Vulnerability in all telegram-bot-bash Versions up to 0.94, *UPDATE NOW* #125

Closed
gnadelwartz opened this issue May 22, 2020 · 4 comments
gnadelwartz commented May 22, 2020

All versions up to 0.94 are vulnerable to a shell variable expansion bug, allowing remote code execution as the user running telegram-bot-bash.

The bug is fixed in Release 0.941 and 0.96-dev-8, please UPDATE NOW.

Workaround

In case you cannot update, e.g. you modified bashbot.sh or rely on a feature not working in current releases, apply the following modification to your bashbot.sh file:

Locate the line containing "UPDATE=`curl  $UPD_URL$OFFSET ..." or "UPDATE="$(getJson..."
and add the following line after it:

	UPDATE="${UPDATE//$/\\$}"

This is how it should look (from 0.941):

	UPDATE="$(getJson "$UPD_URL$OFFSET" | "${JSONSHFILE}" -s -b -n | iconv -f utf-8 -t utf-8 -c)"
	UPDATE="${UPDATE//$/\\$}"

Description

We did not follow the most important rule for programming: Do not trust external or user input!

Even though we do extensive testing, quoting and disable globbing, we forgot to protect input from the most powerful, but also most dangerous, feature of a shell: variable and command expansion!

Solution

Escape every $ in Telegram updates, not only in user input but also in everything received from telegram.

From first tests this will not break telegram-bot-bash functionality, but it may require adaptations if you test for the existence of $ in a telegram message.

Test

To test if your bot is affected, send it a command containing $$ and echo the message:

e.g.:

	...
	'/echo'*) send_normal_message "${CHAT[ID]}" "${MESSAGE}" ;;
	...

/echo $$

If the bot echoes "/echo $$", everything is OK;
if not, it will send the current bashbot process number:

/echo 123455
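
Added example, not code from the telegram-bot-bash project: a small POSIX shell model of the expansion step and of the one-line fix, run against a constructed JSON.sh-style update line carrying the `/echo $$` test message from above. The loader is an assumption about how this class of bug arises (a double-quoted assignment loaded with eval), not the project's own parser.

```shell
#!/bin/sh
# Added example (not telegram-bot-bash's own code). The loader below is a
# constructed stand-in for turning a JSON.sh-style update line into a shell
# assignment and loading it with eval, which is where '$' in message text
# gets expanded; the update line itself is constructed sample data.

# Constructed sample: JSON.sh output is 'key<TAB>"value"'. The value is the
# test message from the issue, with '$$' written literally.
SAMPLE_UPDATE="$(printf '["result",0,"message","text"]\t"/echo $$"')"

# The fix from the issue, UPDATE="${UPDATE//$/\\$}", prefixes every '$' with
# a backslash. The sed form here does the same and also runs under POSIX sh.
escape_update() {
	printf '%s' "$1" | sed 's/\$/\\$/g'
}

# Unpatched behaviour: the quoted value lands in a double-quoted assignment
# that is eval'ed, so '$$' and any other $-expansion run in the bot's shell.
load_text() {
	value="$(printf '%s\n' "$1" | cut -f 2)"   # '"/echo $$"' including quotes
	eval "MSG_TEXT=$value"                       # the unsafe expansion step
	printf '%s' "$MSG_TEXT"
}

# The check from the issue: if the echoed text comes back unchanged the bot
# is fine; digits in place of '$$' mean the PID was substituted.
check_echo() {
	case "$1" in
		'/echo $$') echo OK ;;
		*)          echo VULNERABLE ;;
	esac
}

# Same update, without and with the one-line fix applied before loading.
unpatched="$(load_text "$SAMPLE_UPDATE")"
patched="$(load_text "$(escape_update "$SAMPLE_UPDATE")")"
printf 'unpatched: %-20s -> %s\n' "$unpatched" "$(check_echo "$unpatched")"
printf 'patched:   %-20s -> %s\n' "$patched"   "$(check_echo "$patched")"
```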

@gnadelwartz gnadelwartz pinned this issue May 22, 2020
@gnadelwartz

Notify: @topkecleon @danogentili

@JuanPotato @BigNerd95 @TiagoDanin @iicc1

@massive91 @Azat868 @alohawolf @devilmind81 @jrettsch @amontigita @x23piracy @RanjidTatu @momohammadi @mr-butch @NeverBehave @adamramadhan

@gnadelwartz

Please check if your fork of telegram-bot-bash is also vulnerable ...

Notify all forks:

auino added a commit to auino/telegram-publications-downloader that referenced this issue May 22, 2020
@gnadelwartz

hopefully everyone mentioned fixed the bug ...

@gnadelwartz

Also fixed in V1.41 for the new v1.40 webhook feature.
