Rowboat and CVE-2017-18342

Tristan Farkas
Jul 23, 2019


Rowboat, a now archived project, has been self-hosted by third parties as so-called “clones.” Even though it's old, this tool is used by the largest Discord communities and is vulnerable to CVE-2017-18342, an issue with PyYAML's yaml.load() function in versions before 5.1 that allowed arbitrary code execution when loading a YAML file. But why is this an issue with rowboat?

To understand that we need to look at how rowboat works. If you're a moderator who uses a rowboat clone and has the ability to edit the config, you have access to this:

[Image: a rowboat clone's configuration panel, with a text box that lets you input YAML.]

So rowboat publicly exposes a YAML file that we configure the bot with, which makes configuration more advanced. Let's see if we can exploit CVE-2017-18342 from this panel. To test this I set the prefix parameter to refer to the Python function os.system() and told the function to echo text to /opt/rowboat/test.md.

Here’s a simple proof of concept:

    commands:
      prefix: !!python/object/apply:os.system ["echo 'Rowboat is vulnerable to CVE 2017 18342' > /opt/rowboat/test.md"]

So did it work? Let's check:

[Image: console output of a cat command showing the text file placed at /opt/rowboat/test.md.]
Ouch.

This is bad: rowboat loads user-provided YAML using the insecure yaml.load method, which lets whoever can edit the config execute whatever they want. As soon as I found out about this issue I contacted the other rowboat clone maintainers I have some form of contact with, and the largest clones were all patched in just over an hour.

I've been told by the following clones that they have now patched this issue:

  • HepBoat
  • Aperture
  • Rawgoat
  • Jetski
  • Flygbåt
  • Speedboat
  • LMG Floatboat

(I do not approve of nor recommend any of these bots; I've only been told by their respective managers that they've patched the issue.)

Sadly a few are still yet to be patched. If you are a rowboat clone maintainer, here's the easiest way to do it:
Bump your version of pyyaml to the latest version available, which no longer uses the unsafe method to load configs and has no breaking changes with rowboat. Once that is done you should no longer be vulnerable to these issues.
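As an added example (my own code, not rowboat's or any clone's), here is how a clone can load the moderator-supplied YAML with yaml.safe_load so that a tag like the one in the proof of concept is rejected instead of executed; the config shape and the prefix length limit are assumptions.

```python
"""Hardened loader for a rowboat-style YAML config (added example, not rowboat's code).

Requires PyYAML (pip install pyyaml). yaml.load() with the old default Loader honours
!!python/object/apply and calls the named function while parsing. yaml.safe_load()
only builds plain data (str, int, bool, list, dict, ...), so any python/* tag raises
ConstructorError before anything runs.
"""
import yaml

# Constructed sample: the legitimate shape a moderator would submit.
GOOD_CONFIG = """
commands:
  prefix: "!"
  enabled: true
"""

# Constructed sample: same tag form as the PoC, but with an inert call (os.getcwd)
# so this text is harmless even if it ever reaches an unsafe loader by mistake.
TAGGED_CONFIG = """
commands:
  prefix: !!python/object/apply:os.getcwd []
"""


def load_config(text):
    """Parse untrusted YAML into plain data only; reject unknown tags and bad shapes."""
    try:
        data = yaml.safe_load(text)
    except yaml.YAMLError as exc:  # ConstructorError for tags, parse errors, ...
        raise ValueError(f"rejected config: {exc.__class__.__name__}") from exc
    if not isinstance(data, dict):
        raise ValueError("config root must be a mapping")
    commands = data.get("commands", {})
    if not isinstance(commands, dict):
        raise ValueError("commands must be a mapping")
    prefix = commands.get("prefix", "!")
    # The field the PoC abused: insist on a short plain string, never an object.
    if not isinstance(prefix, str) or not 0 < len(prefix) <= 8:
        raise ValueError("commands.prefix must be a 1-8 character string")
    return {"prefix": prefix, "enabled": bool(commands.get("enabled", True))}


def is_accepted(text):
    """True if load_config accepts the text, False if it rejects it."""
    try:
        load_config(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(load_config(GOOD_CONFIG))
    print("tagged config accepted:", is_accepted(TAGGED_CONFIG))
```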

If you liked this article feel free to 👏 it.
Also make sure to follow me on Twitter for more updates on this and other issues: https://twitter.com/TristanAtFarkas

Thanks for reading!

