[Nolug] eggdrop script bible.tcl bug, gaping security hole

From: Joey Kelly <looseduk_at_ductape.net>
Date: Wed, 19 Jun 2002 21:29:22 +0000
Message-Id: <0206192129220H.20940@rahab>

Hello.

I have been using the bible.tcl script written by Kim Scarborough, and I have
discovered a way to make the script execute arbitrary shell code.

A group of IRCers and I were looking at the script last night, trying to
figure out why so little of the brs functionality was available to the
script. We determined that the script was incomplete. We thought of finishing
the script, making it possible to pass multiple arguments to brs, etc.

At any rate, I realized that the existing bible.tcl script, as it called brs
(by executing "bible <parameter>" on the shell), could possibly also pass
extra parameters, including metacharacters, to the shell.

To test this, I first ran this command from my shell:

bible ??God | touch newfile

and the file "newfile" was created as if I had run the command

touch newfile

from the shell. I then went to irc and issued the command

!bible bible ??God | touch anothernewfile

and as before the file "anothernewfile" was created in my directory. This of
course means that the bible.tcl script as it is written is insecure, and
allows the execution of arbitrary code on the shell.

One can imagine the potential uses of this: irc user "h4x0r" passes "rm -rf
~$user/*" to the shell, and $user returns to find all of his files gone. Irc
user "l4m3r" uses scp to upload certain scripts which, when executed via irc,
run a local root exploit against the linux box and install a rootkit.
"l4m3r" then proceeds to perform all sorts of further mischief. Etc.

This is just one exploit against one irc script. However, since there are
other scripts that make calls to external programs (much like web servers
make calls to external cgi programs), it is likely that these other irc
scripts have this same type of vulnerability. It is my intention to publish
this bug report on the various bug tracking and security sites, usenet, etc.
I will wait 10 days before doing so, to give you folks time to do something
about your script. At the least, I would hope that a warning would be posted
to your site about this security hole. I would further hope that you or
someone else would come up with a way to close the script's hole, and that
the script would be versioned.

Thank you for taking the time to read about and address my concerns.
--

Joey Kelly
< Minister of the Gospel | Computer Networking Consultant >
http://joeykelly.dhs.org

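The following is an added example, not code from bible.tcl or from its author: it reconstructs in Tcl the pattern the mail describes (the IRC argument handed to the shell as "bible <parameter>") next to a hardened form that validates the reference and runs the program without a shell. The `sh -c` call, the `!bible` binding shape and the allowed character set are assumptions.

```tcl
# Added example (not Kim Scarborough's bible.tcl). Assumes the original
# script built a shell command line containing the user's text.

# Vulnerable pattern (assumed): the IRC argument is pasted into a shell
# command, so "??God | touch newfile" makes the shell run touch as well.
proc bible_lookup_unsafe {text} {
    return [exec sh -c "bible $text"]
}

# Hardened form:
#  1. accept only the characters a Bible reference or ?word search needs;
#  2. pass the text straight to the program, never through a shell.
proc bible_lookup_safe {text} {
    if {![regexp {^[A-Za-z0-9 :,.?-]{1,64}$} $text]} {
        error "rejected reference: $text"
    }
    # exec with separate words: no shell parses the text, so "|", ";" and
    # backticks are ordinary bytes inside bible's argv.
    return [exec bible $text]
}

# eggdrop binding (assumed shape): !bible <reference>
bind pub - !bible pub_bible
proc pub_bible {nick uhost hand chan text} {
    # exec raises on a non-zero exit or stderr output; catch both cases
    if {[catch {bible_lookup_safe $text} out]} {
        putserv "PRIVMSG $chan :$nick: could not look that up."
        return
    }
    foreach line [split $out "\n"] {
        putserv "PRIVMSG $chan :$line"
    }
}
```

With the hardened form, the test input from the mail is rejected by the character check before any program runs, and even a reference that passes the check reaches `bible` as a single argument with no shell involved.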
Received on 06/19/02