Date: Tue, 6 Feb 2001 22:53:27 -0800
From: "samy [CommPort5]" <CommPort5@LUCIDX.COM>
Subject: Infobot 0.44.5.3/below remotely vulnerable (also in FreeBSD ports)
To: BUGTRAQ@SECURITYFOCUS.COM

Advisory: Infobot 0.44.5.3 and below vulnerability [Hack-X]

This version and earlier versions were also released into the FreeBSD ports tree. Currently there is no patched version, even though I emailed the author over a month ago about this and emailed the development list over a week ago; they said it would be fixed immediately, although it still isn't. A patch follows below.

Author: samy [CommPort5@LucidX.com]
Special thanks to zsvx for helping find this problem and testing it on multiple infobots.

I. Background

Infobot is an IRC bot written in Perl for information retrieval and storage, along with channel management and many other useful tasks.

II. Problem Description

Infobot has a 'fortran math' section that is used by the 'calc' command via IRC. If someone were to message the bot (privately or in a channel) with 'calc 1+1' (assuming fortran math is enabled in the config file), the bot would return '2'.

The problem is the way this function works. It uses open() to run `bc`, which does the actual math. The original code was

    open(P, "echo $parm|bc 2>&1 |");

which allowed someone to use |'s to escape the echo and run anything through open(). Whitespace is eliminated from user input in fortran math, though, so this rules out a lot of possibilities.

They soon fixed this bug with

    open(P, "echo '$parm'|bc 2>&1 |");

This only opened up another hole. A user is now able to escape the echo by using single quotes and semicolons, but they are still unable to use whitespace. To get around the whitespace restriction, the user can use a variable set by the shell. $IFS is, by default on almost all systems, a newline character or whitespace. Either of these would work, so in code you would be able to replace a whitespace with $IFS.

III. Impact

Any malicious user would be able to run arbitrary files writable by the user running infobot. They would also be able to receive information or write it, since infobot automatically replies with the data the open() returned. A user would be able to easily check the operating system and gain other information like so:

    calc ';uname$IFS"-a";'

or in older versions:

    calc |uname$IFS"-a"|

They would also be able to install arbitrary files and execute them.

IV. Workaround

Disable fortran math in the infobot configuration file and restart the infobot.

V. Solution

The best solution would be to parse out certain characters from the user's input. You can do this by adding a line to src/Math.pl in the infobot's main directory. You will see on line 40:

    $parm =~ s/\s//g;

After this line, create a new line and insert this:

    $parm =~ s/[\|;']//g;

Save the file (src/Math.pl) and restart infobot.

--
samy -- (877) 898-1424 -- CommPort5@LucidX.com
LucidX.com / pdump.org / LA.pm.org
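The root cause described above is that user text is interpolated into a shell command string, so every fix that strips a few characters leaves the shell in the loop. As an added example that is not infobot's code or the advisory's patch, the Perl below shows the two-layer fix a defender would apply to the 'calc' handler: an allowlist that accepts only the characters a bc expression needs (rejecting the quote, semicolon, pipe and $IFS shapes shown in the advisory rather than deleting them one by one), and IPC::Open2 in list form so that bc is exec'd directly with the expression on stdin and no /bin/sh is ever involved. The handler name calc_handler and the sample inputs are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not infobot's own src/Math.pl. Assumes 'bc' is on PATH and
# that calc_handler() receives the text following "calc " from IRC.
use strict;
use warnings;
use IPC::Open2;

# Defence 1: allowlist. Only digits, '.', arithmetic operators and
# parentheses are accepted. Anything else (quotes, ';', '|', '$', '`' ...)
# causes rejection of the whole request instead of a partial strip.
sub is_safe_expr {
    my ($expr) = @_;
    return length($expr) > 0
        && length($expr) <= 200                 # keep bc from being fed huge input
        && $expr =~ /\A[0-9.+\-*\/^%()]+\z/;
}

# Defence 2: never hand user input to a shell. open2() with a list of
# arguments execs bc directly; the expression travels on bc's stdin and is
# never part of a command line that a shell could re-parse.
sub run_bc {
    my ($expr) = @_;
    my $pid = open2(my $out, my $in, 'bc', '-l');
    print {$in} "$expr\n";
    close $in;
    my $result = <$out>;
    close $out;
    waitpid $pid, 0;
    chomp $result if defined $result;
    return $result;
}

sub calc_handler {
    my ($parm) = @_;
    $parm =~ s/\s//g;           # same whitespace stripping infobot already does
    return "calc: expression contains characters I won't pass to bc"
        unless is_safe_expr($parm);
    my $r = run_bc($parm);
    return defined $r ? $r : "calc: no result";
}

# Constructed sample inputs: a normal request, then the two input shapes the
# advisory describes. Only the first one reaches bc.
for my $input ('1+1', q{';uname$IFS"-a";'}, '|uname$IFS"-a"|') {
    printf "%-22s => %s\n", $input, calc_handler($input);
}
```

Rejecting rather than stripping matters: a strip-list such as `s/[\|;']//g` still leaves `$`, backticks and `$(...)` for the shell, whereas an allowlist does not have to enumerate every shell metacharacter. Removing the shell from the call path with the list form of open2 (or the three-argument `open` with `'-|'` and a list) is the part of the fix that would have closed both the original and the "fixed" version of the advisory's open() call.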