<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" /> <meta name="description" content="Supybot security issues," /> <meta name="keywords" content="Security,Issues,Supybot,crash,Debian,Ubuntu,IRC" /> <meta name="author" content="Mika Suomalainen" /> <link rel="canonical" href="http://mkaysi.github.com/IRC/Supybot.html">
<title>
Security issues of Supybot
</title>
<link rel="stylesheet" type="text/css" href="../tyyli.css" />
</head>
<body>
<hr/>
<a href="../sitemap/sitemap.html">Sitemap</a>
<hr/>
<p><em>If you are looking for web interface of my bot (known as Supybot on freenode), click <a href="OtusBot.html">here.</a></em></p>
<h1 id="latest-version-of-supybot-was-released-in-2005">Latest version of Supybot was released in 2005</h1>
<p>All activity happens in git repository of Supybot nowadays and it happens seldomly. The version, which was released in 2005 is 0.83.4.1.</p>
<p>It's available from <a href="http://supybot.sf.net/">SourceForge</a>, Debian repositories, Ubuntu repositories and repositories of many other Linux distributions.</p>
<h1 id="has-critical-issues">0.83.4.1 has critical issues</h1>
<p>What issues?</p>
<h2 id="anyone-can-crash-it-and-computer-where-its-running-on">1. Anyone can crash it and computer where it's running on</h2>
<p>And this is very easy. Just run the command</p>
<pre><code>!misc last --regexp m/(.*\w){512}/</code></pre>
<p>where ! is the prefix character.</p>
<p>Misc is loaded by default and cannot be unloaded without modifying the config.</p>
<h2 id="the-previous-wasnt-the-only-way-to-do-this">2. The previous wasn't the only way to do this</h2>
<p>Everyone can also make the bot count an equation, which brings it and the host computer down.</p>
<p>For example:</p>
<pre><code>!math calc factorial(999999)</code></pre>
<h2 id="anyone-can-access-network-services-via-the-bot.">3. Anyone can access network services via the bot.</h2>
<p>I don't have example command for this, but it happens by nesting "format cut" and "misc tell".</p>
<p>What does this mean? Anyone can tell the bot to ghost someone else on same account, take over a channel by telling the bot to give flags (if it has correct flags), change password of the account and everything else what you do with network services.</p>
<h2 id="web-page-with-special-characters-in-title-can-be-used-to-send-dccctcp-commands.">4. Web page with special characters in title can be used to send DCC/CTCP commands.</h2>
<p>This doesn't mean only things like CTCP actions (also known as /me), but known problems with old routers ( FF ? DCC SEND “ff???f??????????????” 0 0 0 ) which make them reconnect to the internet.</p>
<p>Usage:</p>
<pre><code>!web title <malicious.page.here>
!web fetch <malicious.page.here></code></pre>
<p>Note that web fetch is disabled by default.</p>
<p>This is currently* fixed only in Limnoria's testing version.</p>
<p>*See the changelog link at bottom. Currently means 18:04 (UTC) on 2012-10-31.</p>
<h1 id="are-these-issues-publicly-known">Are these issues publicly known?</h1>
<p><STRONG>Of course they are.</strong> They have been reported to</p>
<ol class="incremental" style="list-style-type: decimal">
<li><p><a href="http://ubuntu.com/">Ubuntu</a>, <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214">issue 1</a> and <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215">issue 2</a></p></li>
<li><p><a href="http://debian.org/">Debian</a>, <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214">issue 1</a> and <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215">issue 2</a>.</p></li>
</ol>
<p>The first issue has been also used to take down some of <a href="https://wiki.ubuntu.com/IRC/Bots">Ubuntu IRC bots</a> several times. At least UbotX (I don't remember the number) and meetingology.</p>
<ol class="incremental" start="3" style="list-style-type: decimal">
<li>to their IRC channel.</li>
</ol>
<p>Some of them are fixed in git repository, but most people aren't using it.</p>
<h2 id="how-to-avoid-them">How to avoid them?</h2>
<p>You can add anticapability for these commands using "owner defaultcapability", but that is only a temporary solution. There can also be other issues.</p>
<p>There are also two active Supybot forks, known as <a href="https://github.com/ProgVal/Limnoria">Limnoria</a> and <a href="http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Main_Page">Gribble</a>, which are actively developed and have fixed these issues. If you want permanent solution, you should install either of them.</p>
<p>I recommend <a href="https://github.com/ProgVal/Limnoria">Limnoria</a>, because it seems to be more active (activity of <a href="http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Main_Page">Gribble</a> isn't announced anywhere) and it has additional commands, translations and new plugin called <a href="https://github.com/ProgVal/Limnoria/tree/master/plugins/PluginDownloader">PluginDownloader</a>, which makes installing of 3rd party plugins easy.</p>
<p><strong>If you use Debian/Ubuntu or any Debian based distribution, you can get <a href="http://builds.progval.net/limnoria/limnoria-master-HEAD.deb">stable version of Limnoria here</a> or <a href="http://builds.progval.net/limnoria/limnoria-testing-HEAD.deb">testing version here</a>.</strong></p>
<p>The links above should always be the latest version of Limnoria and they are updated daily.</p>
<p><a href="http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Gribble_Project_Git_Repository">Gribble modifications when compared to Supybot.</a></p>
<p><a href="https://github.com/ProgVal/Limnoria/wiki/LGC">Limnoria modifications when compared to Gribble.</a> Features of Gribble have been fully merged to Limnoria.</p>
<p>Your current botname.conf is <strong>100% compatible with forks</strong>.</p>
<p><a href="irc://irc.freenode.net/#supybot,#gribble,#limnoria">Join Supybot channels on freenode!</a></p>
<p><a href="https://github.com/Mkaysi/mkaysi.github.com/commits/master/IRC/Supybot.html.md">Changelog of this page.</a></p>
<hr/>
<div id="disqus_thread"></div>
<script type="text/javascript">
/* * * CONFIGURATION VARIABLES: EDIT BEFORE PASTING INTO YOUR WEBPAGE * * */
var disqus_developer = 0;
var disqus_url = 'http://mkaysi.github.com/IRC/Supybot.html';
var disques_title = 'Security issues of Supybot';
var disqus_shortname = 'mkaysishomepage'; // required: replace example with your forum shortname
/* * * DON'T EDIT BELOW THIS LINE * * */
(function() {
var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async =
true;
dsq.src = 'http://' + disqus_shortname + '.disqus.com/embed.js';
(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0])
.appendChild(dsq);
})();
</script>
<noscript>
Please enable JavaScript to view the <a href="http://disqus.com/?ref_noscript">comments powered by Dis qus.</a>
</noscript>
<p>
<a href="http://disqus.com" class="dsq-brlink">comments powered by <span class="logo-disqus">Disqus </span></a>
</p>
<!-- vim : set ft=html -->
<meta http-equiv="X-UA-Compatible" content="chrome=1">
<html>
<body>
<script type="text/javascript"
src="http://ajax.googleapis.com/ajax/libs/chrome-frame/1/CFInstall.min.js"></script>
<style>
/*
CSS rules to use for styling the overlay:
.chromeFrameOverlayContent
.chromeFrameOverlayContent iframe
.chromeFrameOverlayCloseBar
.chromeFrameOverlayUnderlay
*/
</style>
<script>
// You may want to place these lines inside an onload handler
CFInstall.check({
mode: "overlay",
url: "https://www.google.com/intl/en/chrome/business/browser/chromeframe.html"
})
</script>
</body>
</html>