CVE-2019-19010
📋 TL;DR
This vulnerability allows remote unauthenticated attackers to execute arbitrary code via eval injection in the Math plugin of Limnoria and Supybot IRC bots. Attackers can use the calc and icalc IRC commands to disclose sensitive information or potentially gain full control of affected systems. Anyone running vulnerable versions of Limnoria (before 2019.11.09) or Supybot (through 2018-05-09) is affected.
💻 Affected Systems
- Limnoria
- Supybot
📦 What is this software?
Fedora by Fedoraproject
Limnoria by Limnoria Project
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, and botnet recruitment.
Likely Case
Information disclosure and limited code execution within the IRC bot's context, potentially escalating to full system access.
If Mitigated
No impact if the Math plugin is disabled or proper input validation is implemented.
🎯 Exploit Status
Exploitation requires sending specially crafted IRC commands to the bot. Public proof-of-concept exists in advisory links.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Limnoria: 2019.11.09 or later; Supybot: versions after 2018-05-09
Vendor Advisory: https://github.com/ProgVal/Limnoria/wiki/math-eval-vulnerability
Restart Required: Yes
Instructions:
1. Update Limnoria: pip install --upgrade limnoria
2. Update Supybot: pip install --upgrade supybot
3. Restart the IRC bot service
4. Verify the Math plugin is updated to patched version
🔧 Temporary Workarounds
Disable Math Plugin
Temporarily disable the vulnerable Math plugin to prevent exploitation
/msg botname config plugins.math.enable false
Restrict IRC Access
Limit who can send commands to the bot
Configure IRC bot to only accept commands from trusted users/channels
🧯 If You Can't Patch
- Disable the Math plugin immediately using configuration commands
- Implement network segmentation to isolate the IRC bot from sensitive systems
🔍 How to Verify
Check if Vulnerable:
Check whether the Math plugin is enabled and whether the running version is vulnerable: /msg botname version
Check Version:
python -c "import supybot; print(supybot.__version__)" or check the bot's response to the version command
Verify Fix Applied:
Confirm the Limnoria version is 2019.11.09 or later, or the Supybot version is later than 2018-05-09
📡 Detection & Monitoring
Log Indicators:
- Unusual calc/icalc commands in IRC logs
- Python eval() errors or unexpected code execution
Network Indicators:
- IRC traffic containing suspicious mathematical expressions with Python code
SIEM Query:
source="irc.logs" AND (command="calc" OR command="icalc") AND (message="*__import__*" OR message="*eval*" OR message="*exec*")
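The same indicators applied to IRC channel logs in Python, as an added example that is not part of the advisory: it scopes matching to calc/icalc invocations, so an ordinary chat line mentioning "exec" is not flagged. The log line format, the "@" command prefix and the extra dunder-name pattern are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample IRC log lines (not real captures). Assumed format:
# "[HH:MM:SS] <nick> message", with bot commands prefixed by "@".
SAMPLE_LOG = """\
[12:00:01] <alice> @calc 2 + 2 * 3
[12:00:05] <bob> @icalc 0xff - 1
[12:00:09] <mallory> @calc 1 + __import__
[12:00:12] <mallory> @calc eval
[12:00:20] <carol> hey does anyone know how to exec a script
[12:00:25] <dave> @calc sqrt(16) + e
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+<(?P<nick>[^>]+)>\s+(?P<msg>.*)$')
CMD_RE = re.compile(r'^@(?P<cmd>i?calc)\s+(?P<expr>.*)$')
# Indicators named in the advisory, plus any dunder name (assumed extension:
# legitimate arithmetic never contains one).
BAD_TOKEN_RE = re.compile(r'__import__|\beval\b|\bexec\b|__\w+__')


@dataclass
class Hit:
    ts: str
    nick: str
    cmd: str
    expr: str
    token: str


def scan_line(line: str) -> Optional[Hit]:
    """Return a Hit if the line is a calc/icalc command carrying an indicator."""
    m = LINE_RE.match(line)
    if not m:
        return None
    c = CMD_RE.match(m.group('msg'))
    if not c:
        return None  # only calc/icalc invocations reach the Math plugin
    t = BAD_TOKEN_RE.search(c.group('expr'))
    if not t:
        return None
    return Hit(m.group('ts'), m.group('nick'), c.group('cmd'), c.group('expr'), t.group(0))


def scan_log(text: str) -> List[Hit]:
    return [h for h in (scan_line(l) for l in text.splitlines()) if h]


if __name__ == '__main__':
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.ts} {h.nick} {h.cmd}: token {h.token!r} in {h.expr!r}")
```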
🔗 References
- https://github.com/ProgVal/Limnoria/commit/3848ae78de45b35c029cc333963d436b9d2f0a35
- https://github.com/ProgVal/Limnoria/wiki/math-eval-vulnerability
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/54CQM2TEXRADLE77VOMCPHL5PBHR3ZWJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5P2AGND54UIJV3WHOYO2YINIXSDGAAPO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DRNOUHFEN75QAIKT4Y3HDN3TT5LSIWN2/