Home » 2010 » February » 25 » Rbot Owner Reaction Command Execution
6:53 AM
Rbot Owner Reaction Command Execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - Product

Rbot (aka Rubybot) is a very powerful and feature rich IRC Bot written
in ruby: "Think of him as a ruby bot framework with a highly modular
design based around plugins." [1]

[1] http://ruby-rbot.org/

- - Vulnerability

The reaction plugin allows anyone to create reactions that are
triggered by certain words or regular expressions. There normal message
replies and two special reactions that can be triggered: ruby code and
bot command execution. The ruby action is correctly only allowed for
bot owners, but the command execution is not.

Here is an example for that:
<attacker> !react to /attacker:.*/ with cmd:whoami
 now the attacker is provoking a manual highlight from the bot owner:
<attacker> botowner: ping?
<botowner> attacker: pong, what's up?
<rbot> I'm your boss you can do anything!

Rbot will react by this with the execution of the bot command 'whoami'
as the botowner. Since bot owners can run ruby code with the 'script'
plugin, this leads into an arbitrary code execution flaw.

- - Solution

Update to the latest git version or deactivate the reaction plugin. The
problem was fixed[1] in the git master branch 2 weeks ago:
v. 0.9.15-git master branch revision >= 66320ea

[1]
http://ruby-rbot.org/rbot-trac/changeset/a9565be1c9d5549b1cbc058bb0a097011e1dd778

- - Timeline

2010-02-10 -- Vendor notified
2010-02-10 -- Vendor reaction and security fix
2010-02-24 -- Public disclosure

- - Acknowledgments

Thanks to nks (nks@sixserv.org) for helping finding the vulnerability
and to tango from the rbot development team for the prompt response!

- --
(a) (p)roof (o)f (c)oncept ..
 http://apoc.sixserv.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkuFPjsACgkQWlhozq
FVuMtWjwCfXfo8Sk5YVjmelPxE6Zd+9L/g
CrwAnR6iwwW79FUKuaEBy25YwDxNdlI/
=hWHV
-----END PGP SIGNATURE-----
Views: 524 | Added by: b1zz4rd | Rating: 0.0/0
Total comments: 1
1  
included in Chromea022.0.1229.92 is the latest vseoirn of the Adobe Flash Player which was just updated to address vulnerabilities that could cause a crash and potentially allow an attacker to take

Name *:
Email *:
Code *: