Infobot fortran math Arbitrary Command Execution Vulnerability

Infobot is a free, open source IRC bot designed to automate channel administration tasks and give information to users. It was originally written by Kevin Lenzo, and is actively maintained by the Infobot Development Team.

A flaw in how the bot's fortran math function handles user input may allow remote users to execute commands on the host running the bot. Infobot accepts commands from users via private message, which lets users query the bot for information. The fortran math function lets users evaluate arithmetic expressions by passing the user's input to bc: the expression is fed to bc through an echo in a shell command, and the result is returned to the user. The problem arises when the input contains single quotes and semicolons. Because special characters are not sufficiently removed, such input can terminate the quoted echo argument and append further shell commands, which the shell then executes.
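The following is an added illustration of the pattern described above, not code from Infobot or from the advisory. It builds the kind of shell line the fortran math function is described as using, shows which programs a shell would run once a constructed payload (an assumption; the advisory gives no specific input) is dropped into it, and contrasts it with a hardened path that allowlists plain arithmetic and invokes bc without a shell. The payload string, the allowlist regex and all function names are this example's own assumptions.

```python
import re
import shlex
import shutil
import subprocess

# Constructed payload (not from the advisory): the single quote closes the
# quoted string the bot wraps around user input, the semicolon ends the echo
# command, and the trailing "echo '1" reopens the quote so the line still
# parses. "id" stands in for whatever the attacker wants to run.
PAYLOAD = "1'; id; echo '1"

# Allowlist for plain bc arithmetic (an assumption): digits, whitespace,
# operators, parentheses and a decimal point. Quotes, semicolons and letters
# never match.
BC_EXPR = re.compile(r"^[0-9+\-*/%^(). \t]+$")


def vulnerable_command(expr):
    """The pattern the advisory describes: user text interpolated straight into
    a shell command line that echoes it into bc."""
    return f"echo '{expr}' | bc"


def shell_words(cmd):
    """Tokenise a command line the way a POSIX shell would, keeping ; and | as
    separate tokens so an injected command is visible."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def programs_run(cmd):
    """Return the first word of every simple command in cmd, i.e. the programs
    the shell would actually execute. A safe line yields ['echo', 'bc'] only."""
    programs = []
    at_command_start = True
    for tok in shell_words(cmd):
        if tok in (";", "|", "&", "&&", "||"):
            at_command_start = True
        elif at_command_start:
            programs.append(tok)
            at_command_start = False
    return programs


def is_plain_arithmetic(expr):
    """True only when expr consists of allowlisted arithmetic characters."""
    return BC_EXPR.fullmatch(expr) is not None


def safe_calc(expr):
    """Hardened path: refuse anything that is not plain arithmetic (rather than
    trying to strip characters), then hand the expression to bc on stdin as an
    argv list with no shell in between, so quoting cannot be broken even if the
    allowlist is later loosened. Needs the bc binary on PATH."""
    if not is_plain_arithmetic(expr):
        raise ValueError(f"not a plain arithmetic expression: {expr!r}")
    if shutil.which("bc") is None:
        raise RuntimeError("bc is not installed")
    out = subprocess.run(["bc", "-l"], input=expr + "\n",
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    cmd = vulnerable_command(PAYLOAD)
    print("shell line built from the payload:", cmd)
    print("programs the shell would run:", programs_run(cmd))
    try:
        safe_calc(PAYLOAD)
    except ValueError as err:
        print("hardened path rejected it:", err)
    if shutil.which("bc"):
        print("hardened path on 2^10:", safe_calc("2^10"))
```

Running the script prints `['echo', 'id', 'echo', 'bc']` for the payload, the extra `id` being the injected command; a benign expression such as `2+2` yields `['echo', 'bc']`. The hardened path treats the allowlist as a second line of defence: removing the shell from the call chain is what actually closes the hole, because there is then no quoting for the input to escape.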

A malicious remote user may execute arbitrary commands on the host with the privileges (UID) of the account running the infobot. Through this vulnerability it is also possible to gain remote access to local resources with the privileges of the infobot.


Copyright 2010, SecurityFocus