Shortly afterwards, @pry0cc found out that if you change your nickname to a command such as echo, then type in this: “@topic 882;something”, the command would be executed with “something” as an argument. The problem lay in the way the bot interfaced with discourse, by executing a shell command to run a ruby script.
I can personally attest to the fallacies of popen. I just had to blacklist more than a dozen characters so that my system wouldn’t explode. AFAIK, I was only vulnerable to single-word commands, like
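The two posts above describe the same root cause: the bot pastes the nickname and the message text into a shell command line and hands it to popen, so a nickname like `echo` and a message containing `;` or `>>` become shell syntax rather than data. The following is an added example, not the bot's actual code; the script name `lookup.rb` and the function names are assumptions. It shows the command-building pattern that causes the problem beside the fix practitioners reach for instead of a character blacklist: run the program directly with an argv array via fork/execvp, so the operating system never parses the text and `;`, `>>` or a nickname of `echo` are passed through as plain arguments.

```c
/* Added example: shell-injection-prone popen command building vs. argv exec. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable pattern (as described in the thread): user-controlled nick and
 * argument are concatenated into one string that a shell will later parse.
 * "lookup.rb" is a hypothetical script name. Returns 0 on success. */
int build_popen_command(const char *nick, const char *arg, char *buf, size_t n) {
    int len = snprintf(buf, n, "ruby lookup.rb %s %s", nick, arg);
    return (len >= 0 && (size_t)len < n) ? 0 : -1;
}

/* Returns 1 if the built command line still carries shell metacharacters,
 * i.e. the user text would be interpreted by /bin/sh rather than passed on. */
int command_has_shell_meta(const char *cmd) {
    return strpbrk(cmd, ";|&<>`$()\n") != NULL;
}

/* Hardened pattern: no shell involved. argv[0] is the program, the rest are
 * literal arguments. Child stdout is captured into out (NUL-terminated).
 * Returns the child's exit status, or -1 on a local failure. */
int run_argv(char *const argv[], char *out, size_t n) {
    int fds[2];
    if (n == 0 || pipe(fds) != 0) return -1;

    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }

    if (pid == 0) {                       /* child: wire stdout to the pipe */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execvp(argv[0], argv);            /* argv is passed verbatim, unparsed */
        _exit(127);                       /* only reached if exec fails */
    }

    close(fds[1]);                        /* parent: read everything the child prints */
    size_t total = 0;
    ssize_t r;
    while (total < n - 1 &&
           (r = read(fds[0], out + total, n - 1 - total)) > 0)
        total += (size_t)r;
    out[total] = '\0';
    close(fds[0]);

    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[256], out[256];

    /* The "@topic 882;something" case from the thread, with nick "echo". */
    build_popen_command("echo", "882;something", cmd, sizeof cmd);
    printf("popen would receive: %s  (metachars: %s)\n",
           cmd, command_has_shell_meta(cmd) ? "yes" : "no");

    /* Same text through execvp: the ';' and '>>' are just bytes in argv[1]. */
    char *argv[] = { "echo", "google.com>>test", NULL };
    if (run_argv(argv, out, sizeof out) == 0)
        printf("argv exec printed: %s", out);   /* google.com>>test, no file written */
    return 0;
}
```

The point of `command_has_shell_meta` is not to be a better blacklist; it only makes visible that the concatenated string still contains shell syntax, whereas the argv route has no parsing step to blacklist around. If a shell feature (globbing, pipes) is genuinely needed, the safe version still builds an argv and passes user text as a separate positional parameter (`sh -c 'script "$1"' sh "$arg"`) rather than splicing it into the command string.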
We pwned your bot xD
Do you mind including the code, and how the exploit worked? I’ll do a detailed write-up tomorrow.
Look what I found in a file called
Looking up Google.com Location: Mountain View, CA, United States Weather right now: Sunny 75 – 77 °F ↘ 10 mph 9 mi 0.0 in
@Joe_Schmoe, it seems it worked.
It’s probably a leftover from when you didn’t have “>” blacklisted and I did “@iplookup google.com>>test”
Yeah the C code for your bot.
I feel ya mate
I’m considering making an alert bot that links with my phone via Pushbullet so that people can get hold of me, sort of an IRC pager. Would you wanna be on the bot?
You should tell me more about it when I get on IRC later today.