Exploiting eggdrops through CTCP PING

[awyeah]

I've got a friend on a channel on DALnet, he told me this today, just wondering if this is really possible:

<tux> If you've got a channel kick script, you might add #hackers_group to it, and the ident *!Scorpioon@* to banlists.. lamers in there going around trying to exploit eggdrops.

CTCP sent to his bot and CTCR reply returned:

(Eggbot) [03:04] CTCP PING: 1111305817 from TezDhaar (Scorpioon@BaCk.To.DarkneS.Us)
(Eggbot) [03:04] CTCP reply PING: [set notc "TCL";channel add #hackers_group;savechan;adduser TezDhaar TezDhaar*!*@*;chattr TezDhaar "fhjlmnoptxQZ";channel add #hackers_group;savechan;adduser TezDhaar TezDhaar*!*@*;chattr TezDhaar "fhjlmnoptxQZ";channel add #hackers_group;savechan] from TezDhaar (Scorpioon@BaCk.To.DarkneS.Us) to Eggbot

[nml375]

IF you've got a very poorly written "ctcp ping reply" script loaded, sure this might work.
However, plain vanilla eggdrops does not have any bindings to ctcr, and the only "raw" processing of ctcp-replys are in the irc- and server-module, which only identifies a notice to be a ctcp-reply and just logs the whole message.

How to identify a poor script? Here's an example:

Code: Select all

die "Do NOT run this script!!!"
proc do_ping {hand idx text} {
  puthelp "PRIVMSG $text :\001PING [unixtime]\001"
}
proc got_ping_reply {nick host hand target what time} {
  putlog "Ping reply from $nick: [expr [unixtime] - $time] seconds."
}
bind dcc - buggedping do_ping
bind ctcr - PING got_ping_reply

So what's so terribly wrong with this?
Well, this script trusts that the ping reply is "proper", that is, it returns the same timestamp that I first sent to the other client. However, a client may put whatever they wish as "timestamp", including an arbitrary string that may include nasty stuffs. But being unthoughtful, this script trusts it to be a simple integer that I can subtract from current time (now - timestamp), so I pass it unchecked to "expr". "expr" however will evaluate anything inbetween [] as tcl-code to be interpreted, and voila, the exploit you posted would work as a charm.

Lesson learned? NEVER EVER use expr with unchecked input from any untrusted source.

edit:
If you are worried wether your system is vulnerable to this, use this little script to check:

Code: Select all

proc check_ping_vulnerability {handle idx text} {
  puthelp "NOTICE $::botnick :\001PING \[putlog \"Your bot suffers from a ctcp-pingreply remote exploit. Please check your loaded scripts.\"\]\001"
}
bind dcc n testping check_ping_vulnerability

Note, the following logentry would be recieved on safe bots aswell:

[14:58] CTCP reply PING: [putlog "Your bot suffers from a ctcp-pingreply remote exploit. Please check your loaded scripts."] from botnick (ident@host) to botnick

However, you are in trouble if you find this in your logs as a single logentry:

Your bot suffers from a ctcp-pingreply remote exploit. Please check your loaded scripts.

[ap]

thanks nml375,
So how would we test this? /ctcp nick ping or /ping nick

thanks

[rosc2112]

bind dcc n testping check_ping_vulnerability

So, in the dcc connection to your bot, testping

[ap]

ops, thank you

[Sir_Fz]

(Eggbot) [03:04] CTCP PING: 1111305817 from TezDhaar (Scorpioon@BaCk.To.DarkneS.Us)
(Eggbot) [03:04] CTCP reply PING: [set notc "TCL";channel add #hackers_group;savechan;adduser TezDhaar TezDhaar*!*@*;chattr TezDhaar "fhjlmnoptxQZ";channel add #hackers_group;savechan;adduser TezDhaar TezDhaar*!*@*;chattr TezDhaar "fhjlmnoptxQZ";channel add #hackers_group;savechan] from TezDhaar (Scorpioon@BaCk.To.DarkneS.Us) to Eggbot

Now that's just lame, he adds his handle and channel three times lol maybe to be sure? or just a "good" luck thingie

You could've simply checked if that handle and channel have been added to your bot after it received this CTCP reply and told us whether it's effecting your bot or not

I'd go with nml375's advice on this (great example). Check out "Script security" from the FAQ forum.

[ZEXEL]

(Eggbot) [03:04] CTCP PING: 1111305817 from TezDhaar (Scorpioon@BaCk.To.DarkneS.Us)
(Eggbot) [03:04] CTCP reply PING: [set notc "TCL";channel add #hackers_group;savechan;adduser TezDhaar TezDhaar*!*@*;chattr TezDhaar "fhjlmnoptxQZ";channel add #hackers_group;savechan;adduser TezDhaar TezDhaar*!*@*;chattr TezDhaar "fhjlmnoptxQZ";channel add #hackers_group;savechan] from TezDhaar (Scorpioon@BaCk.To.DarkneS.Us) to Eggbot

That's request CTCP PING exploit would be work with NETGATE tcl version 9.x before and the all of the variants, please disable any CTCP PING request if you use that tcl! It can be effect of taking over fully the bot from your hand!

Please, becareful and disable any trigger CTCP PING request inside NETGATE tcl.
Thank you...

[nml375]

Never heard of that script before, but bothered to search and dl 9.1..
And to be honest, any script that puts such efforts in making it hard to read/search for keywords/etc really makes me really wonder how many nasties are hidden in there.
Besides, I really don't see any other point in all that "encryption" (other than hiding trojans, etc), as most of it would be decrypted once loaded. Run it in a sandbox and you'd have most of it decoded.
Nice alert tho, Zexel.

[user]

don't use netgate.tcl - http://forum.egghelp.org/viewtopic.php?t=6708#43430

[nml375]

Guess my gut-feeling was right then..
Reading that thread, ctcp-backdoor is the least of your problems with that script...

[Alchera]

don't use netgate.tcl - http://forum.egghelp.org/viewtopic.php?t=6708#43430

After all the posts here (and the fact I alerted all the founders of the appropriate channels on DALnet) I am amazed that people still get hold of it.