Infobot-0.44.5.3.txt

12 Feb 2001 00:00:00 | Reported by Samy Kamkar | Type: packetstorm | Source: packetstormsecurity.com

Infobot 0.44.5.3 has a critical vulnerability that allows remote code execution through the calc command.

Code
`Advisory: Infobot 0.44.5.3 and below vulnerability [Hack-X]  
This version and earlier versions were also released into the  
FreeBSD ports tree.  
Currently there is no patched version, even though I emailed the author  
over a month ago about this and emailed the development list over a  
week ago, and they said it would be fixed immediately, although it still  
isn't. A patch follows below.  
  
Author: Samy Kamkar [[email protected]]  
Special thanks to zsvx for helping find this problem and testing it on  
multiple infobots.  
  
I. Background  
  
Infobot is an IRC bot written in perl for information retrieval and  
storage along with channel management and many other useful tasks.  
  
II. Problem Description  
  
Infobot has a 'fortran math' section that's used with the 'calc'  
command via IRC. If someone were to message (privately or in a  
channel) with 'calc 1+1' (assuming fortran math is enabled in the  
config file), the bot would return '2'. The problem is the way  
this function works. It uses open() to run `bc`, which does the  
actual math.  
The original code was  
open(P, "echo $parm|bc 2>&1 |");  
which allowed someone to use |'s to escape the echo and run anything  
through open(). However, whitespace is stripped from user input  
with fortran math, which eliminates a lot of possibilities.  
They soon fixed this bug with  
open(P, "echo '$parm'|bc 2>&1 |");  
This only opened up another hole. A user is now able to escape the  
echo by using single quotes and semicolons, but they are still  
unable to use whitespace. To get around the whitespace restriction,  
the user is able to use a variable that is already set in the shell.  
$IFS is, by default on almost all systems, a newline character or  
whitespace. Either of these would work, so in a command you would be  
able to replace a whitespace with $IFS.  
  
III. Impact  
  
Any malicious user would be able to run arbitrary files writable by  
the user running infobot. They would also be able to receive  
information or write, since infobot automatically replies with the  
data that open() returned. A user would be able to easily check the  
operating system and gain other information like so:  
calc ';uname$IFS"-a";'  
or in older versions:  
calc |uname$IFS"-a"|  
They would also be able to install arbitrary files and execute them.  
  
IV. Workaround  
  
Disable fortran math in the infobot configuration file and restart  
the infobot.  
  
V. Solution  
  
The best solution would be to parse out certain characters from the  
user's input. You can do this by adding a line to src/Math.pl in  
the infobot's main directory. You will see on line 40:  
$parm =~ s/\s//g;  
After this line, create a new line and insert this:  
$parm =~ s/[\|;']//g;  
Save the file (src/Math.pl) and restart infobot.  
  
--  
Samy Kamkar -- (877)-383-4980 -- [email protected]  
LucidX.com / pdump.org / LA.pm.org  
  
  
`
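
A stricter variant of the section V fix, as an added example that is not part of the advisory or of infobot's code: it allowlists arithmetic characters instead of stripping three of them, and passes the expression to bc on stdin with IPC::Open2 so no shell ever parses user input. The function names, the 128-character limit and the allowed character set are assumptions, and bc must be installed.

```perl
#!/usr/bin/perl
# Added example, not infobot's code: allowlist the expression and hand it to
# bc on stdin, so no user-controlled text is ever parsed by a shell.
use strict;
use warnings;
use IPC::Open2;

# Assumption: calc only needs digits, basic operators, parentheses and dots.
# '^' is left out on purpose: very large exponents can keep bc busy for ages.
my $ALLOWED = qr/\A[0-9+\-*\/%().]{1,128}\z/;

# Returns the whitespace-stripped expression, or undef if anything else is in it.
sub calc_is_safe {
    my ($parm) = @_;
    $parm =~ s/\s//g;                 # same whitespace stripping as Math.pl
    return $parm =~ $ALLOWED ? $parm : undef;
}

sub run_calc {
    my ($parm) = @_;
    my $expr = calc_is_safe($parm);
    return 'rejected' unless defined $expr;

    # A single command word with no metacharacters: Perl execs bc directly.
    my $pid = open2(my $from_bc, my $to_bc, 'bc');
    print {$to_bc} "$expr\n";
    close $to_bc;                     # EOF tells bc to finish
    my $answer = <$from_bc>;
    close $from_bc;
    waitpid($pid, 0);

    return 'no result' unless defined $answer;   # e.g. bc syntax error
    chomp $answer;
    return $answer;
}

# Constructed inputs: one benign, plus the two strings quoted in section III.
for my $input ('1+1', q{';uname$IFS"-a";'}, q{|uname$IFS"-a"|}) {
    printf "%-22s => %s\n", $input, run_calc($input);
}
```

Both strings from section III are rejected before any process is started, and even an expression that passes the check is only ever data on bc's stdin, never part of a command line.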
