
Re: Malicious module on CPAN

From:
Ryan Voots
Date:
July 28, 2020 03:53
Subject:
Re: Malicious module on CPAN
Message ID:
CA+sVJXk59WQg=Mj7QsNYiy_XiTjzOycmvfNgtOpfTEP=1AUCCw@mail.gmail.com
Resending with the right email for andk, blame mst for that.

On Mon, Jul 27, 2020 at 7:07 PM Ryan Voots <simcop2387@simcop2387.info>
wrote:

> Not found by me but I'm not sure if anyone else has reported this yet.  It
> was discussed in magnet#toolchain earlier today and brought forth by mst on
> who to contact about it.
>
> It looks like Module::AutoLoad is running malicious code fetched from
> http://r.cx/, it might have originally been non-malicious but it appears
> to either be some kind of rootkit or iphone jailbreak or something
> currently.
>
> The trigger itself seems to be this test running:
> https://metacpan.org/source/BBB/Module-AutoLoad-0.06/t/05_rcx.t
>
> This appears to have been known about for a few years by some people but
> it's the first I'm seeing about it:
> https://stackoverflow.com/questions/35212843/perl-understanding-botstrap
>
> Below is the entire conversation from IRC about the discovery
>
>
> adsf
> 18:17:47 < haarg> regarding potentially malicious code on cpan
> 18:17:49 < haarg>
> https://metacpan.org/source/BBB/Module-AutoLoad-0.06/t/05_rcx.t
> 18:18:40 < Grinnz> oh god
> 18:19:02 < haarg> let me know if you figure out what it does
> 18:19:17 < Grinnz> i've figured out enough to wonder what the fuck this is
> doing here
> 18:19:32 < ether> what it *wants* to do is take the location of the
> current .t file, go up one dir and find contrib/RCX.pl and then run that
> script
> 18:19:32 < haarg> it's like 5 steps of insanity, most of which involve
> evaling code read straight off a random internet server
> 18:19:45 < haarg> yeah, now look at that script
> 18:19:47 < Grinnz> ether: yeah that script is where the scary part starts
> 18:20:26  * ether ಠ_ಠ
> 18:20:27 < Grinnz> also: 82.46.99.88.":1"
> 18:20:43 < Grinnz> ... this is concatenating a vstring with a string
> 18:20:48 < Grinnz> how would that ever work
> 18:21:14 < ether> I wonder what used to be at 82.46.99.88
> 18:22:09 < haarg> https://perlbot.pl/p/1133d2
> 18:22:29 < ether> he's up front about it being black magic in the docs
> 18:22:35 < ether> but this shit should have never been put on cpan
> 18:22:55 < Grinnz> "botstrap" is also cute
> 18:23:03 < haarg> it's not just "black magic" it's "active remote exploit"
> 18:23:52 < Grinnz> mst / klapperl ^
> 18:24:06 < haarg> this is the eval: https://perlbot.pl/p/ui358q
> 18:24:12 < veesh> wow, that is not acceptable
> 18:24:17 < haarg> the unpack i mean
> 18:25:24 < haarg> next step: https://perlbot.pl/p/o1lk67
> 18:26:15 < haarg> next step: https://perlbot.pl/p/gkoxmt
> 18:26:52 < Grinnz> fyi that has been there since the first release of that
> dist in 2011
> 18:27:10 < Grinnz> though with different ips
> 18:30:03 < ether> 82.46.99.88.":1" = R.cX:1
> 18:30:11 < Grinnz> oh dear god
> 18:30:22 < Grinnz> so it's a vstring and not an ip at all
> 18:30:23 < ether> what does IO::Socket::INET do with that? is :1 a port
> number?
> 18:30:26 < Grinnz> yes
> 18:30:49 < ether> I missed haarg's first paste,
> https://perlbot.pl/p/1133d2 - that makes it more clear :)
> 18:30:56 < ether> jfc
> 18:31:08 < ether> burn it with fire
> 18:31:29 < haarg> i haven't traced the next step because it's pain to
> decode without running the whole thing
> 18:33:07 < veesh>
> https://stackoverflow.com/questions/35212843/perl-understanding-botstrap
> 18:35:21 < ether> I wonder if those guys ever did report this to
> modules@perl.org
> 18:35:25 < ether> narrator: they did not.
> 18:36:12 < ether> I don't see how r.cx could have been hacked and these
> eval chains still work
> 18:36:17 < ether> therefore, this was all intentional
> 18:36:29 < ether> burn it all down and bury this guy at sea
> 18:36:42 < ether> mst: would you agree?
> 18:38:44 < veesh> i just noticed now that the OP on the SO question was
> asking how to port the code to python
> 18:39:00 < veesh> i'm glad that all those people left perl 20 years ago
> 18:43:10  * Grinnz commented on the SO answer with some non-malicious
> solutions to this problem
> 18:44:59  * ether flagged for moderator attention to get it taken down
> 18:45:56 < haarg> i'm not having any luck tracing what the code does
> further than what i posted so far
> 18:46:07 < haarg> i need a VM or something
> 18:47:11 < veesh> docker sounds like a good choice?
> 18:47:20 < Grinnz> sounds like a job for simcop2387
> 18:57:15 < ether> I tried searching for those tags - SHAtter GreenPois0n
> @GeoHot - but got lost in a spiral of l33tsp33k and had to lie down
> 19:03:01 -!- Pali [~pali@ip-89-102-255-175.net.upcbroadband.cz] has quit
> [Ping timeout: 360 seconds]
> 19:03:15 -!- brunoramos_ [~brunoramo@94.252.122.216] has joined #toolchain
> 19:05:55 -!- brunoramos [~brunoramo@94.252.122.22] has quit [Ping
> timeout: 360 seconds]
> 19:05:55 -!- brunoramos_ is now known as brunoramos
> 19:35:45 < Grinnz>
> http://neilb.org/2020/07/24/inconsistent-permissions.html - looks like
> the usual use of AUTHORITY is done by default now, neat
> 19:35:46 < dipsy> [ Inconsistent permissions on CPAN modules ]
> 19:35:49 < simcop2387> Grinnz: haarg: hrm?
> 19:36:20 < Grinnz> simcop2387: attempting to figure out what some
> malicious code does
> 19:36:58 < simcop2387> oh fun, yea the pastebin is hopefully nice for
> that, but it's one reason why i refuse to do a full cpan test run until i
> get a proper sandbox for it setup
> 19:38:30 < simcop2387> it looks almost like the EFI stuff in modern UEFI
> systems? like it's trying to load something into the vars there?
> 19:38:48 < simcop2387> or maybe it's just pretending to do so
> 19:39:34 < stigo> seems like a distraction to me, GreenPois0n pops up an
> old ios jailbreak for instance.
> 19:40:16 < simcop2387> yea after reading the rest of the links it looks
> like it's loading an iphone jail break of some kind.  possibly to infect
> any attached devices
> 19:40:32 < Grinnz> it seems to me like the guy typed in "how to rootkit
> for noobs" in google and attached his code to that
> 19:40:47 < simcop2387> maybe
> 19:43:29 < stigo> almost like a ctf, interesting that r.cx:1 doesn't
> close the socket after delivering the first code part.
> 19:52:57 < stigo> some of r.cx's zone file: https://tpaste.us/ql09
> 20:17:25 < stigo> aha, this seems to be the tool used:
> http://www.perlobfuscator.com
> 20:17:26 < dipsy> [ Free Perl Obfuscator ]
> 20:23:20 < Grinnz> oh god
> 20:24:27 -!- haj [~Thunderbi@ip5f5ac614.dynamic.kabel-deutschland.de] has
> quit [Quit: haj]
> 20:27:21 < mohawk> at the bottom it offers a de-obfuscator
> 20:43:55 < simcop2387> stigo++
> 21:40:17 < mst> yeah, somebody email module@perl.org, klapperl@cpan.org
> please
> 21:41:13 < simcop2387> if no one has done it yet, i'll do it shortly.
> 21:41:20 < mst> cheers
> 21:41:31 < simcop2387> i need to do some dishes and hand feed the cat
> first though
> 21:41:34 < mst> up to eyeballs in something else, would prefer somebody
> who was paying attention to do so
> 21:41:40 < mst> aye, fair
>

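The vstring trick the log decodes by hand (82.46.99.88 is chr(82).chr(46).chr(99).chr(88), i.e. "R.cX", so 82.46.99.88.":1" is the host:port "R.cX:1") can be checked mechanically when reviewing a distribution. The scanner below is an added illustration written for this note, not code from the thread or from the Module::AutoLoad distribution; the Perl snippet it scans is constructed to mirror the literal quoted above, and the regex is a heuristic, not a Perl parser.

```python
import re

# A bare dotted literal with three or more integer parts is a Perl vstring:
# 82.46.99.88 means chr(82).chr(46).chr(99).chr(88) == "R.cX". The lookbehind
# skips identifiers, sigils, a preceding dot and opening quotes, so a real IP
# inside a quoted string and $VERSION-style names are not candidates.
VSTRING_RE = re.compile(r'(?<![\w.$@%"\'])\d+(?:\.\d+){2,}')


def decode_vstring(literal):
    """Return the characters a Perl vstring literal such as 82.46.99.88 denotes."""
    return "".join(chr(int(part)) for part in literal.split("."))


def is_printable_ascii(text):
    """True when every character is in the printable ASCII range 0x20..0x7E."""
    return all(32 <= ord(c) < 127 for c in text)


def find_hidden_strings(perl_source):
    """Return (line_no, literal, decoded) for vstrings that decode to text.

    Ordinary version literals such as 1.2.3 decode to control characters and
    are left alone; a literal that spells printable text (here a hostname that
    is then concatenated with a port suffix) is reported for manual review.
    """
    hits = []
    for line_no, line in enumerate(perl_source.splitlines(), start=1):
        for match in VSTRING_RE.finditer(line):
            decoded = decode_vstring(match.group(0))
            if is_printable_ascii(decoded):
                hits.append((line_no, match.group(0), decoded))
    return hits


# Constructed sample mirroring the literal discussed in the thread; it is not
# the contents of the distribution's test file or contrib script.
SAMPLE_PERL = """\
use IO::Socket::INET;
our $VERSION = 1.2.3;
my $real_ip = "82.46.99.88";
my $peer = 82.46.99.88.":1";
my $sock = IO::Socket::INET->new(PeerAddr => $peer);
"""

if __name__ == "__main__":
    for line_no, literal, decoded in find_hidden_strings(SAMPLE_PERL):
        print(f"line {line_no}: {literal} decodes to {decoded!r}")
```

Running it against the sample reports only line 4, since 1.2.3 decodes to control characters and the quoted IP on line 3 is a string, not a vstring.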