exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Feb 12, 2001
Authored by Samy Kamkar | Site pdump.org

Infobot v0.44.5.3 and below contains vulnerabilities which allow remote users to execute commands due to an insecure open call.

tags | exploit, remote, vulnerability
SHA-256 | 9e668c912d9b544d8575c377bcbc9d85a1e5518c52ad1d6000d9621425787cad


Change Mirror Download
Advisory: Infobot and below vulnerability [Hack-X]
This version and versions from before were also released into the
FreeBSD ports tree.
Currently there is no patched version even though I emailed the author
over a month ago about this and emailed the development list over a
week, and them saying it would be fixed immidiately although still
isn't. A patch follows below.

Author: Samy Kamkar [CommPort5@LucidX.com]
Special thanks to zsvx for helping find this problem and testing it on
multiple infobots.

I. Background

Infobot is an IRC bot written in perl for information retrieval and
storage along with channel management and many other useful tasks.

II. Problem Description

Infobot has a 'fortran math' section that's used with the 'calc'
command via IRC. If someone were to message (privately or in a
channel) with 'calc 1+1' (assuming fortran math is enabled in the
config file), the bot would return '2'. The problem is the way
this function works. It uses open() to run `bc`, which does the
actual math.
The original code was
open(P, "echo $parm|bc 2>&1 |");
which allowed someone to use |'s to escape the echo and run anything
through open(). Although, whitespaces are eliminated from user-input
with fortran math so this eliminates a lot of possibilities.
They soon fixed this bug with
open(P, "echo '$parm'|bc 2>&1 |");
This only opened up another hole. A user is now able to escape the
echo by using single-quotes and semicolons, but they are stlil
unable to use whitespaces. To get around the whitespaces, the user
is able to use a local variable set in the terminal. $IFS is, by
default on almost all systems, a newline character or whitespace.
Either of these would work, so in code you would be able to replace
a whitespace with $IFS.

III. Impact

Any malicious user would be able to run arbitrary files writable by
the user running infobot. They would also be able to recieve
information or write, since infobot automatically replies the data
the open() sent. A user would be able to easily check the operating
system and gain other information like so:
calc ';uname$IFS"-a";'
or in older versions:
calc |uname$IFS"-a"|
They would also be able to install arbitrary files and execute them.

IV. Workaround

Disable fortran math in the infobot configuration file and restart
the infobot.

V. Solution

The best solution would be to parse out certain characters from the
user's input. You can do this by adding a line to src/Math.pl in
the infobot's main directory. You will see on line 40:
$parm =~ s/\s//g;
After this line, create a new line and insert this:
$parm =~ s/[\|;']//g;
Save the file (src/Math.pl) and restart infobot.

Samy Kamkar -- (877)-383-4980 -- CommPort5@LucidX.com
LucidX.com / pdump.org / LA.pm.org

Login or Register to add favorites

File Archive:

December 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    0 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By