Resending with the right email for andk, blame mst for that. On Mon, Jul 27, 2020 at 7:07 PM Ryan Voots <simcop2...@simcop2387.info> wrote:
> Not found by me but I'm not sure if anyone else has reported this yet. It was discussed in magnet#toolchain earlier today and brought forth by mst on who to contact about it.
>
> It looks like Module::AutoLoad is running malicious code fetched from http://r.cx/, it might have originally been non-malicious but it appears to either be some kind of rootkit or iphone jailbreak or something currently.
>
> The trigger itself seems to be this test running:
> https://metacpan.org/source/BBB/Module-AutoLoad-0.06/t/05_rcx.t
>
> This appears to have been known about for a few years by some people but it's the first I'm seeing about it:
> https://stackoverflow.com/questions/35212843/perl-understanding-botstrap
>
> Below is the entire conversation from IRC about the discovery
>
>
> adsf
> 18:17:47 < haarg> regarding potentially malicious code on cpan
> 18:17:49 < haarg> https://metacpan.org/source/BBB/Module-AutoLoad-0.06/t/05_rcx.t
> 18:18:40 < Grinnz> oh god
> 18:19:02 < haarg> let me know if you figure out what it does
> 18:19:17 < Grinnz> i've figured out enough to wonder what the fuck this is doing here
> 18:19:32 < ether> what it *wants* to do is take the location of the current .t file, go up one dir and find contrib/RCX.pl and then run that script
> 18:19:32 < haarg> it's like 5 steps of insanity, most of which involve evaling code read straight off a random internet server
> 18:19:45 < haarg> yeah, now look at that script
> 18:19:47 < Grinnz> ether: yeah that script is where the scary part starts
> 18:20:26 * ether ಠ_ಠ
> 18:20:27 < Grinnz> also: 82.46.99.88.":1"
> 18:20:43 < Grinnz> ... this is concatenating a vstring with a string
> 18:20:48 < Grinnz> how would that ever work
> 18:21:14 < ether> I wonder what used to be at 82.46.99.88
> 18:22:09 < haarg> https://perlbot.pl/p/1133d2
> 18:22:29 < ether> he's up front about it being black magic in the docs
> 18:22:35 < ether> but this shit should have never been put on cpan
> 18:22:55 < Grinnz> "botstrap" is also cute
> 18:23:03 < haarg> it's not just "black magic" it's "active remote exploit"
> 18:23:52 < Grinnz> mst / klapperl ^
> 18:24:06 < haarg> this is the eval: https://perlbot.pl/p/ui358q
> 18:24:12 < veesh> wow, that is not acceptable
> 18:24:17 < haarg> the unpack i mean
> 18:25:24 < haarg> next step: https://perlbot.pl/p/o1lk67
> 18:26:15 < haarg> next step: https://perlbot.pl/p/gkoxmt
> 18:26:52 < Grinnz> fyi that has been there since the first release of that dist in 2011
> 18:27:10 < Grinnz> though with different ips
> 18:30:03 < ether> 82.46.99.88.":1" = R.cX:1
> 18:30:11 < Grinnz> oh dear god
> 18:30:22 < Grinnz> so it's a vstring and not an ip at all
> 18:30:23 < ether> what does IO::Socket::INET do with that? is :1 a port number?
> 18:30:26 < Grinnz> yes
> 18:30:49 < ether> I missed haarg's first paste, https://perlbot.pl/p/1133d2 - that makes it more clear :)
> 18:30:56 < ether> jfc
> 18:31:08 < ether> burn it with fire
> 18:31:29 < haarg> i haven't traced the next step because it's pain to decode without running the whole thing
> 18:33:07 < veesh> https://stackoverflow.com/questions/35212843/perl-understanding-botstrap
> 18:35:21 < ether> I wonder if those guys ever did report this to modules@perl.org
> 18:35:25 < ether> narrator: they did not.
> 18:36:12 < ether> I don't see how r.cx could have been hacked and these eval chains still work
> 18:36:17 < ether> therefore, this was all intentional
> 18:36:29 < ether> burn it all down and bury this guy at sea
> 18:36:42 < ether> mst: would you agree?
> 18:38:44 < veesh> i just noticed now that the OP on the SO question was asking how to port the code to python
> 18:39:00 < veesh> i'm glad that all those people left perl 20 years ago
> 18:43:10 * Grinnz commented on the SO answer with some non-malicious solutions to this problem
> 18:44:59 * ether flagged for moderator attention to get it taken down
> 18:45:56 < haarg> i'm not having any luck tracing what the code does further than what i posted so far
> 18:46:07 < haarg> i need a VM or something
> 18:47:11 < veesh> docker sounds like a good choice?
> 18:47:20 < Grinnz> sounds like a job for simcop2387
> 18:57:15 < ether> I tried searching for those tags - SHAtter GreenPois0n @GeoHot - but got lost in a spiral of l33tsp33k and had to lie down
> 19:03:01 -!- Pali [~p...@ip-89-102-255-175.net.upcbroadband.cz] has quit [Ping timeout: 360 seconds]
> 19:03:15 -!- brunoramos_ [~brunoramo@94.252.122.216] has joined #toolchain
> 19:05:55 -!- brunoramos [~brunoramo@94.252.122.22] has quit [Ping timeout: 360 seconds]
> 19:05:55 -!- brunoramos_ is now known as brunoramos
> 19:35:45 < Grinnz> http://neilb.org/2020/07/24/inconsistent-permissions.html - looks like the usual use of AUTHORITY is done by default now, neat
> 19:35:46 < dipsy> [ Inconsistent permissions on CPAN modules ]
> 19:35:49 < simcop2387> Grinnz: haarg: hrm?
> 19:36:20 < Grinnz> simcop2387: attempting to figure out what some malicious code does
> 19:36:58 < simcop2387> oh fun, yea the pastebin is hopefully nice for that, but it's one reason why i refuse to do a full cpan test run until i get a proper sandbox for it setup
> 19:38:30 < simcop2387> it looks almost like the EFI stuff in modern UEFI systems? like it's trying to load something into the vars there?
> 19:38:48 < simcop2387> or maybe it's just pretending to do so
> 19:39:34 < stigo> seems like a distraction to me, GreenPois0n pops up an old ios jailbreak for instance.
> 19:40:16 < simcop2387> yea after reading the rest of the links it looks like it's loading an iphone jail break of some kind. possibly to infect any attached devices
> 19:40:32 < Grinnz> it seems to me like the guy typed in "how to rootkit for noobs" in google and attached his code to that
> 19:40:47 < simcop2387> maybe
> 19:43:29 < stigo> almost like a ctf, interesting that r.cx:1 doesn't close the socket after delivering the first code part.
> 19:52:57 < stigo> some of r.cx's zone file: https://tpaste.us/ql09
> 20:17:25 < stigo> aha, this seems to be the tool used: http://www.perlobfuscator.com
> 20:17:26 < dipsy> [ Free Perl Obfuscator ]
> 20:23:20 < Grinnz> oh god
> 20:24:27 -!- haj [~thunde...@ip5f5ac614.dynamic.kabel-deutschland.de] has quit [Quit: haj]
> 20:27:21 < mohawk> at the bottom it offers a de-obfuscator
> 20:43:55 < simcop2387> stigo++
> 21:40:17 < mst> yeah, somebody email mod...@perl.org, klapp...@cpan.org please
> 21:41:13 < simcop2387> if no one has done it yet, i'll do it shortly.
> 21:41:20 < mst> cheers
> 21:41:31 < simcop2387> i need to do some dishes and hand feed the cat first though
> 21:41:34 < mst> up to eyeballs in something else, would prefer somebody who was paying attention to do so
> 21:41:40 < mst> aye, fair