Fcheck Security Utility May Execute Arbitrary Commands Supplied By Local Users
SecurityTracker Alert ID: 1001140
SecurityTracker URL: http://securitytracker.com/id/1001140
Date: Mar 22 2001
Execution of arbitrary code via local system
Exploit Included: Yes
Version(s): probably all versions prior to 2.07.59
Local users can cause fcheck to execute arbitrary code. Fcheck is a freeware intrusion detection, policy enforcement, and auditing software package written in Perl.
A local user can place a carefully crafted filename in a directory checked by fcheck that will cause commands to be executed with the privileges of the user running fcheck.
An open() statement is used with the '|' character causing some of the filename string to be interpolated, then sent to a command interpreter (a shell, such as sh, csh or bash) for execution.
The affected code is described in detail in the source message.
A local user can cause fcheck to execute commands with the privileges of the user running fcheck.
No solution was available at the time of this entry. The author of the source message makes some recommendations (see the source message).
Vendor URL: www.geocities.com/fcheck2000/
Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Source Message Contents
Subject: fcheck prior to 2.07.59 - vulnerability - improper use of perl
VULNERABLE: Probably all versions prior to 2.07.59 - the author of fcheck
can't be bothered to note security fixes in his change log, but most
likely all prior versions had this vulnerability.
Vulnerability: by placing a carefully crafted filename in a directory
checked by vulnerable versions of fcheck, commands can be executed with
the rights of the user running fcheck.
fcheck is a "poor man's tripwire" - it is a file integrity checker written
To accomplish some functions, it uses external programs, such as md5,
md5sum and/or file.
These are accessed by issuing something on the order of:
open(IN, "$program_name '$filename' |");
$filesig = <IN>;
rest of the string to be interpolated, then sent to a command interpreter
(a shell, such as sh, csh or bash) for execution, with its output coupled
to the filehandle IN.
In the program under consideration, $program_name is under the control of
the person who configured fcheck (presumably root) but $filename can be the
name of any file placed into any directory which fcheck is instructed to
If one goes to a directory checked by fcheck and issues:
echo "test" >exploit\'\;\`touch\ blah\`\'
as written (this was tested on linux running bash), then runs fcheck, you
will find that the file named blah has been created because the command
'touch blah' contained in the filename created above was executed. (Using
the echo, rather than just touch'ing the file is needed because fcheck
doesn't run the signatures on zero length files.)
So if this is run by root, but checks files/directories writable by other than
root, using the -s switch or checking files which cause the external
$Filefunc command to be used, a problem exists.
The workaround, implemented in good version(s), is to do the following:
therefore the interpretation of the metacharacters.
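
Added example (not part of the advisory or the source message, and not fcheck's own code or its actual fix): the string-form pipe open described above next to Perl's list-form pipe open, which starts the program without a shell so the filename arrives as a single argument. It assumes a Unix-like system with md5sum on PATH; the sub names and the temporary directory are made up for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not fcheck code. Assumes a Unix-like system with md5sum on PATH.
use strict;
use warnings;
use File::Temp qw(tempdir);

my $program = 'md5sum';   # assumption: stands in for fcheck's configured signature program
my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir $dir: $!";

# Constructed test file, named as in the source message's demonstration.
# It must be non-empty, as the message notes.
my $filename = "exploit';`touch blah`'";
open(my $out, '>', $filename) or die "create: $!";
print $out "test\n";
close $out;

# Pattern from the advisory: one string ending in '|' is handed to a shell,
# so quotes, ';' and backticks inside the filename are interpreted.
sub sig_via_shell {
    my ($prog, $file) = @_;
    open(my $in, "$prog '$file' |") or return;
    my $sig = <$in>;
    close $in;
    return $sig;
}

# List form: Perl forks and execs $prog directly; $file is one argv entry
# and no shell ever parses it. '--' keeps a leading '-' from being read as
# an option.
sub sig_via_list {
    my ($prog, $file) = @_;
    open(my $in, '-|', $prog, '--', $file) or return;
    my $sig = <$in>;
    close $in;
    return $sig;
}

sig_via_shell($program, $filename);   # the shell also prints errors to stderr
print "shell form: blah ", (-e 'blah' ? "was created\n" : "not created\n");
unlink 'blah';

my $sig = sig_via_list($program, $filename);
print "list form:  blah ", (-e 'blah' ? "was created\n" : "not created\n");
print "signature:  ", defined $sig ? $sig : "(none)\n";
chdir '/';   # leave the temporary directory so it can be cleaned up
```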