lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <4B853E3B.1010504@sixserv.org>
Date: Wed, 24 Feb 2010 15:56:59 +0100
From: Matthias -apoc- Hecker <apoc@...serv.org>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Rbot Owner Reaction Command Execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - Product

Rbot (aka Rubybot) is a very powerful and feature rich IRC Bot written
in ruby: "Think of him as a ruby bot framework with a highly modular
design based around plugins." [1]

[1] http://ruby-rbot.org/

- - Vulnerability

The reaction plugin allows anyone to create reactions that are
triggered by certain words or regular expressions. There normal message
replies and two special reactions that can be triggered: ruby code and
bot command execution. The ruby action is correctly only allowed for
bot owners, but the command execution is not.

Here is an example for that:
<attacker> !react to /attacker:.*/ with cmd:whoami
 now the attacker is provoking a manual highlight from the bot owner:
<attacker> botowner: ping?
<botowner> attacker: pong, what's up?
<rbot> I'm your boss you can do anything!

Rbot will react by this with the execution of the bot command 'whoami'
as the botowner. Since bot owners can run ruby code with the 'script'
plugin, this leads into an arbitrary code execution flaw.

- - Solution

Update to the latest git version or deactivate the reaction plugin. The
problem was fixed[1] in the git master branch 2 weeks ago:
v. 0.9.15-git master branch revision >= 66320ea

[1]
http://ruby-rbot.org/rbot-trac/changeset/a9565be1c9d5549b1cbc058bb0a097011e1dd778

- - Timeline

2010-02-10 -- Vendor notified
2010-02-10 -- Vendor reaction and security fix
2010-02-24 -- Public disclosure

- - Acknowledgments

Thanks to nks (nks@...serv.org) for helping finding the vulnerability
and to tango from the rbot development team for the prompt response!

- --
(a) (p)roof (o)f (c)oncept ..
  http://apoc.sixserv.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkuFPjsACgkQWlhozqFVuMtWjwCfXfo8Sk5YVjmelPxE6Zd+9L/g
CrwAnR6iwwW79FUKuaEBy25YwDxNdlI/
=hWHV
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ