
Date:         Fri, 31 Mar 2000 20:42:05 -0600
From: Matt Carothers <matt@TELEPATH.COM>
Subject:      fcheck v.2.7.45 and insecure use of Perl's system()
To: BUGTRAQ@SECURITYFOCUS.COM


The short explanation:

fcheck is a file integrity checker written in perl.  It can send
warnings to syslog via an external program such as logger(1).  Because
it calls system() with a scalar argument, a malicious user can cause it
to execute programs by creating files with shell metacharacters in their
names.  Apply the attached patch to fix the problem and don't ever call
system() with a scalar argument.

The long explanation:

fcheck is a file integrity checker written in perl.  See
http://securityfocus.com/templates/tools_search.html?query=fcheck&index=tools
for a more detailed description and a download site.

Version v.2.7.45 is vulnerable.  Any older version which includes syslog
logging is probably vulnerable as well.

When called with the -l flag, fcheck sends warnings to syslog instead of
stdout by calling a program defined in the fcheck configuration file.
Unfortunately, the perl code looks like this:

	# A single string: perl hands it to /bin/sh -c, so anything in $Name is parsed as shell syntax
	$cmd=sprintf("%s -t %s \"WARNING: File addition: [%s] %s  [%s  %s %s  %s  %s]\"\n",
		$Logger, $Me, $ThisHost, $Name, $Inode, &ShowPerms($Perms),
		$Size, &ctime($Time), $Name);
	system($cmd);

Calling system() this way with a scalar argument rather than an array
passes the contents of the variable to the system shell (e.g. /bin/sh -c),
which interprets shell metacharacters.  This isn't new, and it isn't a
bug in perl.  The behavior is well documented in the perlfunc man page.

The impact is that if a malicious user can create files in a directory
monitored by fcheck, and fcheck runs with the -l switch, the user can
execute nearly arbitrary programs by using shell metacharacters in the
filenames.

Example:

[matt@shai-hulud /home/public]$ touch 'blah`touch exploit`'
[matt@shai-hulud /home/public]$ ls -l '/home/public/blah`touch exploit`'
-rw-r--r--  1 matt  wheel  0 Mar  3 21:17 /home/public/blah`touch exploit`

After running ./fcheck -asl as root from /usr/local/fcheck, I see this in
/var/log/messages (note that the end of the filename is missing):

Mar  4 03:24:22 shai-hulud fcheck: WARNING: File addition: [shai-hulud.telepath.com] /home/public/  [464662  -rw-r--r--  0  Mar 04 03:18 2000  /home/public/blah]

And here's the result of the command execution:

-rw-r--r--  1 root  wheel  0 Mar  3 21:24 /usr/local/fcheck/exploit

To resolve the problem, apply the attached patch, which alters the code
like so:

	# List form: $Logger is executed directly, each list element is one argument, no shell involved
	$warning=sprintf("\"WARNING: File addition: [%s] %s  [%s  %s  %s  %s %s]\"",
		$ThisHost, $Name, $Inode, &ShowPerms($Perms), $Size,
		&ctime($Time), $Name);
	system($Logger, "-t", $Me, $warning);
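As an added example (mine, not the advisory author's and not fcheck's own code), the script below exercises the list-form system() call from the patch against a filename built with the same backticks. The configured logger program is replaced by a child perl process that echoes its argv, an assumption made so the script runs without logger(1); the host name and the temporary directory are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not fcheck's code: the list-form system() fix from the
# advisory, exercised against a filename that contains backticks.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Temp qw(tempdir);

# Stand-in for the configured $Logger (an assumption; it is not logger(1)):
# a child perl that prints every argv element it receives on its own line.
# The trailing '--' ends perl's own switch parsing so that the '-t' passed
# below reaches @ARGV instead of being read as a perl switch.
my @Logger = ($^X, '-e', 'print "[$_]\n" for @ARGV', '--');
my $Me     = 'fcheck';

# Constructed test file using the metacharacters shown in the advisory.
my $orig_cwd = getcwd();
my $dir      = tempdir(CLEANUP => 1);
chdir $dir or die "chdir $dir: $!";
my $Name = "$dir/blah`touch exploit`";
open(my $fh, '>', $Name) or die "cannot create $Name: $!";
close $fh;

# Same message the patch builds, minus the \"...\" quoting: those quotes only
# existed to survive the shell, and the list form involves no shell.
my $warning = sprintf("WARNING: File addition: [%s] %s", 'example-host', $Name);

# For comparison, the string the original scalar form would hand to /bin/sh
# (shown with a plain 'logger' for readability; deliberately never executed).
printf "Scalar form would run through /bin/sh -c:\n  %s -t %s \"%s\"\n\n",
    'logger', $Me, $warning;

# Fixed shape: every list element becomes exactly one argv entry, so the
# backticks in $Name are ordinary bytes inside the last argument.
print "List form delivers these argv elements:\n";
system(@Logger, '-t', $Me, $warning) == 0
    or die "logger stand-in failed: $?";

# Nothing should have been executed: the file that `touch exploit` would
# have created in the current directory must not exist.
if (-e "$dir/exploit") {
    print "\nFAIL: a command was executed\n";
} else {
    print "\nOK: filename logged verbatim, no command executed\n";
}

# Leave the temporary directory so File::Temp can remove it at exit.
chdir $orig_cwd or die "chdir $orig_cwd: $!";
```

Run it as an unprivileged user; the last argv line printed by the child contains the whole filename, backticks included, which is exactly the part the syslog entry in the advisory was missing.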

I notified the author of the problem about a month ago, but after first
insisting that double quotes disarm metacharacters and then that it's
impossible to create a file with backticks in its name, he stopped
responding to my emails.  Go figure.

OBRant:

Ladies and gentlemen, there's a little lost puppy out there in the cold
rain scratching on your back door, and the tag on its collar says "Security."
Are we going to swat this puppy on the nose with the rolled up newspaper of
bad programming habits?  Or are we going to let it in, dry it off, feed it,
and clean up the carpet when it craps all over the place?  The decision is
up to you, my friends, but I for one am heading to the store for some puppy
chow and a pooperscooper.

- Matt

[Attachment: fcheck.patch]