Possible exploit in eggdrop's server module?

TCL_no_TK
Owner
Posts: 509
Joined: Fri Aug 25, 2006 7:05 pm
Location: England, Yorkshire

Post by TCL_no_TK »

I came across this a few minutes ago: http://forums.gentoo.org/viewtopic-t-582983.html
Here's a quote from the post:
Quote: A remote attacker could entice an Eggdrop user to connect the bot to a malicious server, possibly resulting in the execution of arbitrary code on the host running Eggdrop.
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

It is a known issue, and has been reported to eggheads long ago.
I believe there are several different patches for it as well.

http://bugzilla.eggheads.org/show_bug.cgi?id=462
NML_375
Sir_Fz
Revered One
Posts: 3794
Joined: Sun Apr 27, 2003 3:10 pm
Location: Lebanon

Post by Sir_Fz »

Affected Packages

Package: net-irc/eggdrop
Vulnerable: < 1.6.18-r2
Unaffected: >= 1.6.18-r2
Architectures: All supported architectures
So there's nothing to be afraid of if you use the most recent version of Eggdrop (currently 1.6.18).
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

That would be Gentoo's patched package... the eggdrop you would download from eggheads is indeed flawed with this bug.

The impact of this bug might be argued, as it would require an attacker to manipulate a user into using a malicious server. Still, it's fully exploitable under those conditions. I assume the patch is saved for a future release of 1.6.19, although I don't know if it has been added to the CVS repository..
NML_375
TCL_no_TK
Owner
Posts: 509
Joined: Fri Aug 25, 2006 7:05 pm
Location: England, Yorkshire

Post by TCL_no_TK »

Thanks, I haven't checked if this is in the CVS version of eggdrop, as that's the only version I tend to be using these days.
Sir_Fz wrote: So there's nothing to be afraid of if you use the most recent version of Eggdrop (currently 1.6.18).
Thanks :)
nml375 wrote: It is a known issue, and has been reported to eggheads long ago.
I believe there are several different patches for it as well.
:( Sorry, I didn't check the bugzilla, though I had thought that this bug might have been reported already, so I thought I would like to know a bit more about the seriousness of the exploit.
nml375 wrote: The impact of this bug might be argued, as it would require an attacker to manipulate a user into using a malicious server. Still, it's fully exploitable under those conditions.
Yes, I agree. And I can see the point, though I could still say that the possibility is definitely still out there, as there have been troubles with DNS forwards to a different server from some network address.
nml375 wrote: I assume the patch is saved for a future release of 1.6.19, although I don't know if it has been added to the CVS repository..
Hope so :) Though I've seen a lot of projects these days that have problems with exploits in their code, like Anope IRC services having a lot of problems with their MySQL; in my opinion that really caused them a lot of bother. :( After thinking this through and the means it takes to exploit eggdrop this way, I would assume that it would probably not happen unless you went to a lot of trouble to make it happen. What do you guys think?
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

My opinion is that it should be tended to as soon as possible. Serious or not, it should be sorted out so as not to blacken eggdrop's name any further..

However, as I've been made to understand, the eggheads dev team really could use some new coders with the time/inspiration to work with the code.
Many projects like eggdrop depend on new coders, as people tend to have less time to spend as the years pass.

edit:
I've just been digging through the commit logs of the CVS repository, and have not seen any traces of this being patched so far.. The only update in 2007 regarding 1.6 seems to be changing the copyright date to 2007.
NML_375
TCL_no_TK
Owner
Posts: 509
Joined: Fri Aug 25, 2006 7:05 pm
Location: England, Yorkshire

Post by TCL_no_TK »

nml375 wrote: My opinion is that it should be tended to as soon as possible. Serious or not, it should be sorted out so as not to blacken eggdrop's name any further..
Yes, well said :)
nml375 wrote: I've just been digging through the commit logs of the CVS repository, and have not seen any traces of this being patched so far.. The only update in 2007 regarding 1.6 seems to be changing the copyright date to 2007.
I've tried the patch from the bugzilla URL you posted, ty for that btw. I used it to patch the latest CVS version of eggdrop1.6:
~/eggdrop1.6 $ patch -p0 < 01_CVE-2007-2807_servmsg.patch
patching file src/mod/server.mod/servmsg.c
~/eggdrop1.6 $
so it works great 8)
nml375 wrote: However, as I've been made to understand, the eggheads dev team really could use some new coders with the time/inspiration to work with the code.
Many projects like eggdrop depend on new coders, as people tend to have less time to spend as the years pass.
I'm not good at this myself but I would love to help :) I never really knew there was still a need for coders since there was so much dev going on with the eggdrop1.9 branch :? Sorry :/ Thanks for your input nml375 :D 'tis really appreciated.
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland

Post by awyeah »

nml375 wrote: However, as I've been made to understand, the eggheads dev team really could use some new coders with the time/inspiration to work with the code.
Many projects like eggdrop depend on new coders, as people tend to have less time to spend as the years pass.
Well nml375, you stand out as a good candidate for the eggheads dev team, given the time. :P
·awyeah·

==================================
Facebook: jawad@idsia.ch (Jay Dee)
PS: Guys, I don't accept script helps or requests personally anymore.
==================================
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

If I had the time for it, I would probably try to get involved again (even though it's been several years since I was in any way involved). Unfortunately, I don't, as studies and work take more than enough time as is..
NML_375
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland

Post by awyeah »

I must also say the same for myself: studies, work, family, friends and other chores keep my agenda full daily, on weekdays and on weekends alike. As for the dev team, I don't think I am really that capable either.

But I do hope in the future there will still be progress on the eggdrop project and newer versions will come out, even though it's like a stalled project since the dev team doesn't have enough people and they are also busy with their lives and don't have time for their side hobby, eggdrop development.
·awyeah·
sKy
Op
Posts: 194
Joined: Thu Apr 14, 2005 5:58 pm
Location: Germany

Post by sKy »

Question 1:
Could only a malicious server use that bug to execute code remotely?

Question 2:
Is there a version without that bug yet? Or can you advise some bundle like eggdrop version x + patch?
socketapi | Code less, create more.
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

1:
To the best of my knowledge, only malicious servers would permit the sending of such large messages, but with the huge flora of modified ircd software out there these days, I cannot give a 100% guarantee that non-malicious servers cannot be used to relay messages exploiting this bug.

2:
1.6.18 + the patch included in the bugzilla link posted earlier
NML_375
LordSephiroth
Voice
Posts: 4
Joined: Thu Sep 20, 2007 1:46 pm
Location: McLean, VA

Post by LordSephiroth »

Since I was the one that found this, I'll comment on it and explain it. My intentions in reporting it weren't exactly what came of it, which I will explain in a moment.

First, the vulnerability MUST be exploited from a malicious server. The advisories listed are somewhat-correct, but mostly incorrect. The message itself doesn't have to be overly long, but the nick/user/hostname does. It uses an unchecked strcpy() to copy the data into a small stack variable, obviously resulting in a stack overflow. So, like I said in the Bugzilla posting, you could open a netcat listener, connect the bot to it and send this string:

:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAABBBB PRIVMSG Lamestbot :test

That (should) overwrite the instruction pointer with 0x42424242 (BBBB), which would allow an attacker to execute arbitrary code. The large number of A's is where the nick!user@host would normally be.

My intention with reporting this was for the devs to see the many variants of this vulnerability in the eggdrop code. I didn't bother recording or reporting them all, but I spent about 30 minutes flipping through the code and ran across several others that could be exploited in a similar fashion. I've been meaning to go back through them all and release a patch, but I just haven't had time.

As for the seriousness, it isn't that critical because it does require some social engineering to exploit. You would have to connect your bot (or someone from the partyline would) to a malicious 'server' that would then exploit the vulnerability. Granted, there are other attacks that could be used to facilitate this attack, but they all require the bot to connect to a malicious listener at some point. I use the word server lightly, because all it has to be is a malicious listener and doesn't need to be an IRCd.

I hope that helps. I've been meaning to go through and do a full audit of the eggy code, but like I said, I just haven't had the time and it didn't seem to me like there would be much interest in doing so.

EDIT: changed some things around (1:56 PM EST, Sept. 20th 2007)
EDIT #2:

Sorry, I edit a lot :p Last one, I hope...

I have followed this bug somewhat since I released it a few months ago, IIRC NetBSD was the first to release a patch, I saw the Gentoo patch a few days ago, but I haven't seen an 'official' patch from the eggie devs.
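The overflow described in the post above, as an added example that is not Eggdrop's servmsg.c and not code from anyone in this thread: the unchecked strcpy() shape beside a bounded prefix parser that refuses an oversized nick!user@host instead of copying it into a fixed stack buffer. The buffer sizes (NICK_MAX, HOST_MAX), the function names and the sample lines are assumptions made for illustration, and the number of 'A's in the rebuilt test message is constructed, not copied exactly from the post.

```c
/*
 * Added example, not Eggdrop's servmsg.c: the unchecked-strcpy() pattern the
 * post describes, beside a bounded prefix parser that rejects the oversized
 * nick!user@host. Buffer sizes, names and the sample lines are assumptions
 * made for illustration.
 */
#include <stdio.h>
#include <string.h>

#define IRC_LINE_MAX 512   /* RFC 1459 limit on one server line, CRLF included */
#define NICK_MAX     32    /* assumed size of the "small stack variable" */
#define HOST_MAX     64    /* assumed */

/* Vulnerable shape (for contrast only, never called below): the whole prefix
 * is strcpy()'d into a fixed stack buffer, so a prefix longer than NICK_MAX
 * runs past it and into the saved return address, which is what the trailing
 * "BBBB" in the test string is meant to land on. */
void handle_prefix_unchecked(const char *prefix)
{
    char nick[NICK_MAX];
    char *bang;

    strcpy(nick, prefix);            /* no length check: stack overflow */
    bang = strchr(nick, '!');
    if (bang)
        *bang = '\0';
    printf("message from %s\n", nick);
}

/* Copy exactly n bytes of src into dst, refusing anything that does not fit
 * together with its terminating NUL. Returns 0 on success, -1 if n >= dst_sz. */
static int copy_bounded(char *dst, size_t dst_sz, const char *src, size_t n)
{
    if (n >= dst_sz)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Hardened: split ":nick!user@host ..." into its parts with explicit length
 * checks. Returns 0 on success, -1 if the line has no usable prefix, -2 if it
 * exceeds the protocol line limit, -3 if any component is too long for its
 * buffer. The caller should drop the line (or the server) on any error. */
int parse_prefix(const char *line,
                 char *nick, size_t nick_sz,
                 char *user, size_t user_sz,
                 char *host, size_t host_sz)
{
    const char *p, *sp, *bang, *at;

    if (strlen(line) > IRC_LINE_MAX)
        return -2;
    if (line[0] != ':')
        return -1;
    p = line + 1;
    sp = strchr(p, ' ');
    if (!sp || sp == p)
        return -1;

    bang = memchr(p, '!', (size_t)(sp - p));
    at = bang ? memchr(bang, '@', (size_t)(sp - bang)) : NULL;

    user[0] = host[0] = '\0';
    if (!bang)                               /* server name only: ":irc.example.net" */
        return copy_bounded(nick, nick_sz, p, (size_t)(sp - p)) ? -3 : 0;
    if (!at)
        return -1;                           /* "nick!user" without "@host" */

    if (copy_bounded(nick, nick_sz, p, (size_t)(bang - p)) ||
        copy_bounded(user, user_sz, bang + 1, (size_t)(at - bang - 1)) ||
        copy_bounded(host, host_sz, at + 1, (size_t)(sp - at - 1)))
        return -3;
    return 0;
}

/* Helper for checks: parse and return the nick length, or the parser's error. */
int nick_len_of(const char *line)
{
    char nick[NICK_MAX], user[NICK_MAX], host[HOST_MAX];
    int rc = parse_prefix(line, nick, sizeof nick, user, sizeof user,
                          host, sizeof host);
    return rc ? rc : (int)strlen(nick);
}

/* Rebuild the thread's test message: a prefix of a few hundred 'A's ending in
 * "BBBB", then a normal PRIVMSG. The count is constructed, not copied exactly. */
int overlong_prefix_result(void)
{
    enum { N_AS = 365 };
    char line[IRC_LINE_MAX + 1];

    line[0] = ':';
    memset(line + 1, 'A', N_AS);
    strcpy(line + 1 + N_AS, "BBBB PRIVMSG Lamestbot :test");
    return nick_len_of(line);
}

int main(void)
{
    printf("normal line -> nick length %d\n",
           nick_len_of(":Lamestbot!eggdrop@bot.example.net PRIVMSG #chan :hi"));
    printf("overlong prefix -> %d (rejected before any copy)\n",
           overlong_prefix_result());
    return 0;
}
```

Note that the rebuilt message is still well under the 512-byte line limit, so a line-length check alone would not stop it; what rejects it (return code -3) is the bounded copy of the individual prefix component, which is the check the unchecked strcpy() lacks.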
slennox
Owner
Posts: 593
Joined: Sat Sep 22, 2001 8:00 pm

Post by slennox »

Got my first concerned e-mail about this issue with the exploit having appeared on Packet Storm. It's probably time to post the patch on the main egghelp.org site in the absence of any movement on eggdev. Has anyone other than TCL_no_TK tried the patch and also found it works fine?
LordSephiroth
Voice
Posts: 4
Joined: Thu Sep 20, 2007 1:46 pm
Location: McLean, VA

Post by LordSephiroth »

His patch also addresses 3 other similar issues