.A remote attacker could entice an Eggdrop user to connect the bot to a malicious server, possibly resulting in the execution of arbitrary code on the host running Eggdrop.
This is the new home of the egghelp.org community forum.
All data has been migrated (including user logins/passwords) to a new phpBB version.
For more information, see this announcement post. Click the X in the top right-corner of this box to dismiss this message.
All data has been migrated (including user logins/passwords) to a new phpBB version.
For more information, see this announcement post. Click the X in the top right-corner of this box to dismiss this message.
Possible expliot in eggdrop's server module?
Possible expliot in eggdrop's server module?
I came across this a few minuets ago http://forums.gentoo.org/viewtopic-t-582983.html Here's a quote from the post
It is a known issue, and have been reported to eggheads since long.
I believe there are several different patches for it aswell.
http://bugzilla.eggheads.org/show_bug.cgi?id=462
I believe there are several different patches for it aswell.
http://bugzilla.eggheads.org/show_bug.cgi?id=462
NML_375
That would be gentoo's patched package... the eggdrop you would download from eggheads is indeed flawed with this bug.
The impact of this bug might be argued, as it would require an attacker to manipulate an user to use a malicious server. Still it's fully exploitable under those conditions. I assume the patch is saved for a future release of 1.6.19, although I don't know if it has been added to the cvs-repository..
The impact of this bug might be argued, as it would require an attacker to manipulate an user to use a malicious server. Still it's fully exploitable under those conditions. I assume the patch is saved for a future release of 1.6.19, although I don't know if it has been added to the cvs-repository..
NML_375
Thanks, I haven't checked if this is in the cvs version of eggdrop, as thats the only version i tend to be using these days. 
sorry, didn't check the bugzilla, thou i had thought that this bug might of been reported already so i thought i would like to know a bit more about the seriousness of the expliot. thought i've seen alot of projects these days that have problems with expliots in there code. Like anope irc services having alot of problems with there mysql, in my opinion that really caused them alot of bother. After thinking this through and the means which it takes to expliot eggdrop this way. I would assume that it would probably not happen unless you went to alot of trouble to make it happen. What do you guys think?
ThanksSo there's nothing to be afraid of if you use the most recent version of Eggdrop (currently 1.6.18).
It is a known issue, and have been reported to eggheads since long.
I believe there are several different patches for it aswell.
sorry, didn't check the bugzilla, thou i had thought that this bug might of been reported already so i thought i would like to know a bit more about the seriousness of the expliot. Yes, i agree. And can see the point, thou i could still say that possibity is deffonatly still out there as there have been troubles with dns fowards to an differant server from some network address.The impact of this bug might be argued, as it would require an attacker to manipulate an user to use a malicious server. Still it's fully exploitable under those conditions.
Hope soI assume the patch is saved for a future release of 1.6.19, although I don't know if it has been added to the cvs-repository..
thought i've seen alot of projects these days that have problems with expliots in there code. Like anope irc services having alot of problems with there mysql, in my opinion that really caused them alot of bother. After thinking this through and the means which it takes to expliot eggdrop this way. I would assume that it would probably not happen unless you went to alot of trouble to make it happen. What do you guys think?My opinion, is that it should be tended to as soon as possible. Serious or not, it should be sorted out to no blacken eggdrop's name any further..
However, as I've been made to understand, eggheads devteam really could use some new coders with time/inspiration to work with the code.
Many projects like eggdrop depend on new coders, as people tend to less time to spend as years pass.
edit:
I've just been digging through the commitlogs of the cvs-repository, and have not seen any traces of this being patched sofar.. Only update in 2007 regarding 1.6 seems to be changing the Copyright date to 2007
However, as I've been made to understand, eggheads devteam really could use some new coders with time/inspiration to work with the code.
Many projects like eggdrop depend on new coders, as people tend to less time to spend as years pass.
edit:
I've just been digging through the commitlogs of the cvs-repository, and have not seen any traces of this being patched sofar.. Only update in 2007 regarding 1.6 seems to be changing the Copyright date to 2007
NML_375
Yes, well saidMy opinion, is that it should be tended to as soon as possible. Serious or not, it should be sorted out to no blacken eggdrop's name any further..
I've tryed the patch from the bugzilla url you posted, ty for that btw. I used it patch the latest cvs version of eggdrop1.6I've just been digging through the commitlogs of the cvs-repository, and have not seen any traces of this being patched sofar.. Only update in 2007 regarding 1.6 seems to be changing the Copyright date to 2007
so works great~/eggdrop1.6 $ patch -p0 < 01_CVE-2007-2807_servmsg.patch
patching file src/mod/server.mod/servmsg.c
~/eggdrop1.6 $
I'm not good at this myself but i would love to helpHowever, as I've been made to understand, eggheads devteam really could use some new coders with time/inspiration to work with the code.
Many projects like eggdrop depend on new coders, as people tend to less time to spend as years pass.
I never really knew there was still a need for coders since there was so much dev going on with the eggdrop1.9 branch 
sorry :/ Thanks for your input nml375 
tis really apreshiated.
Well nml375 you stand out as a good candidate for the eggheads devteam, given the time.nml375 wrote: However, as I've been made to understand, eggheads devteam really could use some new coders with time/inspiration to work with the code.
Many projects like eggdrop depend on new coders, as people tend to less time to spend as years pass.
·awyeah·
==================================
Facebook: jawad@idsia.ch (Jay Dee)
PS: Guys, I don't accept script helps or requests personally anymore.
==================================
==================================
Facebook: jawad@idsia.ch (Jay Dee)
PS: Guys, I don't accept script helps or requests personally anymore.
==================================
I must also say the same for myself, studies, work, family, friends and other chores keep my agenda full daily almost on weekdays and on weekends. As apart for the devteam, I don't think am really that capable also.
But I do hope in the future there still will be progress on the eggdrop project and newer versions would come out, eventhough its like a still project since the devteam doesnt have enough people and they are also busy with their lives and don't have time for their aside hobbies; eggdrop development.
But I do hope in the future there still will be progress on the eggdrop project and newer versions would come out, eventhough its like a still project since the devteam doesnt have enough people and they are also busy with their lives and don't have time for their aside hobbies; eggdrop development.
·awyeah·
==================================
Facebook: jawad@idsia.ch (Jay Dee)
PS: Guys, I don't accept script helps or requests personally anymore.
==================================
==================================
Facebook: jawad@idsia.ch (Jay Dee)
PS: Guys, I don't accept script helps or requests personally anymore.
==================================
Question 1:
Only an malicious server could use that bug to execute code on remote?
Question 2:
Is there a version without that bug yet? Or can you advice some bundle like eggdrop version x + patch?
Only an malicious server could use that bug to execute code on remote?
Question 2:
Is there a version without that bug yet? Or can you advice some bundle like eggdrop version x + patch?
socketapi | Code less, create more.
1:
To my best knowledge, only malicious servers would permit the sending of such large messages, but with the huge flora of modified ircd-software out there these days, I cannot give a 100% guarantee that non-malicious servers cannot be used to relay messages exploiting this bug.
2:
1.6.18 + the patch included in the bugzilla link posted earlier
To my best knowledge, only malicious servers would permit the sending of such large messages, but with the huge flora of modified ircd-software out there these days, I cannot give a 100% guarantee that non-malicious servers cannot be used to relay messages exploiting this bug.
2:
1.6.18 + the patch included in the bugzilla link posted earlier
NML_375
- LordSephiroth
- Voice
- Posts: 4
- Joined: Thu Sep 20, 2007 1:46 pm
- Location: McLean, VA
Since I was the one that found this, I'll comment on it and explain it. My intentions of reporting it weren't exactly what came of it, which I will explain it a moment.
First, the vulnerability MUST be exploited from a malicious server. The advisories listed are somewhat-correct, but mostly incorrect. The message itself doesn't have to be overly long, but the nick/user/hostname does. It uses an unchecked strcpy() to copy the data into a small stack variable, obviously resulting in a stack overflow. So, like I said in the Bugzilla posting, you could open a netcat listener, connect the bot to it and send this string:
:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAABBBB PRIVMSG Lamestbot :test
That (should) overwrite the instruction pointer with 0x42424242 (BBBB), which would allow an attacker to execute arbitrary code. The large number of A's is where the nick!user@host would normally be.
My intention with reporting this was for the devs to see the many variants of this vulnerability in the eggdrop code. I didn't bother recording or reporting them all, but I spent about 30 minutes flipping through the code and ran across several others that could be exploited in a similar fashion. I've been meaning to go back through them all and release a patch, but I just haven't had time.
As for the seriousness, it isn't that critical because it does require some social engineering to exploit. You would have to connect your bot (or someone from the partyline would) to a malicious 'server' that would then exploit the vulnerability. Granted, there are other attacks that could be used to facilitate this attack, but they all require the bot to connect to a malicious listener at some point. I use the word server lightly, because all it has to be is a malicious listener and doesn't need to be an IRCd.
I hope that helps. I've been meaning to go through and do a full audit of the eggy code, but like I said, I just haven't had the time and it didn't seem to me like there would be much interest in doing so.
EDIT: changed some things around (1:56 PM EST, Sept. 20th 2007)
EDIT #2:
Sorry, I edit a lot :p Last one, I hope...
I have followed this bug somewhat since I released it a few months ago, IIRC NetBSD was the first to release a patch, I saw the Gentoo patch a few days ago, but I haven't seen an 'official' patch from the eggie devs.
First, the vulnerability MUST be exploited from a malicious server. The advisories listed are somewhat-correct, but mostly incorrect. The message itself doesn't have to be overly long, but the nick/user/hostname does. It uses an unchecked strcpy() to copy the data into a small stack variable, obviously resulting in a stack overflow. So, like I said in the Bugzilla posting, you could open a netcat listener, connect the bot to it and send this string:
:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAABBBB PRIVMSG Lamestbot :test
That (should) overwrite the instruction pointer with 0x42424242 (BBBB), which would allow an attacker to execute arbitrary code. The large number of A's is where the nick!user@host would normally be.
My intention with reporting this was for the devs to see the many variants of this vulnerability in the eggdrop code. I didn't bother recording or reporting them all, but I spent about 30 minutes flipping through the code and ran across several others that could be exploited in a similar fashion. I've been meaning to go back through them all and release a patch, but I just haven't had time.
As for the seriousness, it isn't that critical because it does require some social engineering to exploit. You would have to connect your bot (or someone from the partyline would) to a malicious 'server' that would then exploit the vulnerability. Granted, there are other attacks that could be used to facilitate this attack, but they all require the bot to connect to a malicious listener at some point. I use the word server lightly, because all it has to be is a malicious listener and doesn't need to be an IRCd.
I hope that helps. I've been meaning to go through and do a full audit of the eggy code, but like I said, I just haven't had the time and it didn't seem to me like there would be much interest in doing so.
EDIT: changed some things around (1:56 PM EST, Sept. 20th 2007)
EDIT #2:
Sorry, I edit a lot :p Last one, I hope...
I have followed this bug somewhat since I released it a few months ago, IIRC NetBSD was the first to release a patch, I saw the Gentoo patch a few days ago, but I haven't seen an 'official' patch from the eggie devs.
- LordSephiroth
- Voice
- Posts: 4
- Joined: Thu Sep 20, 2007 1:46 pm
- Location: McLean, VA