Stories
Slash Boxes
Comments

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

Perl

IlyaM

RPC without borders

SOAP::Lite

More on Module News

Also by ziggy

Serious SOAP::Lite Security Hole Discovered

posted by ziggy on 2002.04.08 20:00   Printer-friendly
IlyaM writes "About four months ago there was Phrack article named RPC without borders which describes quite serious security hole in SOAP::Lite module. In short, SOAP::Lite allows to call any Perl subroutine on side of SOAP::Lite based server. Strangely enough it has gone mostly unnoticed and it hasn't been fixed. I've tried to research it further and wrote a simple exploit which instantly gives remote shell access to computer which runs a SOAP::Lite based server. It took me less than two hours to write this exploit. So assuming that security hole in SOAP::Lite have been known for a very long time, there is no reason to think that nobody else (i.e. blackhats) haven't done it."

This is a big one, and relates to how SOAP::Lite dispatches method calls at runtime, and how Perl executes dynamic method calls. The very best thing you can do is take down your SOAP servers until an update is available.

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Serious SOAP::Lite Security Hole Discovered 20 Comments More | Login | Reply /

 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.

  • Calling all programmers. (Score:4, Insightful)

    by cwest (1514) on 2002.04.08 20:54 (#6775) Homepage Journal
    I would like to urge anyone with a few spare tuits to get get on the soap-lite [perl.org] mailing list, download a copy of the latest sources [soaplite.com] and have a crack at this thing. SOAP and SOAP::Lite are both very popular and used by many people and Companies. Paul has done lots and lots of great work by providing us with SOAP::Lite, lets give him some help as a community. Thanks to the wonders of wireless, I'm downloading the source from the "throne" right now. I urge you all to do the same.
    --
    Casey West

  • Part of the reason I wrote my RPC::XML at all was because I wasn't comfortable with the way that Frontier::RPC published functions simply by "redirecting" calls to a specified package name-space. I don't know that it would be vulnerable, but I suspect it probably is. I was also bothered by this aspect of SOAP::Lite when I started using it as well, but I lacked the bandwidth to try and roll my own on that count. I feel pretty certain (though not 100%) that the server classes in RPC::XML are not vulnerable to this. I don't route incoming calls to an arbitrary namespace, I use a method-table. If you don't have an engraved invitation, you don't get to dance.

    So I'm doing the next best thing... joined up on the soaplite mailing list, am printing out the phrack article, and have in hand a sample exploit script Ilya was kind enough to send me. Looking forward to comparing notes with you guys tomorrow...

    --rjray

    --

    --rjray

    • It was pointed out to me on perlmonks [perlmonks.org] that Frontier::Daemon doesn't behave in the way I thought it did; it, too, requires that methods be explicitly added. I thought I had seen an example of using it with a class-namespace dispatch configuration, but I can't find that now that I look for it again.

      --rjray

      --

      --rjray

  • Patch (Score:3, Insightful)

    by IlyaM (2933) <ilya@martynov.org> on 2002.04.09 14:37 (#6793) Homepage Journal
    I've posted patch [yahoo.com] on soaplist maillist which should fix worst problem with SOAP::Lite. That is ability to call any Perl subrotine using fully qualified package names.
    --

    Ilya Martynov (http://martynov.org/ [martynov.org])

  • SOAP::Lite (Score:2, Interesting)

    by TorgoX (1933)
    Everyone makes mistakes, but I'm astonished at Kulchenko (the SOAP::Lite author) for letting this one happen. It's appalling!

    NOTE TO SELF: When a user (especially an untrusted one!) gives you data that you expect to be in a particular format, CHECK THAT IT IS IN THAT FORMAT, FOR CHRISSAKES!

    This whole thing would have been avoided if anyone had had, earlier on, the wits to do what Ilya M did, basically die "BAD JUJU" unless m/\A[a-zA-Z][a-zA-Z_0-9]*\z/

    I say that unless Kulchenko shows up and immediately

    • Re:SOAP::Lite (Score:4, Insightful)

      by jesse (2531) on 2002.04.10 0:55 (#6808) Journal
      Of course that leads into the discussion about how CPAN is a relative anarchy. SOAP::Lite is a namespace that pavel has registered and "owns". I've never seen anything that says there's a requirement that you have to maintain your code well to get a namespace registraion and upload it to CPAN. Personally, I'd love to see a tiered structure, as has been previously proposes, with "standard" modules that are maintained and managed as a standard library, "optional" modules with a refereed namespace and some level of QA and then the third tier free for all, which we all know and love. But yeah, we need a more general way for dealing with major security holes in popular modules.

    • This mistake is common in other XML-RPC libraries I've seen. It's hard enough to make the durn things work in the first place, let alone get the security right. This bug can be fixed, although SOAP::Lite allows *a lot* of leeway in its dispatch method.

      Some work is being done on the Frontier::RPC module(s). We'll have to look into this further.

    • Re:SOAP::Lite (Score:4, Informative)

      by paulclinger (1709) on 2002.04.10 21:29 (#6850)
      > but I'm astonished at Kulchenko (the SOAP::Lite author) for letting this one happen.
      I'm with you. I'm also astonished to find that it happened.

      > CHECK THAT IT IS IN THAT FORMAT, FOR CHRISSAKES!
      It's expected to be in that format. The reason for the problem is that method name wasn't verified against list of allowed methods when *class name is on the list of allowed classes*.

      > MONTHS after this was mentioned in Phrack
      Do you read Phrack daily? I don't read it at all. Randall brought it to my attention some time ago, and I was surprised to find later that it was discussed on perlmonks and nobody told me about that discussion. Unfortunaty with my schedule I'm only an occasional reader of use.perl, perlmonks and other perl sites.

      > and ownership gets transferred immediately to someone else
      Even though there is no such procedure, I wouldn't mind to know more about the person who would like to take this ownership.

      I'm not trying to downplay the issue. It's my fault. In addition to that, it's probably the worse time for releasing a new version: I'm moving and have all my computers packed and shipped. I do have copies and repository with me, however I don't have my testing environment and only sporadic online access in my hotel. Still I plan to release bugfix by the next week. If you don't think it's reasonable, let me know.

      Best wishes, Paul.

  • This is news? (Score:3, Insightful)

    by samtregar (2699) on 2002.04.10 0:50 (#6807) Homepage Journal
    Last I heard Paul had a patch ready to go for the next release.

    And while I'm posting mad, anyone that thought it was secure to run a public SOAP service on the Internet should get off the pipe. Villifying Paul for the total lack of security in SOAP is not cool. Yeah, sure, it was a bug in his code but everybody's code has bugs. If SOAP had a real security layer this kind of thing would be much less likely.

    -sam
    • So where's his release?
      --
        ---ict / Spoon
      • Yeah, what are we paying him for anyway? Oh, wait, we're not paying him. He's volunteering his time to give us code for free.

        SOAP::Lite is free software. If you want a new release badly enough then you have every right to fork the module and release it yourself. However, impotent whining is not allowed.

        -sam

        • So I fork it, release it to CPAN - oh wait. Can't do that.

          C'mon: important security problem, you say he has a patch ready for the next release. It doesn't take that much effort to release, surely?

          When was "Last I heard"? Last week? Last month? Last year?
          --
            ---ict / Spoon

          • So I fork it, release it to CPAN - oh wait. Can't do that.

            I think you can.

            The way I understand it, you can't overwrite his module, but you can realease your own module under a different name, and in that distribution include a version of SOAP::Lite that has patches fixed.

            So I could upload a module called "MARKF::SOAP::Lite" and in that distribution also have a version of SOAP::Lite that I've fixed. Then from the CPAN.pm prompt when I said "install MARKF::SOAP::Lite" I'd get my version of SOAP::Lite a

            • well, since this version will run *fewer* methods (none outside the current package), perhaps it should be called SOAP::Lighter.

              When someone patches it to require the coder to register SOAP-accessible subs, it could be called SOAP::Lightest.

              eh?

              -matt

            • Re:Likewise named code on CPAN (Score:4, Interesting)

              by hfb (74) on 2002.04.10 14:59 (#6838) Homepage Journal

              Technically, you could do that but why be a buch of bastards? Any author can, at any time, upload any module as long as the distribution is not the exact same name as another. However, this is considered an act of assholery and at some point the module and possibly the author can and likely will be removed forcibly.

              Plan B would be to email the modules@cpan.org list and ask, politely, what they would advise as a course of action. This is a serious security flaw in a reasonably popular module so chances are good that, if Paul doesn't pitch up, something may be agreeably worked out.

              I wouldn't recommend doing the MARKF* solution as it's confusing to the end users and isn't the solution you ultimately want anyway.

              In short, don't shit in your messkit unless you are fully prepared to eat fecal casserole for dinner.

              • It's not a bad interim solution to such issues. You can delete your own stuff off of CPAN again, right?

                What you'd have to do is make sure that you're not going to overwrite the default install of a module. By this I mean that when someone types "install SOAP::Lite" they better not get your version by default - that would be really wrong and bad, and as hfb says right royally kicked off of the CPAN. Your fixed module should only be there for the people that know about it and need it by typing the right

          • You can upload yours as an experimental.
            I have a Net::Interface in my CPAN directoy,
            even though I am not the official developer.
            It appears to be abandonware and so I have
            made a few updates. People still manage
            to find and use it (probably more than my
            other things), and you could always *publicize*
            your version. It could then fade away gracefully
            when deprecated.

            I probably ought to look at snathcing Net::Interface, however I am not a C/XS
            programmer.
            --
            Were that I say, pancakes?
Stories, comments, journals, and other submissions on use Perl; are Copyright 1998-2006, their respective owners.