use Perl

All the Perl that's Practical to Extract and Report

Serious SOAP::Lite Security Hole Discovered
posted by ziggy on 2002.04.08 19:00   
Module News
IlyaM writes "About four months ago there was a Phrack article named RPC without borders which describes a quite serious security hole in the SOAP::Lite module. In short, SOAP::Lite allows calling any Perl subroutine on the side of a SOAP::Lite based server. Strangely enough it has gone mostly unnoticed and it hasn't been fixed. I've tried to research it further and wrote a simple exploit which instantly gives remote shell access to the computer which runs a SOAP::Lite based server. It took me less than two hours to write this exploit. So assuming that the security hole in SOAP::Lite has been known for a very long time, there is no reason to think that nobody else (i.e. blackhats) has done it."

This is a big one, and relates to how SOAP::Lite dispatches method calls at runtime, and how Perl executes dynamic method calls. The very best thing you can do is take down your SOAP servers until an update is available.

 

 
    Calling all programmers. (Score:4, Insightful)
    by cwest (1514) on 2002.04.08 19:54 (#6775)
    ( http://caseywest.com/ | Last Journal: 2003.12.10 16:15 )
    I would like to urge anyone with a few spare tuits to get on the soap-lite [perl.org] mailing list, download a copy of the latest sources [soaplite.com] and have a crack at this thing. SOAP and SOAP::Lite are both very popular and used by many people and companies. Paul has done lots and lots of great work by providing us with SOAP::Lite, let's give him some help as a community. Thanks to the wonders of wireless, I'm downloading the source from the "throne" right now. I urge you all to do the same.
    Casey West
  • Re:Calling all programmers. by barryp (Score:2) 2002.04.09 3:34
  • XMLRPC::Lite, possibly Frontier::RPC (Score:3, Informative)
    by rjray (1649) on 2002.04.09 2:07 (#6779)
    ( http://www.rjray.org/ | Last Journal: 2003.09.16 17:57 )

    Part of the reason I wrote my RPC::XML at all was because I wasn't comfortable with the way that Frontier::RPC published functions simply by "redirecting" calls to a specified package name-space. I don't know that it would be vulnerable, but I suspect it probably is. I was also bothered by this aspect of SOAP::Lite when I started using it as well, but I lacked the bandwidth to try and roll my own on that count. I feel pretty certain (though not 100%) that the server classes in RPC::XML are not vulnerable to this. I don't route incoming calls to an arbitrary namespace, I use a method-table. If you don't have an engraved invitation, you don't get to dance.

    So I'm doing the next best thing... joined up on the soaplite mailing list, am printing out the phrack article, and have in hand a sample exploit script Ilya was kind enough to send me. Looking forward to comparing notes with you guys tomorrow...

    --rjray


  • Re:XMLRPC::Lite, possibly Frontier::RPC by rjray (Score:2) 2002.04.09 13:55
  • Patch (Score:3, Insightful)
    by IlyaM (2933) <ilya@martynov.org> on 2002.04.09 13:37 (#6793)
    ( http://martynov.org/ | Last Journal: 2003.12.01 10:30 )
    I've posted a patch [yahoo.com] on the soaplite mailing list which should fix the worst problem with SOAP::Lite. That is the ability to call any Perl subroutine using fully qualified package names.

    --
    Ilya Martynov (http://martynov.org/ [martynov.org])

    SOAP::Lite (Score:2, Interesting)
    by TorgoX (1933) <sburkeNO@SPAMcpan.org> on 2002.04.09 21:50 (#6806)
    ( http://search.cpan.org/~sburke/ | Last Journal: 2003.12.10 5:04 )
    Everyone makes mistakes, but I'm astonished at Kulchenko (the SOAP::Lite author) for letting this one happen. It's appalling!

    NOTE TO SELF: When a user (especially an untrusted one!) gives you data that you expect to be in a particular format, CHECK THAT IT IS IN THAT FORMAT, FOR CHRISSAKES!

    This whole thing would have been avoided if anyone had had, earlier on, the wits to do what Ilya M did, basically die "BAD JUJU" unless m/\A[a-zA-Z][a-zA-Z_0-9]*\z/

    I say that unless Kulchenko shows up and immediately releases a fix version (MONTHS after this was mentioned in Phrack), he doesn't get to own that module in CPAN anymore, and ownership gets transferred immediately to someone else, so it can be patched RIGHT NOW! Letting this error get in was incompetence but letting it persist is deliberate negligence.

    Re:SOAP::Lite (Score:4, Insightful)
    by jesse (2531) on 2002.04.09 23:55 (#6808)
    ( Last Journal: 2003.07.03 16:44 )
    Of course that leads into the discussion about how CPAN is a relative anarchy. SOAP::Lite is a namespace that pavel has registered and "owns". I've never seen anything that says there's a requirement that you have to maintain your code well to get a namespace registration and upload it to CPAN. Personally, I'd love to see a tiered structure, as has been previously proposed, with "standard" modules that are maintained and managed as a standard library, "optional" modules with a refereed namespace and some level of QA and then the third tier free for all, which we all know and love. But yeah, we need a more general way for dealing with major security holes in popular modules.
  • Re:SOAP::Lite by jjohn (Score:1) 2002.04.10 10:34
  • Re:SOAP::Lite (Score:4, Informative)
    by paulclinger (1709) on 2002.04.10 20:29 (#6850)
    > but I'm astonished at Kulchenko (the SOAP::Lite author) for letting this one happen.
    I'm with you. I'm also astonished to find that it happened.

    > CHECK THAT IT IS IN THAT FORMAT, FOR CHRISSAKES!
    It's expected to be in that format. The reason for the problem is that the method name wasn't verified against the list of allowed methods when *the class name is on the list of allowed classes*.

    > MONTHS after this was mentioned in Phrack
    Do you read Phrack daily? I don't read it at all. Randall brought it to my attention some time ago, and I was surprised to find later that it was discussed on perlmonks and nobody told me about that discussion. Unfortunately with my schedule I'm only an occasional reader of use.perl, perlmonks and other perl sites.

    > and ownership gets transferred immediately to someone else
    Even though there is no such procedure, I wouldn't mind knowing more about the person who would like to take this ownership.

    I'm not trying to downplay the issue. It's my fault. In addition to that, it's probably the worst time for releasing a new version: I'm moving and have all my computers packed and shipped. I do have copies and the repository with me, however I don't have my testing environment and only sporadic online access in my hotel. Still I plan to release a bugfix by the next week. If you don't think it's reasonable, let me know.

    Best wishes, Paul.
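    The mechanism behind ziggy's "how Perl executes dynamic method calls", Paul's explanation of the unchecked method name, TorgoX's regex and rjray's method table, shown together in one added example. This is illustration code written for this page, not SOAP::Lite's source or Ilya's patch; the package names Calc and Internal, the two dispatch_* subs and the request data are all assumptions. The point it demonstrates is a documented Perl behaviour: a method name containing "::" in $obj->$method is treated as fully qualified, so the named subroutine is called directly and the class whitelist is never consulted.

```perl
#!/usr/bin/perl
# Added illustration, not SOAP::Lite's code: a toy RPC dispatcher that only
# whitelists the class, beside a hardened one that also validates the method.
use strict;
use warnings;

# A service class the server intends to expose (assumed name).
package Calc;
sub add { my ($class, $x, $y) = @_; return $x + $y; }
sub mul { my ($class, $x, $y) = @_; return $x * $y; }

# A sub that is never meant to be reachable from the network (assumed name).
# It stands in for any subroutine loaded in the server process.
package Internal;
sub dangerous { my ($class, @args) = @_; return "Internal::dangerous ran with (@args)"; }

package main;

my %allowed_classes = (Calc => 1);

# Vulnerable shape: the class is checked, the method name is not.  Perl treats
# a method name containing '::' as fully qualified, so $class->$method with
# $method = 'Internal::dangerous' calls Internal::dangerous('Calc', @args)
# and never looks at Calc at all.
sub dispatch_vulnerable {
    my ($class, $method, @args) = @_;
    die "class $class not allowed\n" unless $allowed_classes{$class};
    return $class->$method(@args);
}

# Hardened shape: a method table per class (rjray's approach) plus the
# bare-identifier regex TorgoX quotes, which rejects any '::' outright.
my %method_table = (Calc => { add => 1, mul => 1 });

sub dispatch_hardened {
    my ($class, $method, @args) = @_;
    die "class $class not allowed\n" unless exists $method_table{$class};
    die "bad method name '$method'\n" unless $method =~ /\A[a-zA-Z][a-zA-Z_0-9]*\z/;
    die "method $class->$method not allowed\n" unless $method_table{$class}{$method};
    return $class->$method(@args);
}

# Run one request through a dispatcher and turn a die into a readable string.
sub try_call {
    my ($dispatcher, @request) = @_;
    my $result = eval { $dispatcher->(@request) };
    return $result if defined $result;
    chomp(my $err = $@);
    return "rejected ($err)";
}

# Constructed requests: one legitimate, one carrying a fully qualified name
# in the method field, which is what the attacker-controlled request does.
my @requests = (
    ['Calc', 'add',                 2, 3],
    ['Calc', 'Internal::dangerous', 'payload'],
);

for my $r (@requests) {
    my ($class, $method) = @$r;
    printf "%-26s vulnerable: %s\n", "$class->$method", try_call(\&dispatch_vulnerable, @$r);
    printf "%-26s hardened:   %s\n", "$class->$method", try_call(\&dispatch_hardened,   @$r);
}
```

    Running it shows both dispatchers answering the Calc->add request, while the second request reaches Internal::dangerous through the vulnerable dispatcher and is refused by the hardened one at the regex check. Either defence alone closes this particular hole, since the regex forbids "::" and the table forbids names it does not list; using both means a later change to one check does not silently reopen the other path.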
    This is news? (Score:3, Insightful)
    by samtregar (2699) on 2002.04.09 23:50 (#6807)
    ( http://sam.tregar.com/ | Last Journal: 2003.11.13 18:10 )
    Last I heard Paul had a patch ready to go for the next release.

    And while I'm posting mad, anyone that thought it was secure to run a public SOAP service on the Internet should get off the pipe. Vilifying Paul for the total lack of security in SOAP is not cool. Yeah, sure, it was a bug in his code but everybody's code has bugs. If SOAP had a real security layer this kind of thing would be much less likely.

    -sam

  • Re:This is news? by koschei (Score:1) 2002.04.10 0:24
  • Re:This is news? by samtregar (Score:3) 2002.04.10 1:29
  • Re:This is news? by koschei (Score:1) 2002.04.10 1:39
  • Likewise named code on CPAN by 2shortplanks (Score:2) 2002.04.10 4:09
  • Re:Likewise named code on CPAN by wickline (Score:2) 2002.04.10 6:31
  • Re:Likewise named code on CPAN by koschei (Score:2) 2002.04.10 8:48
  • Re:Likewise named code on CPAN by hfb (Score:2) 2002.04.10 13:52
  • Re:Likewise named code on CPAN (Score:4, Interesting)
    by hfb (74) on 2002.04.10 13:59 (#6838)
    ( Last Journal: 2002.02.25 16:47 )

    Technically, you could do that but why be a bunch of bastards? Any author can, at any time, upload any module as long as the distribution is not the exact same name as another. However, this is considered an act of assholery and at some point the module and possibly the author can and likely will be removed forcibly.

    Plan B would be to email the modules@cpan.org list and ask, politely, what they would advise as a course of action. This is a serious security flaw in a reasonably popular module so chances are good that, if Paul doesn't pitch up, something may be agreeably worked out.

    I wouldn't recommend doing the MARKF* solution as it's confusing to the end users and isn't the solution you ultimately want anyway.

    In short, don't shit in your messkit unless you are fully prepared to eat fecal casserole for dinner.


  • Re:Likewise named code on CPAN by 2shortplanks (Score:2) 2002.04.11 4:05
  • Re:This is news? by belg4mit (Score:2) 2002.04.11 11:40
    Stories, comments, journals, and other submissions on use Perl; are Copyright 1998-2004, their respective owners.