Limnoria/Supybot.html.md

218 lines
7.4 KiB
Markdown
Raw Normal View History

2014-05-16 14:51:00 +02:00
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta name="description" content="Security issues in the latest released version of stock Supybot, how to avoid them without switching to a fork and how to switch to forks." />
<meta name="keywords" content="Security,Issues,Supybot,crash,Debian,Ubuntu,IRC,Python,Python 2,Python 3,pip," />
2014-05-16 14:51:00 +02:00
<meta name="author" content="Mikaela Suomalainen" />
2014-05-20 14:03:35 +02:00
<link rel="canonical" href="https://mkaysi.github.io/limnoria/Supybot.html">
2014-05-16 14:51:00 +02:00
<title>Security issues of Supybot</title>
<link rel="stylesheet" type="text/css" href="css.css" />
2014-06-29 17:59:32 +02:00
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-40171169-1', 'mkaysi.github.io');
ga('send', 'pageview');
</script>
2014-05-16 14:51:00 +02:00
</head>
<body>
2014-06-29 17:59:32 +02:00
All activity happens in git repository of Supybot nowadays and it happens
seldomly. The latest version, which was released in 2009 is 0.83.4.1
has multiple security issues documented here. This version is available
from Debian repositories, Ubuntu repositories and repositories of many
other Linux distributions.
2014-05-16 14:51:00 +02:00
2014-06-29 17:59:32 +02:00
**Note: Development has moved from SourceForge to GitHub so I won't refer
to the old SF page.**
2014-05-16 14:51:00 +02:00
2014-06-29 17:59:32 +02:00
## The issues of 0.83.4.1.
2014-05-16 14:51:00 +02:00
### 1. Anyone can crash it and computer where it's running on
2014-05-16 14:51:00 +02:00
And this is very easy. Just run the command
```
!misc last --regexp m/(.*\w){512}/
```
where ! is the prefix character.
2014-06-29 17:59:32 +02:00
Misc is loaded by default and cannot be unloaded without modifying the
config.
2014-05-16 14:51:00 +02:00
### 2. The previous wasn't the only way to do this
2014-05-16 14:51:00 +02:00
2014-06-29 17:59:32 +02:00
Everyone can also make the bot count an equation, which brings it and the
host computer down.
2014-05-16 14:51:00 +02:00
For example:
```
!math calc factorial(999999)
```
2014-06-29 17:59:32 +02:00
This requires Math plugin which comes with Supybot, but isn't load by
default.
### 3. Anyone can access network services via the bot.
2014-05-16 14:51:00 +02:00
2014-06-29 17:59:32 +02:00
I don't have example command for this, but it happens by nesting
"format cut" and "misc tell".
2014-05-16 14:51:00 +02:00
2014-06-29 17:59:32 +02:00
What does this mean? Anyone can tell the bot to ghost someone else on same
account, take over a channel by telling the bot to give flags
(if it has correct flags), change password of the account and everything
else what you do with network services.
2014-05-16 14:51:00 +02:00
2014-06-29 18:06:18 +02:00
### 4. Web page with special characters in \<title\> can be used to send DCC/CTCP commands.
2014-05-16 14:51:00 +02:00
2014-06-29 17:59:32 +02:00
This doesn't mean only things like CTCP actions (also known as /me),
but known problems with old routers ( `FF ? DCC SEND “ff???f??????????????” 0 0 0` )
which make them reconnect to the internet.
2014-05-16 14:51:00 +02:00
Usage:
```
!web title <malicious.page.here>
!web fetch <malicious.page.here>
```
2014-06-29 17:59:32 +02:00
### Are these issues publicly known?
2014-05-16 14:51:00 +02:00
2014-06-29 17:59:32 +02:00
**Of course they are.** They have been reported to
2014-05-16 14:51:00 +02:00
2014-06-29 17:59:32 +02:00
* [Ubuntu](https://ubuntu.com)
* [issue 1](http://pad.lv/996947])
* [issue 2](http://pad.lv/996950)
* [Debian](https://debian.org/)
* [issue 1](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214)
* [issue 2](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215)
* [#supybot](ircs://chat.freenode.net:6697/#supybot)
2014-05-16 14:51:00 +02:00
2014-06-29 17:59:32 +02:00
The first issue has been also used to take down some of
[Ubuntu IRC bots](https://wiki.ubuntu.com/IRC/Bots) several times.
At least UbotX (I don't remember the number) and meetingology.
2014-05-16 14:51:00 +02:00
2014-06-29 17:59:32 +02:00
Some of these issues are fixed in git repository, but most people aren't
using it. If you wish to start using it, please scroll down to
installation instructions lower this page even though [Limnoria] and
[gribble] are more recommended.
2014-05-16 14:51:00 +02:00
2014-06-29 17:59:32 +02:00
### How to avoid them?
2014-05-16 14:51:00 +02:00
2014-06-29 17:59:32 +02:00
You can add anticapability for these commands using
`owner defaultcapability`, but that is only a temporary solution.
There can also be other issues.
2014-05-16 14:51:00 +02:00
2014-06-29 17:59:32 +02:00
There are also two active Supybot forks, known as [Limnoria] and
[Gribble], which are actively developed and have fixed these issues.
If you want permanent solution, you should install either of them.
2014-05-16 14:51:00 +02:00
2014-06-29 18:19:47 +02:00
I recommend [Limnoria]
* it seems to be more actively developed.
* (activity of [Gribble] isn't announced anywhere)
* it has additional
* commands
* translations support
* plugins
* [PluginDownloader], which makes installing of
3rd party plugins easy.
* NickAuth
* Allows identifying to the bot using NickServ account.
* all changes of [Gribble].
* Conditional & MessageParser
* [Limnoria also supports SASL and CertFP], which are methods to
[identify to services automatically.](https://mkaysi.github.io/pages/external/identifying.html)
## Interesting things
* [Comparsion of commit activity between Limnoria, Gribble and Supybot](https://www.openhub.net/p/compare?project_0=Limnoria&project_1=Gribble%3A+Support+Bottie&project_2=Supybot).
2014-06-29 18:19:47 +02:00
* [Gribble's modifications to stock Supybot](https://sourceforge.net/p/gribble/wiki/Gribble_Project_Git_Repository/)
* SourceForge and that link are a little broken, when they are moved
elsewhere, please remove this notice!
* [Limnoria's modifications to Gribble.](https://github.com/ProgVal/Limnoria/wiki/LGC)
* Features of Gribble are fully merged to Limnoria.
2014-05-16 14:51:00 +02:00
2014-06-29 17:59:32 +02:00
Your current botname.conf is **100% compatible with forks**.
2014-05-16 14:51:00 +02:00
2014-06-29 17:59:32 +02:00
[Join Supybot channels on freenode!](ircs://chat.freenode.net:6697/#supybot,#gribble,#limnoria)
2014-05-16 14:51:00 +02:00
[Limnoria]:https://github.com/ProgVal/Limnoria
2014-10-09 15:53:49 +02:00
[Gribble]:http://github.com/nanotube/supybot_fixes
2014-05-16 14:51:00 +02:00
[PluginDownloader]:https://github.com/ProgVal/Limnoria/tree/master/plugins/PluginDownloader
2014-06-29 11:21:43 +02:00
## Installing forks
### For all of them.
You should install [pip] (usually python-pip and python3-pip in
repositories) and [git].
2014-06-29 11:21:43 +02:00
Windows users should also install [pip] and [msysgit] and in [msysgit]
2014-06-29 11:21:43 +02:00
select to run **unix tools in PATH**.
Note: pip is included with Python =< 3.4! Python 3 is only supported by
2014-06-29 11:21:43 +02:00
Limnoria.
For **rootless installation**, please see
2014-06-29 11:21:43 +02:00
[Limnoria's documentation.](http://supybot.aperio.fr/doc/use/install.html#local-installation) which you should be able to modify to install stock
Supybot or gribble with the information below.
If you don't have sudo, please simply remove it from beginnings of lines
and run the commands as root or Administrator.
2014-06-29 17:35:24 +02:00
[git]:http://git-scm.com/
[pip]:http://pip.readthedocs.org/en/latest/reference/pythonpip_install.html
2014-06-29 17:13:52 +02:00
[msysgit]:https://msysgit.github.io/
2014-06-29 11:21:43 +02:00
### Supybot
**Not recommended as it's not actively developed.**
```
sudo python -m pip install git+https://github.com/supybot/supybot.git --upgrade
2014-06-29 11:21:43 +02:00
```
### gribble
Less actively developed than Limnoria and doesn't support Python 3.
```
sudo python -m pip install git+https://github.com/nanotube/supybot_fixes.git --upgrade
2014-06-29 11:21:43 +02:00
```
### Limnoria
At the time of writing, the most active Supybot fork which includes
embedded HTTPd for plugins needing it, supports other languages than
English and also runs with Python 3.
The first command installs requirements of Limnoria and the second
Limnoria itself. Only Limnoria has requirements.txt file at the moment.
```
sudo python3 -m pip install -r https://raw.githubusercontent.com/ProgVal/Limnoria/master/requirements.txt --upgrade
sudo python3 -m pip install git+https://github.com/ProgVal/Limnoria.git@master --upgrade
2014-06-29 11:21:43 +02:00
```
#### python3 -m pip
If you don't have pip for Python3 you can
```
curl -LO https://bootstrap.pypa.io/get-pip.py
sudo python3 get-pip.py
```
if `curl -LO` doesn't work, try replacing it with `wget`.
2014-06-29 17:59:32 +02:00
<hr/>
2014-06-29 18:06:18 +02:00
[Changelog of this page.](https://github.com/Mkaysi/Limnoria/commits/gh-pages/Supybot.html)
2014-06-29 17:59:32 +02:00
<hr/>
</body>
</html>