
From: Samy Kamkar [CommPort5] (CommPort5LUCIDX.COM)
Date: Wed Feb 07 2001 - 00:53:27 CST


    Advisory: Infobot 0.44.5.3 and below vulnerability [Hack-X]
    This version and earlier versions were also released into the
    FreeBSD ports tree.
    Currently there is no patched version, even though I emailed the author
    about this over a month ago and emailed the development list over a
    week ago, and they said it would be fixed immediately, although it
    still isn't. A patch follows below.

    Author: Samy Kamkar [CommPort5LucidX.com]
    Special thanks to zsvx for helping find this problem and testing it on
    multiple infobots.

    I. Background

    Infobot is an IRC bot written in Perl for information retrieval and
    storage, along with channel management and many other useful tasks.

    II. Problem Description

    Infobot has a 'fortran math' section that is used by the 'calc'
    command over IRC. If someone messages the bot (privately or in a
    channel) with 'calc 1+1' (assuming fortran math is enabled in the
    config file), the bot returns '2'. The problem is the way this
    function works: it uses open() to run `bc`, which does the actual
    math.
    The original code was
    open(P, "echo $parm|bc 2>&1 |");
    which allowed someone to use |'s to escape the echo and run anything
    through open(). Whitespace is, however, stripped from user input
    in fortran math, so this eliminates a lot of possibilities.
    They soon fixed this bug with
    open(P, "echo '$parm'|bc 2>&1 |");
    This only opened another hole. A user is now able to escape the
    echo by using single quotes and semicolons, but is still unable
    to use whitespace. To get around the whitespace restriction, the
    user can use a variable set by the shell. $IFS (the shell's
    internal field separator) is, by default on almost all systems, a
    newline character or whitespace. Either of these would work, so in
    code a whitespace can be replaced with $IFS.

    III. Impact

    Any malicious user would be able to run arbitrary files writable by
    the user running infobot. They would also be able to receive
    information or write data, since infobot automatically replies with
    the output that open() returned. A user would be able to easily
    check the operating system and gain other information like so:
    calc ';uname$IFS"-a";'
    or in older versions:
    calc |uname$IFS"-a"|
    They would also be able to install arbitrary files and execute them.

    IV. Workaround

    Disable fortran math in the infobot configuration file and restart
    the infobot.

    V. Solution

    The best solution would be to strip certain characters from the
    user's input. You can do this by adding a line to src/Math.pl in
    the infobot's main directory. You will see on line 40:
    $parm =~ s/\s//g;
    After this line, create a new line and insert this:
    $parm =~ s/[\|;']//g;
    Save the file (src/Math.pl) and restart infobot.
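
    A more robust variant of the fix, added here as an example and not
    infobot's own code: allowlist the characters a bc expression needs
    (rejecting anything else rather than stripping it) and hand the
    expression to bc on its stdin through the list form of open2, so no
    shell ever sees user input and $IFS has nothing to act on. It assumes
    `bc` is on the PATH; the function names are made up for this example.

```perl
#!/usr/bin/perl
# Added example (not infobot's src/Math.pl): evaluate a 'calc' expression
# with bc without ever passing user input through a shell.
use strict;
use warnings;
use IPC::Open2;

# Allowlist: only the characters a bc arithmetic expression needs.
# Quotes, ';', '|', '$', backticks and letters are rejected outright, so
# there is nothing left for an $IFS-based whitespace trick to work with.
sub safe_calc_expr {
    my ($parm) = @_;
    $parm =~ s/\s//g;                 # same whitespace removal as src/Math.pl
    return undef unless length $parm;
    return undef unless $parm =~ /^[0-9+\-*\/^%().]+$/;
    return $parm;
}

# Run bc as an argv list (open2 with separate arguments does not invoke a
# shell) and feed the expression on stdin instead of interpolating it into
# a command string like "echo '$parm'|bc".
sub calc {
    my ($parm) = @_;
    my $expr = safe_calc_expr($parm);
    return 'rejected: invalid characters in expression' unless defined $expr;

    my $pid = open2(my $out, my $in, 'bc');   # assumption: bc is on PATH
    print {$in} "$expr\n";
    close $in;
    my $result = join '', <$out>;
    close $out;
    waitpid $pid, 0;
    chomp $result;
    return $result;
}

unless (caller) {
    # Two ordinary expressions and the advisory's own probe string, which
    # the allowlist refuses before bc or any shell is involved.
    for my $input ('1+1', '2 * (3 + 4)', q{';uname$IFS"-a";'}) {
        printf "%-22s => %s\n", $input, calc($input);
    }
}
```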

    --
    Samy Kamkar -- (877)-383-4980 -- CommPort5LucidX.com
    LucidX.com / pdump.org / LA.pm.org