Shortly afterwards, @pry0cc found out that if you change your nickname to a command such as echo, then type in this: “@topic 882;something”, the command would be executed with “something” as an argument. The problem lay in the way the bot interfaced with Discourse, by executing a shell command to run a Ruby script.
I can personally attest to the fallacies of popen. I just had to blacklist more than a dozen characters so that my system wouldn’t explode. AFAIK, I was only vulnerable to single-word commands, like ls.
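The two posts above describe the same root cause: a user-controlled string is spliced into a command line that popen hands to /bin/sh, and a character blacklist is bolted on afterwards. The following is an added example, not the bot's code and not written by anyone in this thread, showing the vulnerable string form beside the argv form that never invokes a shell, plus an allow-list check for a topic id. It uses `echo` as the command, mirroring the nickname trick described above, so it runs with nothing but a POSIX shell and /bin/echo; the payload, blacklist and function names are all constructed for the example.

```ruby
# Added example (not the bot's code): why character blacklisting around
# popen is the wrong layer, and how an argv array removes the shell entirely.

# Vulnerable pattern: command and argument are interpolated into one string,
# which IO.popen passes to /bin/sh. Anything the shell treats specially
# (";", "|", "&", ">", backticks, "$(...)" ...) changes what runs.
def run_unsafe(command, arg)
  IO.popen("#{command} #{arg}") { |io| io.read }
end

# Safe pattern: an argv array is exec'd directly, no shell in the path,
# so the argument arrives verbatim, metacharacters and all.
def run_safe(command, arg)
  IO.popen([command, arg]) { |io| io.read }
end

# The bolt-on approach the posters describe. This list is constructed for
# the example; it has to enumerate every metacharacter of every shell the
# bot might run under, which is why it keeps growing.
SHELL_BLACKLIST = [";", "|", "&", ">", "<", "`", "$", "(", ")"].freeze

def blacklisted?(arg)
  SHELL_BLACKLIST.any? { |c| arg.include?(c) }
end

# Allow-list validation: a Discourse topic id is digits only, so accept
# exactly that shape and reject everything else before any command runs.
def valid_topic_id?(arg)
  arg.match?(/\A\d+\z/)
end

if __FILE__ == $PROGRAM_NAME
  payload = "882; echo INJECTED"   # constructed payload mirroring "882;something"
  puts run_unsafe("echo", payload) # prints "882" then "INJECTED": a second command ran
  puts run_safe("echo", payload)   # prints the whole payload as one literal argument
  puts blacklisted?(payload)       # true, but only because ";" happens to be listed
  puts valid_topic_id?(payload)    # false, regardless of which metacharacter is used
end
```

The point of the pair is that `run_safe` does not need the blacklist at all: with no shell parsing the argument, the question of which characters are dangerous never arises. The allow-list check is still worth keeping in front of it, because the Ruby script being launched should only ever receive a numeric topic id.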
We pwned your bot xD
Do you mind including the code, and how the exploit worked? I’ll do a detailed write-up tomorrow.
Look what I found in a file called test:
Looking up Google.com
Location: Mountain View, CA, United States
Weather right now:
\e[38;5;226m \ / \e[0m Sunny
\e[38;5;226m .-. \e[0m \e[38;5;226m75\e[0m – \e[38;5;220m77\e[0m °F\e[0m
\e[38;5;226m ― ( ) ― \e[0m \e[1m↘\e[0m \e[38;5;220m10\e[0m mph\e[0m
\e[38;5;226m `-' \e[0m 9 mi\e[0m
\e[38;5;226m / \ \e[0m 0.0 in\e[0m
@Joe_Schmoe, it seems it worked.
It’s probably a leftover from when you didn’t have “>” blacklisted and I did “@iplookup google.com>>test”
Yeah the C code for your bot.
I am on IRC, nothing happens.
I leave for a few hours, then this shit happens…
fml
-Phoenix750
I feel ya mate
I’m considering making an alert bot that links with my phone via Pushbullet so that people can get hold of me, sort of an IRC pager. Would you wanna be on the bot?
You should tell me more about it when I get on IRC later today.
-Phoenix750