[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Rbot Owner Reaction Command Execution

Hash: SHA1

- - Product

Rbot (aka Rubybot) is a very powerful and feature rich IRC Bot written
in ruby: "Think of him as a ruby bot framework with a highly modular
design based around plugins." [1]

[1] http://ruby-rbot.org/

- - Vulnerability

The reaction plugin allows anyone to create reactions that are
triggered by certain words or regular expressions. There normal message
replies and two special reactions that can be triggered: ruby code and
bot command execution. The ruby action is correctly only allowed for
bot owners, but the command execution is not.

Here is an example for that:
<attacker> !react to /attacker:.*/ with cmd:whoami
 now the attacker is provoking a manual highlight from the bot owner:
<attacker> botowner: ping?
<botowner> attacker: pong, what's up?
<rbot> I'm your boss you can do anything!

Rbot will react by this with the execution of the bot command 'whoami'
as the botowner. Since bot owners can run ruby code with the 'script'
plugin, this leads into an arbitrary code execution flaw.

- - Solution

Update to the latest git version or deactivate the reaction plugin. The
problem was fixed[1] in the git master branch 2 weeks ago:
v. 0.9.15-git master branch revision >= 66320ea


- - Timeline

2010-02-10 -- Vendor notified
2010-02-10 -- Vendor reaction and security fix
2010-02-24 -- Public disclosure

- - Acknowledgments

Thanks to nks (nks@xxxxxxxxxxx) for helping finding the vulnerability
and to tango from the rbot development team for the prompt response!

- --
(a) (p)roof (o)f (c)oncept ..

Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/