COMMAND

    Infobot

SYSTEMS AFFECTED

    Infobot 0.44.5.3 and below

PROBLEM

    Samy Kamkar  [CommPort5] found  following.   Infobot 0.44.5.3  and
    below and versions from before were also released into the FreeBSD
    ports tree.   Currently there  is no  patched version  even though
    Samy emailed the  author over a  month ago about  this and emailed
    the development  list over  a week,  and them  saying it  would be
    fixed immidiately although still isn't.  A patch follows below.

    Infobot is an  IRC bot written  in perl for  information retrieval
    and storage along  with channel management  and many other  useful
    tasks.

    Infobot has a 'fortran math'  section that's used with the  'calc'
    command via IRC.   If someone were to  message (privately or in  a
    channel) with 'calc 1+1' (assuming fortran math is enabled in  the
    config file), the bot  would return '2'.   The problem is the  way
    this function works.  It uses  open() to run `bc`, which does  the
    actual math.  The original code was

        open(P, "echo $parm|bc 2>&1 |");

    which  allowed  someone  to  use  |'s  to  escape the echo and run
    anything  through  open().   Although,  whitespaces are eliminated
    from user-input  with fortran  math so  this eliminates  a lot  of
    possibilities.  They soon fixed this bug with

        open(P, "echo '$parm'|bc 2>&1 |");

    This only opened up  another hole.  A  user is now able  to escape
    the  echo  by  using  single-quotes  and  semicolons, but they are
    stlil unable to use whitespaces.   To get around the  whitespaces,
    the user  is able  to use  a local  variable set  in the terminal.
    $IFS is, by default on almost all systems, a newline character  or
    whitespace.  Either of these would  work, so in code you would  be
    able to replace a whitespace with $IFS.

    Any malicious user would be  able to run arbitrary files  writable
    by the user running infobot.   They would also be able to  recieve
    information or write, since infobot automatically replies the data
    the  open()  sent.   A  user  would  be  able  to easily check the
    operating system and gain other information like so:

        calc ';uname$IFS"-a";'

    or in older versions:

        calc |uname$IFS"-a"|

    They would  also be  able to  install arbitrary  files and execute
    them.

SOLUTION

    Disable fortran math in the infobot configuration file and restart
    the infobot.   The best  solution would  be to  parse out  certain
    characters from the  user's input.   You can do  this by adding  a
    line to  src/Math.pl in  the infobot's  main directory.   You will
    see on line 40:

        $parm =~ s/\s//g;

    After this line, create a new line and insert this:

        $parm =~ s/[\|;']//g;

    Save the file (src/Math.pl) and restart infobot.