-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - Product Rbot (aka Rubybot) is a very powerful and feature rich IRC Bot written in ruby: "Think of him as a ruby bot framework with a highly modular design based around plugins." [1] [1] http://ruby-rbot.org/ - - Vulnerability The reaction plugin allows anyone to create reactions that are triggered by certain words or regular expressions. There normal message replies and two special reactions that can be triggered: ruby code and bot command execution. The ruby action is correctly only allowed for bot owners, but the command execution is not. Here is an example for that: <attacker> !react to /attacker:.*/ with cmd:whoami now the attacker is provoking a manual highlight from the bot owner: <attacker> botowner: ping? <botowner> attacker: pong, what's up? <rbot> I'm your boss you can do anything! Rbot will react by this with the execution of the bot command 'whoami' as the botowner. Since bot owners can run ruby code with the 'script' plugin, this leads into an arbitrary code execution flaw. - - Solution Update to the latest git version or deactivate the reaction plugin. The problem was fixed[1] in the git master branch 2 weeks ago: v. 0.9.15-git master branch revision >= 66320ea [1] http://ruby-rbot.org/rbot-trac/changeset/a9565be1c9d5549b1cbc058bb0a097011e1dd778 - - Timeline 2010-02-10 -- Vendor notified 2010-02-10 -- Vendor reaction and security fix 2010-02-24 -- Public disclosure - - Acknowledgments Thanks to nks (nks@xxxxxxxxxxx) for helping finding the vulnerability and to tango from the rbot development team for the prompt response! - -- (a) (p)roof (o)f (c)oncept .. http://apoc.sixserv.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkuFPjsACgkQWlhozqFVuMtWjwCfXfo8Sk5YVjmelPxE6Zd+9L/g CrwAnR6iwwW79FUKuaEBy25YwDxNdlI/ =hWHV -----END PGP SIGNATURE-----
