
Possible expliot in eggdrop's server module?

Posted: Sat Sep 15, 2007 12:38 pm
by TCL_no_TK
I came across this a few minutes ago: http://forums.gentoo.org/viewtopic-t-582983.html. Here's a quote from the post:
A remote attacker could entice an Eggdrop user to connect the bot to a malicious server, possibly resulting in the execution of arbitrary code on the host running Eggdrop.

Posted: Sat Sep 15, 2007 3:39 pm
by nml375
It is a known issue, and has been reported to eggheads a long time ago.
I believe there are several different patches for it as well.

http://bugzilla.eggheads.org/show_bug.cgi?id=462

Posted: Sat Sep 15, 2007 4:40 pm
by Sir_Fz
Affected Packages

Package: net-irc/eggdrop
Vulnerable: < 1.6.18-r2
Unaffected: >= 1.6.18-r2
Architectures: All supported architectures
So there's nothing to be afraid of if you use the most recent version of Eggdrop (currently 1.6.18).

Posted: Sat Sep 15, 2007 7:01 pm
by nml375
That would be Gentoo's patched package... the eggdrop you would download from eggheads is indeed flawed with this bug.

The impact of this bug might be argued, as it would require an attacker to manipulate a user into using a malicious server. Still, it's fully exploitable under those conditions. I assume the patch is saved for a future release of 1.6.19, although I don't know if it has been added to the cvs-repository..

Posted: Sun Sep 16, 2007 3:45 pm
by TCL_no_TK
Thanks, I haven't checked if this is in the CVS version of eggdrop, as that's the only version I tend to be using these days.
Sir_Fz wrote: So there's nothing to be afraid of if you use the most recent version of Eggdrop (currently 1.6.18).
Thanks :)
nml375 wrote: It is a known issue, and has been reported to eggheads a long time ago.
I believe there are several different patches for it as well.
:( Sorry, I didn't check the bugzilla, though I had thought that this bug might have been reported already, so I thought I would like to know a bit more about the seriousness of the exploit.
nml375 wrote: The impact of this bug might be argued, as it would require an attacker to manipulate a user into using a malicious server. Still, it's fully exploitable under those conditions.
Yes, I agree. And I can see the point, though I could still say that the possibility is definitely still out there, as there have been troubles with DNS forwards to a different server from some network addresses.
nml375 wrote: I assume the patch is saved for a future release of 1.6.19, although I don't know if it has been added to the cvs-repository..
Hope so :) though I've seen a lot of projects these days that have problems with exploits in their code. Like Anope IRC services having a lot of problems with their MySQL; in my opinion that really caused them a lot of bother. :( After thinking this through and the means it takes to exploit eggdrop this way, I would assume that it would probably not happen unless you went to a lot of trouble to make it happen. What do you guys think?

Posted: Sun Sep 16, 2007 4:13 pm
by nml375
My opinion is that it should be tended to as soon as possible. Serious or not, it should be sorted out so as not to blacken eggdrop's name any further..

However, as I've been made to understand, the eggheads devteam really could use some new coders with time/inspiration to work with the code.
Many projects like eggdrop depend on new coders, as people tend to have less time to spend as years pass.

edit:
I've just been digging through the commit logs of the cvs-repository, and have not seen any traces of this being patched so far.. The only update in 2007 regarding 1.6 seems to be changing the Copyright date to 2007.

Posted: Sun Sep 16, 2007 6:00 pm
by TCL_no_TK
nml375 wrote: My opinion is that it should be tended to as soon as possible. Serious or not, it should be sorted out so as not to blacken eggdrop's name any further..
Yes, well said :)
nml375 wrote: I've just been digging through the commit logs of the cvs-repository, and have not seen any traces of this being patched so far.. The only update in 2007 regarding 1.6 seems to be changing the Copyright date to 2007.
I've tried the patch from the bugzilla URL you posted, ty for that btw. I used it to patch the latest CVS version of eggdrop1.6:
~/eggdrop1.6 $ patch -p0 < 01_CVE-2007-2807_servmsg.patch
patching file src/mod/server.mod/servmsg.c
~/eggdrop1.6 $
So it works great 8)
nml375 wrote: However, as I've been made to understand, the eggheads devteam really could use some new coders with time/inspiration to work with the code.
Many projects like eggdrop depend on new coders, as people tend to have less time to spend as years pass.
I'm not good at this myself, but I would love to help :) I never really knew there was still a need for coders, since there was so much dev going on with the eggdrop1.9 branch :? sorry :/ Thanks for your input nml375 :D 'tis really appreciated.

Posted: Sun Sep 16, 2007 8:34 pm
by awyeah
nml375 wrote: However, as I've been made to understand, the eggheads devteam really could use some new coders with time/inspiration to work with the code.
Many projects like eggdrop depend on new coders, as people tend to have less time to spend as years pass.
Well nml375 you stand out as a good candidate for the eggheads devteam, given the time. :P

Posted: Mon Sep 17, 2007 12:19 pm
by nml375
If I had the time for it, I would probably try to get involved again (even though it's been several years since I was in any way involved). Unfortunately, I don't, as studies and work take more than enough time as is..

Posted: Mon Sep 17, 2007 12:30 pm
by awyeah
I must also say the same for myself: studies, work, family, friends and other chores keep my agenda full daily, almost on weekdays and on weekends. As for the devteam, I don't think I am really that capable either.

But I do hope in the future there will still be progress on the eggdrop project and newer versions will come out, even though it's like a still project since the devteam doesn't have enough people and they are also busy with their lives and don't have time for their side hobby: eggdrop development.

Posted: Wed Sep 19, 2007 4:40 pm
by sKy
Question 1:
Could only a malicious server use that bug to execute code remotely?

Question 2:
Is there a version without that bug yet? Or can you advise some bundle like eggdrop version x + patch?

Posted: Wed Sep 19, 2007 4:44 pm
by nml375
1:
To my best knowledge, only malicious servers would permit the sending of such large messages, but with the huge flora of modified ircd-software out there these days, I cannot give a 100% guarantee that non-malicious servers cannot be used to relay messages exploiting this bug.

2:
1.6.18 + the patch included in the bugzilla link posted earlier

Posted: Thu Sep 20, 2007 1:52 pm
by LordSephiroth
Since I was the one that found this, I'll comment on it and explain it. My intentions in reporting it weren't exactly what came of it, which I will explain in a moment.

First, the vulnerability MUST be exploited from a malicious server. The advisories listed are somewhat-correct, but mostly incorrect. The message itself doesn't have to be overly long, but the nick/user/hostname does. It uses an unchecked strcpy() to copy the data into a small stack variable, obviously resulting in a stack overflow. So, like I said in the Bugzilla posting, you could open a netcat listener, connect the bot to it and send this string:

:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAABBBB PRIVMSG Lamestbot :test

That (should) overwrite the instruction pointer with 0x42424242 (BBBB), which would allow an attacker to execute arbitrary code. The large number of A's is where the nick!user@host would normally be.

My intention with reporting this was for the devs to see the many variants of this vulnerability in the eggdrop code. I didn't bother recording or reporting them all, but I spent about 30 minutes flipping through the code and ran across several others that could be exploited in a similar fashion. I've been meaning to go back through them all and release a patch, but I just haven't had time.

As for the seriousness, it isn't that critical because it does require some social engineering to exploit. You would have to connect your bot (or someone from the partyline would) to a malicious 'server' that would then exploit the vulnerability. Granted, there are other attacks that could be used to facilitate this attack, but they all require the bot to connect to a malicious listener at some point. I use the word server lightly, because all it has to be is a malicious listener and doesn't need to be an IRCd.

I hope that helps. I've been meaning to go through and do a full audit of the eggy code, but like I said, I just haven't had the time and it didn't seem to me like there would be much interest in doing so.

EDIT: changed some things around (1:56 PM EST, Sept. 20th 2007)
EDIT #2:

Sorry, I edit a lot :p Last one, I hope...

I have followed this bug somewhat since I released it a few months ago, IIRC NetBSD was the first to release a patch, I saw the Gentoo patch a few days ago, but I haven't seen an 'official' patch from the eggie devs.
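Since the root cause LordSephiroth describes is an unchecked strcpy() of the attacker-controlled nick!user@host prefix into a small stack buffer, the following is an added illustration of the bounds check that prevents it. This is example code written for this thread, not eggdrop's servmsg.c and not the patch from the bugzilla link; PREFIX_MAX, parse_prefix and handle_server_line are assumed names, the buffer size is an assumption, and the sample lines are constructed rather than captured from a real server.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed buffer size for the prefix. The thread does not quote eggdrop's
   real sizes; what matters is that the copy below is bounded by it. */
#define PREFIX_MAX 64

enum { PREFIX_OK = 0, PREFIX_NONE = 1, PREFIX_TOO_LONG = -1 };

/* Extract the "nick!user@host" prefix (everything between a leading ':' and
   the first space) of a raw IRC server line into out[outsz].
   Returns PREFIX_OK, PREFIX_NONE if the line carries no prefix, or
   PREFIX_TOO_LONG if the prefix would not fit. On any failure out is the
   empty string, and no more than outsz bytes are ever written.
   The bug discussed in this thread is exactly the missing length comparison:
   strcpy() of an unbounded prefix into a fixed-size stack buffer. */
int parse_prefix(const char *line, char *out, size_t outsz)
{
    if (outsz == 0)
        return PREFIX_TOO_LONG;
    out[0] = '\0';
    if (line[0] != ':')
        return PREFIX_NONE;

    const char *start = line + 1;
    const char *end = strchr(start, ' ');
    size_t len = end ? (size_t)(end - start) : strlen(start);

    /* Check before copying: need room for len bytes plus the terminator. */
    if (len >= outsz)
        return PREFIX_TOO_LONG;

    memcpy(out, start, len);
    out[len] = '\0';
    return PREFIX_OK;
}

/* Mirrors how a server-message handler would use the parser with a
   PREFIX_MAX-byte stack buffer. An oversized prefix is logged and the line
   is dropped instead of being trusted. prefix_out, if non-NULL, must point
   to PREFIX_MAX bytes and receives the parsed prefix (or ""). */
int handle_server_line(const char *line, char *prefix_out)
{
    char prefix[PREFIX_MAX];
    int rc = parse_prefix(line, prefix, sizeof prefix);
    if (rc == PREFIX_TOO_LONG)
        fprintf(stderr, "dropping server line: prefix longer than %d bytes\n",
                PREFIX_MAX - 1);
    if (prefix_out)
        memcpy(prefix_out, prefix, sizeof prefix);
    return rc;
}

/* Builds a constructed sample line whose prefix is much longer than
   PREFIX_MAX (300 filler bytes followed by a normal PRIVMSG). Returns 0,
   or -1 if buf is too small to hold it. */
int build_oversized_line(char *buf, size_t bufsz)
{
    const char tail[] = " PRIVMSG Lamestbot :test";   /* 24 chars + NUL */
    if (bufsz < 300 + sizeof tail)
        return -1;
    memset(buf, 'X', 300);
    buf[0] = ':';
    memcpy(buf + 300, tail, sizeof tail);
    return 0;
}

int main(void)
{
    char prefix[PREFIX_MAX];
    char line[512];

    /* Constructed normal line: parsed and accepted. */
    int rc = handle_server_line(":nick!user@example.host PRIVMSG Lamestbot :test",
                                prefix);
    printf("normal line: rc=%d prefix=\"%s\"\n", rc, prefix);

    /* Constructed oversized prefix: rejected, buffer untouched beyond "". */
    if (build_oversized_line(line, sizeof line) == 0) {
        rc = handle_server_line(line, prefix);
        printf("oversized line: rc=%d prefix=\"%s\"\n", rc, prefix);
    }
    return 0;
}
```

The point is the single comparison before the copy: whatever the peer sends, nothing is written past the buffer, and the handler gets an explicit result it can log. Real servers send short prefixes, so rejecting anything that does not fit costs nothing legitimate; as LordSephiroth notes, eggdrop has several similar copies, so the same check belongs at each of them.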

Posted: Thu Oct 11, 2007 5:13 am
by slennox
Got my first concerned e-mail about this issue with the exploit having appeared on Packet Storm. It's probably time to post the patch on the main egghelp.org site in the absence of any movement on eggdev. Has anyone other than TCL_no_TK tried the patch and also found it works fine?

Posted: Thu Oct 11, 2007 3:38 pm
by LordSephiroth
His patch also addresses 3 other similar issues