Title: Infobot fortran math Arbitrary Command Execution Vulnerability
Severity: HIGH
Description:
Infobot is a free, open source IRC bot designed to automate channel administration tasks and give information to users. It was originally written by Kevin Lenzo, and is actively maintained by the Infobot Development Team.
A problem exists in the way the fortran math functions of Infobot handle commands. When a command such as "calc 10+10" is sent to the bot, Infobot uses the Perl open() function to launch bc locally and feeds the expression to bc via echo. bc returns the answer to Infobot, which in turn messages the answer to the user.
However, a problem occurs when a calculation request containing single quotes and semicolons is passed through the fortran math function of the bot. While white space is parsed and removed before the request reaches bc, other characters (including shell metacharacters) are not. When the request is placed inside the echo that feeds bc, the single quotes allow the passed text to escape from the echo and be executed as a local shell command rather than as input to bc. White space can be substituted with the $IFS environment variable, allowing a remote user to pass not only commands but also arguments to those commands.
Therefore, a command such as "calc 10+10" results in normal operation, while a command such as ';mkdir$IFS"dog";' creates a directory in the current working directory of the bot with the user and group privileges of the bot's UID, provided the bot's current working directory is writable.
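The root cause is that the expression is interpolated into a shell command line, so quoting characters in user input change the command itself. The following is an added example (not Infobot's own Perl code) showing, in Python, the two mitigations a maintainer would apply: an allow-list check on the expression, and running bc via an argv list with the expression on stdin so no shell is ever involved. The function names and the 200-character limit are assumptions for illustration.

```python
import re
import shutil
import subprocess

# Allow-list for what a "calc" request may contain: digits, decimal point,
# the arithmetic operators bc understands, parentheses and white space.
# Quotes, ';', '$', backticks and letters are rejected outright instead of
# being stripped, so there is nothing left for a shell to misinterpret.
_SAFE_EXPR = re.compile(r"^[0-9.+\-*/%^()\s]+$")


def is_safe_calc_expr(expr: str) -> bool:
    """Return True only if expr is plain arithmetic that may be handed to bc."""
    # Length cap (assumed value) limits resource abuse such as huge exponents.
    return bool(_SAFE_EXPR.fullmatch(expr)) and len(expr) <= 200


def calc(expr: str) -> str:
    """Evaluate expr with bc without invoking a shell.

    The vulnerable pattern was equivalent to open("echo '$expr' | bc |"),
    which goes through /bin/sh, so a quote and ';' in $expr end the echo
    and start a new command. Here the argv list goes straight to execve
    (no shell) and the expression travels on bc's stdin, where it can only
    ever be data.
    """
    if not is_safe_calc_expr(expr):
        raise ValueError("calc: expression contains disallowed characters")
    if shutil.which("bc") is None:
        raise RuntimeError("calc: bc is not installed")
    proc = subprocess.run(
        ["bc", "-l"],
        input=expr + "\n",
        capture_output=True,
        text=True,
        timeout=5,  # bound CPU time for pathological expressions
        check=True,
    )
    return proc.stdout.strip()


if __name__ == "__main__":
    # The benign request and the hostile one from the advisory above.
    for request in ("10+10", ';mkdir$IFS"dog";'):
        try:
            print(f"calc {request!r} -> {calc(request)}")
        except ValueError as err:
            print(f"calc {request!r} rejected: {err}")
```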
Affected Products:
- Kevin Lenzo Infobot 0.44.5.3
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.