09:05 |
awt |
http://logs.bitdash.io/pest/2022-10-05#1013925 << afaict this hypothesis was incorrect. % commands are only processed from the operator. |
09:05 |
bitbot |
Logged on 2022-10-05 16:25:36 asciilifeform[5]: looking in awt's client.py, saw 'notice_and_privmsg_handler()', where in fact looks for pest cmds in... privmsg's from ~both~ directions?! wai?!~! |
09:07 |
awt |
My current understanding is that the bug jonsykkel successfully exploited was that blatta doesn't escape incoming messages for irc commands. |
09:08 |
jonsykkel |
yes iirc %commands didnt have an effect |
09:11 |
awt |
jonsykkel: how do you escape incoming messages? |
09:11 |
jonsykkel |
was rather irc commands ie \r\n:part #pest someone |
09:12 |
jonsykkel |
awt: i just reject if contains \r or \n |
09:13 |
jonsykkel |
cant remember if spec says anything re this |
09:14 |
awt |
jonsykkel: yes I don't recall if multiline messages are allowed. |
~ 1 hours 23 minutes ~ |
10:37 |
phf |
http://logs.nosuchlabs.com/log/pest/2022-12-27#1019516 << not sure which bug jonsykkel exploited, but the bug that you quoted, and asciilifeform made a hypothesis about was later exploited by me, and i also provide an explanation |
10:37 |
dulapbot |
Logged on 2022-12-27 09:06:11 awt[asciilifeform]: My current understanding is that the bug jonsykkel successfully exploited was that blatta doesn't escape incoming messages for irc commands. |
10:39 |
phf |
actually maybe i didn't explain it, the bug is that pest allows newlines in messages, but irc protocol doesn't. so if you simply passthrough a message with newline, everything after newline becomes part of stream from pest to irc client |
10:40 |
phf |
i think the correct solution is to split a pest message by newlines, and send each line as a separate privmsg to client |
10:42 |
awt |
phf: hm yes that makes sense. |
10:45 |
awt |
http://logs.bitdash.io/pest/2022-12-27#1019456 << asciilifeform's report was that blatta was looking for *pest* commands in incoming messages, which is not the case. |
10:45 |
bitbot |
Logged on 2022-12-27 10:37:33 phf[awt]: http://logs.nosuchlabs.com/log/pest/2022-12-27#1019516 << not sure which bug jonsykkel exploited, but the bug that you quoted, and asciilifeform made a hypothesis about was later exploited by me, and i also provide an explanation |
10:45 |
dulapbot |
Logged on 2022-12-27 09:06:11 awt[asciilifeform]: My current understanding is that the bug jonsykkel successfully exploited was that blatta doesn't escape incoming messages for irc commands. |
10:47 |
phf |
his report was an invalid interpretation of the same original bug log we both looked at, and at least as far as that log is concerned, his interpretation was invalid |
10:49 |
phf |
http://logs.bitdash.io/pest/2022-10-05#1013920 this particular log is the result of this http://logs.bitdash.io/pest/2022-12-27#1019458 issue only |
10:49 |
bitbot |
Logged on 2022-10-05 16:17:44 asciilifeform[6]: in otherlulz, lulzy sideffects of yest.'s blatta bugola. |
10:49 |
bitbot |
Logged on 2022-12-27 10:39:49 phf[awt]: actually maybe i didn't explain it, the bug is that pest allows newlines in messages, but irc protocol doesn't. so if you simply passthrough a message with newline, everything after newline becomes part of stream from pest to irc client |
10:51 |
awt |
Ah yes ok - missed that paste. |
10:55 |
shinohai |
$vwap |
11:10 |
busybot |
The 24-Hour VWAP for BTC is $ 16760.35 USD |
11:11 |
phf |
ah jonsykkel's exploitation is the same one http://logs.bitdash.io/pest/2022-10-05#1013992 |
11:11 |
bitbot |
Logged on 2022-10-05 19:38:06 phf[awt]: fyi http://glyf.org/screenshots/pest-multiline.png |
11:19 |
jonsykkel |
indeed |
~ 1 hours 48 minutes ~ |
13:07 |
asciilifeform |
http://logs.bitdash.io/pest/2022-12-27#1019461 << possibly asciilifeform is thick, but from notice_and_privmsg_handler() still appears that 'if message[0] == "%"' kicks in regardless of what direction message is going (irc->pestron or reverse) ? |
13:07 |
bitbot |
Logged on 2022-12-27 10:45:30 awt: http://logs.bitdash.io/pest/2022-12-27#1019456 << asciilifeform's report was that blatta was looking for *pest* commands in incoming messages, which is not the case. |
13:08 |
asciilifeform |
still needs the newline thing to set it off, cuz otherwise the '%'-prefixed incoming msg doesn't match any useful command, afaik |
13:08 |
phf |
poc or gtfo? |
13:09 |
* |
asciilifeform looks again at phf's description of his poc |
13:10 |
* |
asciilifeform unfortunately does not atm have a phf-style hand-cranked pest packet shooter handy |
13:11 |
asciilifeform |
iirc jonsykkel tried sending msgs with '%' at pos0, asciilifeform saw invalid cmd barf in local log then |
13:13 |
asciilifeform |
phf: if you've the cycles, can plox send out e.g. '%at' ? |
13:13 |
jonsykkel |
%peer hitler |
13:13 |
phf |
i'm not playing this game again, your interpretation is incorrect |
13:14 |
asciilifeform |
awt: what am i missing re the pasted py routine ? from jonsykkel above, clear that it doesn't behave as asciilifeform supposed, but not obv wai |
13:16 |
jonsykkel |
123 |
13:16 |
asciilifeform |
%peer stalin |
13:16 |
asciilifeform |
phf: yer quite evidently right that it was 'red herring', but would like to know why |
13:16 |
asciilifeform |
lol jonsykkel what didja do there ? |
13:16 |
asciilifeform |
13:15:02 asciilifeform | %peer stalin |
13:16 |
jonsykkel |
asciilifeform: \r\n trick |
13:16 |
asciilifeform |
aaa |
13:17 |
asciilifeform |
as phf described |
13:17 |
asciilifeform |
but '%' trick dun work, even tho seems that oughta from the coad. asciilifeform insufficient pythonist to see why, tho |
13:25 |
asciilifeform |
http://logs.bitdash.io/pest/2022-12-27#1019459 << imho oughta terminate at newline, rather than split (maintain 1:1 pest msg to irc msg) but possibly not matters if the irc frontend is 1foot in grave already |
13:25 |
bitbot |
Logged on 2022-12-27 10:40:15 phf[awt]: i think the correct solution is to split a pest message by newlines, and send each line as a separate privmsg to client |
13:38 |
phf |
that means that entirely valid multiline pest messages will result in information loss on irc clients |
13:38 |
phf |
http://logs.nosuchlabs.com/log/pest/2022-12-27#1019560 << but that's nothing to do with python. the only place where irc pest ought to be parsing privmsg's in general is when receiving from irc client of the station operator, so it makes sense for there to be only one handler, hardcoded for message[0]=='%' etc |
13:38 |
asciilifeform |
phf: tru |
13:38 |
dulapbot |
Logged on 2022-12-27 13:16:32 asciilifeform: but '%' trick dun work, even tho seems that oughta from the coad. asciilifeform insufficient pythonist to see why, tho |
13:39 |
* |
asciilifeform not much cares in either direction; irc frontend 'delenda est' imho |
13:39 |
asciilifeform |
either is over9000x better than the old behaviour tho |
13:40 |
phf |
i have an ugly hack in my pest, which makes messages-> |
13:41 |
phf |
bump |
13:41 |
phf |
whoops, i used wrong broadcast function.. |
13:42 |
phf |
i have an ugly hack in my pest, which makes messages-> |
13:42 |
phf |
like this into multiple pest messages. i'd like to remove it and send-> |
13:42 |
phf |
proper multiline messages instead :> |
13:46 |
awt |
http://logs.bitdash.io/pest/2022-12-27#1019493 << Doesn't work because incoming messages all go to the __writebuffer variable which goes directly to the client and doesn't feed into notice_and_privmsg_handler(). |
13:46 |
bitbot |
Logged on 2022-12-27 13:17:42 asciilifeform[6]: but '%' trick dun work, even tho seems that oughta from the coad. asciilifeform insufficient pythonist to see why, tho |
13:47 |
asciilifeform |
a! |