+	system($Logger, "-t", $Me, $warning);
 	}
       else
 	{
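Review bot: every new $warning format string in the patch still opens and closes with an escaped double quote (`\"WARNING: ... \"`), which the old code needed only to keep the message together when the whole command line went through sh -c. With `system($Logger, "-t", $Me, $warning)` the message is already a single argv element, so those quote characters are now passed to the logger program literally and will appear in the syslog line. Suggest dropping the `\"` from both ends of each format string, e.g. `$warning=sprintf("WARNING: File addition: [%s] %s  [%s  %s  %s  %s  %s]",`.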
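Review bot: none of the six hunks checks what system() returns, and the list form fails in a case the shell form tolerated: if the configured $Logger is not the path of an executable, for instance because the config value bundles options after the program name, the exec fails, system() returns -1, and the warning is dropped with nothing written anywhere. Suggest testing the status and falling back to stdout, e.g. `if (system($Logger, "-t", $Me, $warning) != 0) { print "$warning\n"; }`, and documenting that $Logger must now name a program only, with any options supplied as further list elements.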
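Review bot: the hunks at 327, 351, 380 and 404 apply the identical change four times, and the two split("!") hunks at 435 and 456 differ only in "addition"/"deletion" and $Live/$Base. Since the same three lines (sprintf, system, status handling) now live in six places, suggest a single sub that takes the formatted message, e.g. `sub SyslogWarning { my ($warning) = @_; return system($Logger, "-t", $Me, $warning); }`, so the next change to how warnings are emitted lands in one place rather than six.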