The short explanation: fcheck is a file integrity checker written in perl. It can send warnings to syslog via an external program such as logger(1). Because it calls system() with a scalar argument, a malicious user can cause it to execute programs by creating files with shell metacharacters in their names. Apply the attached patch to fix the problem and don't ever call system() with a scalar argument. The long explanation: fcheck is a file integrity checker written in perl. See http://securityfocus.com/templates/tools_search.html?query=fcheck&index=tools for a more detailed description and a download site. Version v.2.7.45 is vulnerable. Any older version which includes syslog logging is probably vulnerable as well. When called with the -l flag, fcheck sends warnings to syslog instead of stdout by calling a program defined in the fcheck configuration file. Unfortunately, the perl code looks like this: $cmd=sprintf("%s -t %s \"WARNING: File addition: [%s] %s [%s %s %s %s %s]\"\n", $Logger, $Me, $ThisHost, $Name, $Inode, &ShowPerms($Perms), $Size, &ctime($Time), $Name); system($cmd); Calling system() this way with a scalar argument rather than an array passes the contents of the variable to the system shell (e.g. /bin/sh -c), which interprets shell metacharacters. This isn't new, and it isn't a bug in perl. The behavior is well documented in the perlfunc man page. The impact is that if a malicious user can create files in a directory monitored by fcheck, and fcheck runs with the -l switch, the user can execute nearly arbitrary programs by using shell metacharacters in the filenames. Example: [matt@shai-hulud /home/public]$ touch 'blah`touch exploit`' [matt@shai-hulud /home/public]$ ls -l '/home/public/blah`touch exploit`' -rw-r--r-- 1 matt wheel 0 Mar 3 21:17 /home/public/blah`touch exploit` After running ./fcheck -asl as root from /usr/local/fcheck, I see this in /var/log/messages (note that the end of the filename is missing): Mar 4 03:24:22 shai-hulud fcheck: WARNING: File addition: [shai-hulud.telepath.com] /home/public/ [464662 -rw-r--r-- 0 Mar 04 03:18 2000 /home/public/blah] And here's the result of the command execution: -rw-r--r-- 1 root wheel 0 Mar 3 21:24 /usr/local/fcheck/exploit To resolve the problem, apply the attached patch, which alters the code like so: $warning=sprintf("\"WARNING: File addition: [%s] %s [%s %s %s %s %s]\"", $ThisHost, $Name, $Inode, &ShowPerms($Perms), $Size, &ctime($Time), $Name); system($Logger, "-t", $Me, $warning); I notified the author of the problem about a month ago, but after first insisting that double quotes disarm metacharacters and then that it's impossible to create a file with backticks in its name, he stopped responding to my emails. Go figure. OBRant: Ladies and gentlemen, there's a little lost puppy out there in the cold rain scratching on your back door, and the tag on its collar says "Security." Are we going to swat this puppy on the nose with the rolled up newspaper of bad programming habits? Or are we going to let it in, dry it off, feed it, and clean up the carpet when it craps all over the place? The decision is up to you, my friends, but I for one am heading to the store for some puppy chow and a pooperscooper. - Matt