mailing list archives
Rbot Owner Reaction Command Execution
From: Matthias -apoc- Hecker <apoc () sixserv org>
Date: Wed, 24 Feb 2010 15:56:59 +0100
-----BEGIN PGP SIGNED MESSAGE-----
- - Product
Rbot (aka Rubybot) is a very powerful and feature rich IRC Bot written
in ruby: "Think of him as a ruby bot framework with a highly modular
design based around plugins." 
- - Vulnerability
The reaction plugin allows anyone to create reactions that are
triggered by certain words or regular expressions. There normal message
replies and two special reactions that can be triggered: ruby code and
bot command execution. The ruby action is correctly only allowed for
bot owners, but the command execution is not.
Here is an example for that:
<attacker> !react to /attacker:.*/ with cmd:whoami
now the attacker is provoking a manual highlight from the bot owner:
<attacker> botowner: ping?
<botowner> attacker: pong, what's up?
<rbot> I'm your boss you can do anything!
Rbot will react by this with the execution of the bot command 'whoami'
as the botowner. Since bot owners can run ruby code with the 'script'
plugin, this leads into an arbitrary code execution flaw.
- - Solution
Update to the latest git version or deactivate the reaction plugin. The
problem was fixed in the git master branch 2 weeks ago:
v. 0.9.15-git master branch revision >= 66320ea
- - Timeline
2010-02-10 -- Vendor notified
2010-02-10 -- Vendor reaction and security fix
2010-02-24 -- Public disclosure
- - Acknowledgments
Thanks to nks (nks () sixserv org) for helping finding the vulnerability
and to tango from the rbot development team for the prompt response!
(a) (p)roof (o)f (c)oncept ..
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Rbot Owner Reaction Command Execution Matthias -apoc- Hecker (Feb 24)