Infobot v0.44.5.3 and below contains vulnerabilities which allow remote users to execute commands due to an insecure open call.
9e668c912d9b544d8575c377bcbc9d85a1e5518c52ad1d6000d9621425787cad
Advisory: Infobot 0.44.5.3 and below vulnerability [Hack-X]
This version and versions from before were also released into the
FreeBSD ports tree.
Currently there is no patched version even though I emailed the author
over a month ago about this and emailed the development list over a
week, and them saying it would be fixed immidiately although still
isn't. A patch follows below.
Author: Samy Kamkar [CommPort5@LucidX.com]
Special thanks to zsvx for helping find this problem and testing it on
multiple infobots.
I. Background
Infobot is an IRC bot written in perl for information retrieval and
storage along with channel management and many other useful tasks.
II. Problem Description
Infobot has a 'fortran math' section that's used with the 'calc'
command via IRC. If someone were to message (privately or in a
channel) with 'calc 1+1' (assuming fortran math is enabled in the
config file), the bot would return '2'. The problem is the way
this function works. It uses open() to run `bc`, which does the
actual math.
The original code was
open(P, "echo $parm|bc 2>&1 |");
which allowed someone to use |'s to escape the echo and run anything
through open(). Although, whitespaces are eliminated from user-input
with fortran math so this eliminates a lot of possibilities.
They soon fixed this bug with
open(P, "echo '$parm'|bc 2>&1 |");
This only opened up another hole. A user is now able to escape the
echo by using single-quotes and semicolons, but they are stlil
unable to use whitespaces. To get around the whitespaces, the user
is able to use a local variable set in the terminal. $IFS is, by
default on almost all systems, a newline character or whitespace.
Either of these would work, so in code you would be able to replace
a whitespace with $IFS.
III. Impact
Any malicious user would be able to run arbitrary files writable by
the user running infobot. They would also be able to recieve
information or write, since infobot automatically replies the data
the open() sent. A user would be able to easily check the operating
system and gain other information like so:
calc ';uname$IFS"-a";'
or in older versions:
calc |uname$IFS"-a"|
They would also be able to install arbitrary files and execute them.
IV. Workaround
Disable fortran math in the infobot configuration file and restart
the infobot.
V. Solution
The best solution would be to parse out certain characters from the
user's input. You can do this by adding a line to src/Math.pl in
the infobot's main directory. You will see on line 40:
$parm =~ s/\s//g;
After this line, create a new line and insert this:
$parm =~ s/[\|;']//g;
Save the file (src/Math.pl) and restart infobot.
--
Samy Kamkar -- (877)-383-4980 -- CommPort5@LucidX.com
LucidX.com / pdump.org / LA.pm.org