Be wary of user input! - How to fail at using Popen


#1


Shortly afterwards, @pry0cc found out that if you change your nickname to a command such as echo, then type in this: “@topic 882;something”, the command would be executed with “something” as an argument. The problem lay in the way the bot interfaced with Discourse, by executing a shell command to run a Ruby script.


(oaktree) #2

I can personally attest to the fallacies of popen. I just had to blacklist more than a dozen characters so that my system wouldn’t explode. AFAIK, I was only vulnerable to single-word commands, like ls.
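An added example (not the bot's own C code) of the pattern described in #1 and #2: the command string that popen() would receive when the nick and argument are spliced in, beside a fix that allow-lists the argument and runs a hard-coded helper through execvp() with no shell at all. The helper name `discourse.rb` and the program passed to `run_lookup` are assumptions for illustration.

```c
/* Added example, not the bot's real code: the popen() pattern from the
 * thread next to a fix that never hands user text to a shell. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable: user-controlled nick and argument are spliced into a shell
 * command line (helper name "discourse.rb" is assumed). With nick "echo"
 * and arg "882;something", /bin/sh runs "something" as a second command.
 * Returns the string the bot would have passed to popen(out, "r"). */
const char *build_shell_cmd(char *out, size_t n, const char *nick, const char *arg)
{
    snprintf(out, n, "ruby discourse.rb %s %s", nick, arg);
    return out;
}

/* Fix part 1: an allow-list instead of a blacklist of shell metacharacters.
 * An argument is accepted only if it looks like a hostname or topic id:
 * non-empty, alphanumerics plus '.' and '-'. Everything else is rejected. */
int arg_is_safe(const char *arg)
{
    if (*arg == '\0') return 0;
    for (; *arg; arg++)
        if (!isalnum((unsigned char)*arg) && *arg != '.' && *arg != '-')
            return 0;
    return 1;
}

/* Fix part 2: run the helper without a shell. execvp() gets a fixed argv,
 * so ';' or '>>' in the argument can never start a command or redirect;
 * the program name is chosen by the bot, never taken from the nick.
 * Returns the child's exit status, or -1 if the argument was rejected. */
int run_lookup(const char *program, const char *arg)
{
    if (!arg_is_safe(arg)) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        char *const argv[] = {(char *)program, (char *)arg, NULL};
        execvp(program, argv);
        _exit(127); /* exec failed in the child */
    }
    int status;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Note that `run_lookup` rejects "google.com>>test" before anything is executed, whereas `build_shell_cmd` shows exactly why the blacklist approach was a losing race.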


(Security Architect & Founder) #3

We pwned your bot xD


(Security Architect & Founder) #4

Do you mind including the code, and how the exploit worked? I’ll do a detailed write-up tomorrow.


(oaktree) #5

My code, @pry0cc?

20 characters at least.


(oaktree) #6

Look what I found in a file called test:

Looking up Google.com
Location: Mountain View, CA, United States
Weather right now:

     \   /     Sunny
      .-.      75 – 77 °F
   ― (   ) ―   ↘ 10 mph
      `-’      9 mi
     /   \     0.0 in

@Joe_Schmoe, it seems it worked.


#7

It’s probably a leftover from when you didn’t have “>” blacklisted and I did “@iplookup google.com>>test”


(Security Architect & Founder) #8

Yeah the C code for your bot.


#9

grab it while it’s hot


#10

I am on IRC, nothing happens.

I leave for a few hours, then this shit happens…

fml

-Phoenix750


#11

I feel ya mate :cry:


(Security Architect & Founder) #12

I’m considering making an alert bot that links with my phone via Pushbullet so that people can get hold of me, sort of an IRC pager. Would you wanna be on the bot?


#13

You should tell me more about it when I get on IRC later today.

-Phoenix750