fcheck v.2.7.45 and insecure use of Perl's system()

[matt () TELEPATH COM (Matt Carothers)]

The short explanation:

fcheck is a file integrity checker written in perl.  It can send
warnings to syslog via an external program such as logger(1).  Because
it calls system() with a scalar argument, a malicious user can cause it
to execute programs by creating files with shell metacharacters in their
names.  Apply the attached patch to fix the problem and don't ever call
system() with a scalar argument.

The long explanation:

fcheck is a file integrity checker written in perl.  See
http://securityfocus.com/templates/tools_search.html?query=fcheck&index=tools
for a more detailed description and a download site.

Version v.2.7.45 is vulnerable.  Any older version which includes syslog
logging is probably vulnerable as well.

When called with the -l flag, fcheck sends warnings to syslog instead of
stdout by calling a program defined in the fcheck configuration file.
Unfortunately, the perl code looks like this:

        $cmd=sprintf("%s -t %s \"WARNING: File addition: [%s] %s  [%s  %s %s  %s  %s]\"\n",
                $Logger, $Me, $ThisHost, $Name, $Inode, &ShowPerms($Perms),
                $Size, &ctime($Time), $Name);
        system($cmd);

Calling system() this way with a scalar argument rather than an array
passes the contents of the variable to the system shell (e.g. /bin/sh -c),
which interprets shell metacharacters.  This isn't new, and it isn't a
bug in perl.  The behavior is well documented in the perlfunc man page.

The impact is that if a malicious user can create files in a directory
monitored by fcheck, and fcheck runs with the -l switch, the user can
execute nearly arbitrary programs by using shell metacharacters in the
filenames.

Example:

[matt@shai-hulud /home/public]$ touch 'blah`touch exploit`'
[matt@shai-hulud /home/public]$ ls -l '/home/public/blah`touch exploit`'
-rw-r--r--  1 matt  wheel  0 Mar  3 21:17 /home/public/blah`touch exploit`

After running ./fcheck -asl as root from /usr/local/fcheck, I see this in
/var/log/messages (note that the end of the filename is missing):

Mar  4 03:24:22 shai-hulud fcheck: WARNING: File addition: [shai-hulud.telepath.com] /home/public/  [464662  -rw-r--r-- 
 0  Mar 04 03:18 2000  /home/public/blah]

And here's the result of the command execution:

-rw-r--r--  1 root  wheel  0 Mar  3 21:24 /usr/local/fcheck/exploit

To resolve the problem, apply the attached patch, which alters the code
like so:

        $warning=sprintf("\"WARNING: File addition: [%s] %s  [%s  %s  %s  %s %s]\"",
                $ThisHost, $Name, $Inode, &ShowPerms($Perms), $Size,
                &ctime($Time), $Name);
        system($Logger, "-t", $Me, $warning);

I notified the author of the problem about a month ago, but after first
insisting that double quotes disarm metacharacters and then that it's
impossible to create a file with backticks in its name, he stopped
responding to my emails.  Go figure.

OBRant:

Ladies and gentlemen, there's a little lost puppy out there in the cold
rain scratching on your back door, and the tag on its collar says "Security."
Are we going to swat this puppy on the nose with the rolled up newspaper of
bad programming habits?  Or are we going to let it in, dry it off, feed it,
and clean up the carpet when it craps all over the place?  The decision is
up to you, my friends, but I for one am heading to the store for some puppy
chow and a pooperscooper.

- Matt

<HR NOSHADE>
<UL>
<LI>TEXT/PLAIN attachment: fcheck.patch
</UL>