<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta name="description" content="Supybot security issues" />
<meta name="keywords" content="Security,Issues,Supybot,crash,Debian,Ubuntu,IRC" />
<meta name="author" content="Mika Suomalainen" />
<link rel="canonical" href="http://mkaysi.github.com/IRC/Supybot.html">
<title> Security issues of Supybot </title>
<link rel="stylesheet" type="text/css" href="../tyyli.css" />
</head>
<body>
<hr/>
<a href="../sitemap/sitemap.html">Sitemap</a>
<hr/>
<p><em>If you are looking for the web interface of my bot (known as Supybot on freenode), click <a href="OtusBot.html">here.</a></em></p>
<h1 id="latest-version-of-supybot-was-released-in-2005">The latest version of Supybot was released in 2005</h1>
<p>Nowadays all activity happens in Supybot's git repository, and it happens seldom. The version released in 2005 is 0.83.4.1.</p>
<p>It's available from <a href="http://supybot.sf.net/">SourceForge</a>, Debian repositories, Ubuntu repositories and the repositories of many other Linux distributions.</p>
<h1 id="has-critical-issues">0.83.4.1 has critical issues</h1>
<p>What issues?</p>
<h2 id="anyone-can-crash-it-and-computer-where-its-running-on">1. Anyone can crash it and the computer it is running on</h2>
<p>And this is very easy. Just run the command</p>
<pre><code>!misc last --regexp m/(.*\w){512}/</code></pre>
<p>where ! is the prefix character.</p>
<p>Misc is loaded by default and cannot be unloaded without modifying the config.</p>
<h2 id="the-previous-wasnt-the-only-way-to-do-this">2. The previous wasn't the only way to do this</h2>
<p>Anyone can also make the bot evaluate an expression that brings it and the host computer down.</p>
<p>For example:</p>
<pre><code>!math calc factorial(999999)</code></pre>
<h2 id="anyone-can-access-network-services-via-the-bot.">3.
Anyone can access network services via the bot.</h2>
<p>I don't have an example command for this, but it happens by nesting "format cut" and "misc tell".</p>
<p>What does this mean? Anyone can tell the bot to ghost someone else on the same account, take over a channel by telling the bot to give flags (if it has the correct flags), change the password of the account and do everything else that you can do with network services.</p>
<h2 id="web-page-with-special-characters-in-title-can-be-used-to-send-dccctcp-commands.">4. Web page with special characters in title can be used to send DCC/CTCP commands.</h2>
<p>This doesn't mean only things like CTCP actions (also known as /me), but also known problems with old routers ( FF ? DCC SEND “ff???f??????????????” 0 0 0 ) which make them reconnect to the internet.</p>
<p>Usage:</p>
<pre><code>!web title &lt;malicious.page.here&gt;
!web fetch &lt;malicious.page.here&gt;</code></pre>
<p>Note that web fetch is disabled by default.</p>
<p>This is currently* fixed only in Limnoria's testing version.</p>
<p>*See the changelog link at the bottom. Currently means 18:04 (UTC) on 2012-10-31.</p>
<h1 id="are-these-issues-publicly-known">Are these issues publicly known?</h1>
<p><strong>Of course they are.</strong> They have been reported to</p>
<ol class="incremental" style="list-style-type: decimal">
<li><p><a href="http://ubuntu.com/">Ubuntu</a>, <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214">issue 1</a> and <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215">issue 2</a></p></li>
<li><p><a href="http://debian.org/">Debian</a>, <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214">issue 1</a> and <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215">issue 2</a>.</p></li>
</ol>
<p>The first issue has also been used to take down some of the <a href="https://wiki.ubuntu.com/IRC/Bots">Ubuntu IRC bots</a> several times.
At least UbotX (I don't remember the number) and meetingology.</p>
<ol class="incremental" start="3" style="list-style-type: decimal">
<li>to their IRC channel.</li>
</ol>
<p>Some of them are fixed in the git repository, but most people aren't using it.</p>
<h2 id="how-to-avoid-them">How to avoid them?</h2>
<p>You can add an anticapability for these commands using "owner defaultcapability", but that is only a temporary solution. There can also be other issues.</p>
<p>There are also two active Supybot forks, known as <a href="https://github.com/ProgVal/Limnoria">Limnoria</a> and <a href="http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Main_Page">Gribble</a>, which are actively developed and have fixed these issues. If you want a permanent solution, you should install either of them.</p>
<p>I recommend <a href="https://github.com/ProgVal/Limnoria">Limnoria</a>, because it seems to be more active (activity of <a href="http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Main_Page">Gribble</a> isn't announced anywhere) and it has additional commands, translations and a new plugin called <a href="https://github.com/ProgVal/Limnoria/tree/master/plugins/PluginDownloader">PluginDownloader</a>, which makes installing 3rd party plugins easy.</p>
<p><strong>If you use Debian/Ubuntu or any Debian based distribution, you can get the <a href="http://builds.progval.net/limnoria/limnoria-master-HEAD.deb">stable version of Limnoria here</a> or the <a href="http://builds.progval.net/limnoria/limnoria-testing-HEAD.deb">testing version here</a>.</strong></p>
<p>The links above should always point to the latest version of Limnoria and they are updated daily.</p>
<p><a href="http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Gribble_Project_Git_Repository">Gribble modifications when compared to Supybot.</a></p>
<p><a href="https://github.com/ProgVal/Limnoria/wiki/LGC">Limnoria modifications when compared to Gribble.</a> Features of Gribble have been fully merged into
Limnoria.</p>
<p>Your current botname.conf is <strong>100% compatible with forks</strong>.</p>
<p><a href="irc://irc.freenode.net/#supybot,#gribble,#limnoria">Join Supybot channels on freenode!</a></p>
<p><a href="https://github.com/Mkaysi/mkaysi.github.com/commits/master/IRC/Supybot.html.md">Changelog of this page.</a></p>
</body>
</html>
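<p>One way to neutralize the title problem from issue 4, as an added example that is not Supybot's or Limnoria's own code: decode the page title first, then strip control characters (including the CTCP delimiter <code>\x01</code>) before the text is placed in a reply. The names <code>extract_title</code>, <code>sanitize_for_irc</code> and <code>title_reply</code>, the 200-character limit and the sample page are assumptions made for this illustration.</p>

```python
import re
from html.parser import HTMLParser

# C0 control characters plus DEL. This covers \x01 (the CTCP delimiter) and
# CR/LF/NUL, none of which belong in text a bot relays to a channel.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

class TitleParser(HTMLParser):
    """Collect the text of the first title element of a page."""

    def __init__(self):
        # convert_charrefs=True decodes entities before handle_data sees them,
        # so the filter below runs on the final characters.
        super().__init__(convert_charrefs=True)
        self.in_title = False
        self.done = False
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "title" and not self.done:
            self.in_title = True

    def handle_endtag(self, tag):
        if tag == "title" and self.in_title:
            self.in_title = False
            self.done = True

    def handle_data(self, data):
        if self.in_title:
            self.parts.append(data)

def extract_title(page):
    parser = TitleParser()
    parser.feed(page)
    parser.close()
    return "".join(parser.parts)

def sanitize_for_irc(text, limit=200):
    """Replace control characters with spaces, collapse whitespace, truncate."""
    cleaned = CONTROL_CHARS.sub(" ", text)
    return " ".join(cleaned.split())[:limit]

def title_reply(channel, page):
    """Build the PRIVMSG line a title command would send (hypothetical helper)."""
    return "PRIVMSG %s :Title: %s" % (channel, sanitize_for_irc(extract_title(page)))

# Constructed sample: a page whose title is wrapped in the CTCP delimiter.
SAMPLE_PAGE = "<html><head><title>\x01ACTION waves\x01</title></head></html>"
```

<p>With the filter in place the reply built from the sample page carries the title as plain text, so a client receiving it sees an ordinary message rather than a CTCP request.</p>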