[Nolug] Re: eggdrop script bible.tcl bug, gaping security hole

From: Joey Kelly <looseduk_at_ductape.net>
Date: Thu, 20 Jun 2002 18:35:11 +0000
Message-Id: <0206201835110K.20940@rahab>

Kim,

I don't know that much tcl (I do a little php here and there), but what I
think would be a good approach is to have the script catch the commands
associated with brs (??, ?and, ?list, etc.), dropping everything else with
perhaps a syntax helper reply (a list of commands, etc.) echoed to the
channel/user. Definitely you would need to parse out metacharacters.

We might be able to help out a little. I'll run this by my buddies. Probably
my #perl friends can help with the regexing and knowing exactly what
metacharacters to look out for.

Thanks for getting back to me so soon.

--Joey

Thou spake:
>Yuck, you're right. I never thought about that. Probably the best way to fix
>it would be to get it to interact directly with brs rather than just sending
>it shell commands. Unfortunately, my TCL isn't really up to the task. I
>guess I'll just have to get it to strip out the metacharacters, unless you have
>a better suggestion.
>
>I've taken it off the site for now. Please keep me posted on what happens.
>
>Thanks for letting me know.
>
>----- Original Message -----
>From: "Joey Kelly" <looseduk@ductape.net>
>To: <user@unknown.nu>
>Cc: <root@unknown.nu>; <nobeliumclove@unknown.nu>
>Sent: Wednesday, June 19, 2002 4:29 PM
>Subject: eggdrop script bible.tcl bug, gaping security hole
>
>> Hello.
>>
>> I have been using the bible.tcl script written by Kim Scarborough, and I have
>> discovered a way to make the script execute arbitrary shell code.
>>
>> A group of IRCers and I were looking at the script last night, trying to
>> figure out why so little of the brs functionality was available to the
>> script. We determined that the script was incomplete. We thought of finishing
>> the script, making it possible to pass multiple arguments to brs, etc.
>>
>> At any rate, I realized that the existing bible.tcl script, as it called
>> brs (by executing "bible <parameter>" on the shell), could possibly also
>> pass extra parameters, including metacharacters, to the shell.
>>
>> To test this, I first ran this command from my shell:
>>
>> bible ??God | touch newfile
>>
>> and the file "newfile" was created as if I had run the command
>>
>> touch newfile
>>
>> from the shell. I then went to irc and issued the command
>>
>> !bible bible ??God | touch anothernewfile
>>
>> and as before the file "anothernewfile" was created in my directory. This
>> of course means that the bible.tcl script as it is written is insecure,
>> and allows the execution of arbitrary code on the shell.
>>
>> One can imagine the potential uses of this: irc user "h4x0r" passes "rm
>> -rf ~$user/*" to the shell, and $user returns to find all of his files
>> gone. Irc user "l4m3r" uses scp to upload certain scripts which, when
>> executed via irc,
>> run a local root exploit against the linux box and installs a rootkit.
>> "l4m3r" then proceeds to perform all sorts of further mischief. Etc.
>>
>> This is just one exploit against one irc script. However, since there are
>> other scripts that make calls to external programs (much like web servers
>> make calls to external cgi programs), it is likely that these other irc
>> scripts have this same type of vulnerability. It is my intention to
>> publish this bug report on the various bug tracking and security sites,
>> usenet, etc.
>
>> I will wait 10 days before doing so, to give you folks time to do
>> something about your script. At the least, I would hope that a warning
>> would be posted to your site about this security hole. I would further
>> hope that you or someone else would come up with a way to close the
>> script's hole, and that the script would be versioned.
>>
>> Thank you for taking the time to read about and address my concerns.
>> --
>>
>> Joey Kelly
>> < Minister of the Gospel | Computer Networking Consultant >
>> http://joeykelly.dhs.org

--

Joey Kelly
< Minister of the Gospel | Computer Networking Consultant >
http://joeykelly.dhs.org

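A whitelist-style command handler of the kind Joey suggests above (accept only the brs commands, drop everything else with a syntax reminder, never hand the text to a shell), written as an added example for this thread: it is not bible.tcl and not code from anyone in the thread. The names brs_filter, brs_argv and pub_bible are invented, and it assumes the bible front end takes the whole query as one argument, as the "bible ??God" form in the mail shows.

```tcl
# Added example, not from bible.tcl or from anyone in this thread; the names
# brs_filter, brs_argv and pub_bible are invented for illustration.

# The only brs commands the bot forwards: the three named in the mail,
# matched as prefixes so that the "??God" form used above is accepted.
set brs_allowed {?? ?and ?list}

# Returns {ok <query>} or {err <help text>}. After the command prefix, only
# letters, digits, spaces and : . , - are allowed, and the first non-space
# character may not be "-". Shell and exec metacharacters (| ; & $ ` < >
# ( ) and newlines) therefore never reach exec; the user gets help instead.
proc brs_filter {text} {
    global brs_allowed
    set text [string trim $text]
    set cmd ""
    foreach p $brs_allowed {
        if {[string first $p $text] == 0} { set cmd $p; break }
    }
    if {$cmd == ""} {
        return [list err "unknown command; use one of: $brs_allowed"]
    }
    set rest [string range $text [string length $cmd] end]
    if {![regexp {^ *([A-Za-z0-9:.,][A-Za-z0-9 :.,-]*)?$} $rest]} {
        return [list err "query may contain only letters, digits, spaces and : . , -"]
    }
    return [list ok $text]
}

# Builds the argv list for exec. Each element is one argv entry and no shell
# is involved, so the query is never re-parsed for | or ;. Assumes the bible
# front end takes the whole query as a single argument, as the mail shows.
proc brs_argv {text} {
    set r [brs_filter $text]
    if {[lindex $r 0] != "ok"} { error [lindex $r 1] }
    return [list bible [lindex $r 1]]
}

# Eggdrop hook, registered only when loaded inside eggdrop (bind exists).
if {[llength [info commands bind]] > 0} {
    bind pub - !bible pub_bible
}
proc pub_bible {nick uhost hand chan text} {
    set r [brs_filter $text]
    if {[lindex $r 0] != "ok"} {
        putserv "PRIVMSG $chan :$nick: [lindex $r 1]"
        return
    }
    # eval over a proper list is the pre-8.5 equivalent of exec {*}$argv
    if {[catch {eval exec [brs_argv [lindex $r 1]]} out]} { set out "brs error: $out" }
    putserv "PRIVMSG $chan :[string range $out 0 400]"
}
```

With this filter, "??God" is forwarded as the single argument "??God", while "??God | touch newfile" is refused before exec is ever reached, because "|" is outside the permitted character set.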
___________________
Nolug mailing list
nolug@nolug.org
Received on 06/20/02

This archive was generated by hypermail 2.2.0 : 12/19/08 EST