Infobot-0.44.5.3.txt

Posted Feb 12, 2001
Authored by Samy Kamkar | Site pdump.org

Infobot v0.44.5.3 and below contains vulnerabilities which allow remote users to execute commands due to an insecure open call.

tags | exploit, remote, vulnerability
SHA-256 | 9e668c912d9b544d8575c377bcbc9d85a1e5518c52ad1d6000d9621425787cad

Advisory: Infobot 0.44.5.3 and below vulnerability [Hack-X]
This version and versions from before were also released into the
FreeBSD ports tree.
Currently there is no patched version even though I emailed the author
over a month ago about this and emailed the development list over a
week ago, and they said it would be fixed immediately, although it
still isn't. A patch follows below.

Author: Samy Kamkar [CommPort5@LucidX.com]
Special thanks to zsvx for helping find this problem and testing it on
multiple infobots.

I. Background

Infobot is an IRC bot written in perl for information retrieval and
storage along with channel management and many other useful tasks.

II. Problem Description

Infobot has a 'fortran math' section that's used with the 'calc'
command via IRC. If someone were to message (privately or in a
channel) with 'calc 1+1' (assuming fortran math is enabled in the
config file), the bot would return '2'. The problem is the way
this function works. It uses open() to run `bc`, which does the
actual math.
The original code was
    open(P, "echo $parm|bc 2>&1 |");
which allowed someone to use |'s to escape the echo and run anything
through open(). However, whitespace is stripped from user input in
fortran math, which eliminates a lot of possibilities.
They soon fixed this bug with
    open(P, "echo '$parm'|bc 2>&1 |");
This only opened up another hole. A user is now able to escape the
echo by using single-quotes and semicolons, but they are still
unable to use whitespace. To get around the whitespace restriction,
the user is able to use a variable set by the shell. $IFS is, by
default on almost all systems, a newline character or whitespace.
Either of these would work, so in code you would be able to replace
a whitespace with $IFS.

III. Impact

Any malicious user would be able to run arbitrary files writable by
the user running infobot. They would also be able to receive
information or write, since infobot automatically replies with the
data the open() sent. A user would be able to easily check the
operating system and gain other information like so:
    calc ';uname$IFS"-a";'
or in older versions:
    calc |uname$IFS"-a"|
They would also be able to install arbitrary files and execute them.

IV. Workaround

Disable fortran math in the infobot configuration file and restart
the infobot.

V. Solution

The best solution would be to parse out certain characters from the
user's input. You can do this by adding a line to src/Math.pl in
the infobot's main directory. You will see on line 40:
    $parm =~ s/\s//g;
After this line, create a new line and insert this:
    $parm =~ s/[\|;']//g;
Save the file (src/Math.pl) and restart infobot.
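
A stricter variant of the fix in section V, as an added example that is
not part of the original advisory or infobot's code: instead of stripping
known-bad characters, it accepts only an assumed arithmetic character set
and feeds bc over stdin with no shell involved. The helper name safe_calc,
the 128-character limit and the allowlist itself are assumptions.

```perl
#!/usr/bin/perl
# Added example, not infobot's code. safe_calc() is a hypothetical helper.
use strict;
use warnings;
use IPC::Open2;

# Returns bc's first output line, or undef if the input is rejected or bc fails.
sub safe_calc {
    my ($parm) = @_;
    return unless defined $parm;
    $parm =~ s/\s//g;    # same whitespace stripping as src/Math.pl

    # Allowlist (assumed character set for plain arithmetic): anything else,
    # including quotes, pipes, semicolons, '$' and letters, rejects the request.
    return unless length($parm) >= 1 && length($parm) <= 128;
    return unless $parm =~ m{\A[0-9.+\-*/%^()]+\z};

    # Run bc directly. The command is a fixed word with no shell
    # metacharacters, so Perl exec()s it without /bin/sh, and the expression
    # travels over stdin as data, never as part of a command line.
    my $result = eval {
        my $pid = open2(my $out, my $in, 'bc');
        print {$in} "$parm\n";
        close $in;
        my $line = <$out>;
        close $out;
        waitpid($pid, 0);
        $line;
    };
    return unless defined $result;    # bc missing, or it produced no output
    chomp $result;
    return $result;
}

# Constructed inputs: two arithmetic requests, then the two request strings
# quoted in section III, which must be rejected before bc is ever started.
for my $input ('1+1', '(2+3)*4', q{';uname$IFS"-a";'}, q{|uname$IFS"-a"|}) {
    my $answer = safe_calc($input);
    printf "%-22s => %s\n", $input, defined $answer ? $answer : 'rejected';
}
```

The allowlist does not bound how long bc runs on a large exponent, so a
bot using this approach would also want a timeout around the call.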

--
Samy Kamkar -- (877)-383-4980 -- CommPort5@LucidX.com
LucidX.com / pdump.org / LA.pm.org

