Page 1 of 2
Possible expliot in eggdrop's server module?
Posted: Sat Sep 15, 2007 12:38 pm
by TCL_no_TK
I came across this a few minuets ago
http://forums.gentoo.org/viewtopic-t-582983.html Here's a quote from the post
A remote attacker could entice an Eggdrop user to connect the bot to a malicious server, possibly resulting in the execution of arbitrary code on the host running Eggdrop.
.
Posted: Sat Sep 15, 2007 3:39 pm
by nml375
It is a known issue, and have been reported to eggheads since long.
I believe there are several different patches for it aswell.
http://bugzilla.eggheads.org/show_bug.cgi?id=462
Posted: Sat Sep 15, 2007 4:40 pm
by Sir_Fz
Affected Packages
Package: net-irc/eggdrop
Vulnerable: < 1.6.18-r2
Unaffected: >= 1.6.18-r2
Architectures: All supported architectures
So there's nothing to be afraid of if you use the most recent version of Eggdrop (currently 1.6.18).
Posted: Sat Sep 15, 2007 7:01 pm
by nml375
That would be gentoo's patched package... the eggdrop you would download from eggheads is indeed flawed with this bug.
The impact of this bug might be argued, as it would require an attacker to manipulate an user to use a malicious server. Still it's fully exploitable under those conditions. I assume the patch is saved for a future release of 1.6.19, although I don't know if it has been added to the cvs-repository..
Posted: Sun Sep 16, 2007 3:45 pm
by TCL_no_TK
Thanks, I haven't checked if this is in the cvs version of eggdrop, as thats the only version i tend to be using these days.
So there's nothing to be afraid of if you use the most recent version of Eggdrop (currently 1.6.18).
Thanks
It is a known issue, and have been reported to eggheads since long.
I believe there are several different patches for it aswell.
sorry, didn't check the bugzilla, thou i had thought that this bug might of been reported already so i thought i would like to know a bit more about the seriousness of the expliot.
The impact of this bug might be argued, as it would require an attacker to manipulate an user to use a malicious server. Still it's fully exploitable under those conditions.
Yes, i agree. And can see the point, thou i could still say that possibity is deffonatly still out there as there have been troubles with dns fowards to an differant server from some network address.
I assume the patch is saved for a future release of 1.6.19, although I don't know if it has been added to the cvs-repository..
Hope so
thought i've seen alot of projects these days that have problems with expliots in there code. Like anope irc services having alot of problems with there mysql, in my opinion that really caused them alot of bother.
After thinking this through and the means which it takes to expliot eggdrop this way. I would assume that it would probably not happen unless you went to alot of trouble to make it happen. What do you guys think?
Posted: Sun Sep 16, 2007 4:13 pm
by nml375
My opinion, is that it should be tended to as soon as possible. Serious or not, it should be sorted out to no blacken eggdrop's name any further..
However, as I've been made to understand, eggheads devteam really could use some new coders with time/inspiration to work with the code.
Many projects like eggdrop depend on new coders, as people tend to less time to spend as years pass.
edit:
I've just been digging through the commitlogs of the cvs-repository, and have not seen any traces of this being patched sofar.. Only update in 2007 regarding 1.6 seems to be changing the Copyright date to 2007
Posted: Sun Sep 16, 2007 6:00 pm
by TCL_no_TK
My opinion, is that it should be tended to as soon as possible. Serious or not, it should be sorted out to no blacken eggdrop's name any further..
Yes, well said
I've just been digging through the commitlogs of the cvs-repository, and have not seen any traces of this being patched sofar.. Only update in 2007 regarding 1.6 seems to be changing the Copyright date to 2007
I've tryed the patch from the bugzilla url you posted, ty for that btw. I used it patch the latest cvs version of eggdrop1.6
~/eggdrop1.6 $ patch -p0 < 01_CVE-2007-2807_servmsg.patch
patching file src/mod/server.mod/servmsg.c
~/eggdrop1.6 $
so works great
However, as I've been made to understand, eggheads devteam really could use some new coders with time/inspiration to work with the code.
Many projects like eggdrop depend on new coders, as people tend to less time to spend as years pass.
I'm not good at this myself but i would love to help
I never really knew there was still a need for coders since there was so much dev going on with the eggdrop1.9 branch
sorry :/ Thanks for your input nml375
tis really apreshiated.
Posted: Sun Sep 16, 2007 8:34 pm
by awyeah
nml375 wrote:
However, as I've been made to understand, eggheads devteam really could use some new coders with time/inspiration to work with the code.
Many projects like eggdrop depend on new coders, as people tend to less time to spend as years pass.
Well nml375 you stand out as a good candidate for the eggheads devteam, given the time.
Posted: Mon Sep 17, 2007 12:19 pm
by nml375
If I'd had the time for it, I would probably try to get involved again (even tho it's been several years since I was in any way involved). Unfortunately, I don't as studies and work take more than enough time as is..
Posted: Mon Sep 17, 2007 12:30 pm
by awyeah
I must also say the same for myself, studies, work, family, friends and other chores keep my agenda full daily almost on weekdays and on weekends. As apart for the devteam, I don't think am really that capable also.
But I do hope in the future there still will be progress on the eggdrop project and newer versions would come out, eventhough its like a still project since the devteam doesnt have enough people and they are also busy with their lives and don't have time for their aside hobbies; eggdrop development.
Posted: Wed Sep 19, 2007 4:40 pm
by sKy
Question 1:
Only an malicious server could use that bug to execute code on remote?
Question 2:
Is there a version without that bug yet? Or can you advice some bundle like eggdrop version x + patch?
Posted: Wed Sep 19, 2007 4:44 pm
by nml375
1:
To my best knowledge, only malicious servers would permit the sending of such large messages, but with the huge flora of modified ircd-software out there these days, I cannot give a 100% guarantee that non-malicious servers cannot be used to relay messages exploiting this bug.
2:
1.6.18 + the patch included in the bugzilla link posted earlier
Posted: Thu Sep 20, 2007 1:52 pm
by LordSephiroth
Since I was the one that found this, I'll comment on it and explain it. My intentions of reporting it weren't exactly what came of it, which I will explain it a moment.
First, the vulnerability MUST be exploited from a malicious server. The advisories listed are somewhat-correct, but mostly incorrect. The message itself doesn't have to be overly long, but the nick/user/hostname does. It uses an unchecked strcpy() to copy the data into a small stack variable, obviously resulting in a stack overflow. So, like I said in the Bugzilla posting, you could open a netcat listener, connect the bot to it and send this string:
:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAABBBB PRIVMSG Lamestbot :test
That (should) overwrite the instruction pointer with 0x42424242 (BBBB), which would allow an attacker to execute arbitrary code. The large number of A's is where the nick!user@host would normally be.
My intention with reporting this was for the devs to see the many variants of this vulnerability in the eggdrop code. I didn't bother recording or reporting them all, but I spent about 30 minutes flipping through the code and ran across several others that could be exploited in a similar fashion. I've been meaning to go back through them all and release a patch, but I just haven't had time.
As for the seriousness, it isn't that critical because it does require some social engineering to exploit. You would have to connect your bot (or someone from the partyline would) to a malicious 'server' that would then exploit the vulnerability. Granted, there are other attacks that could be used to facilitate this attack, but they all require the bot to connect to a malicious listener at some point. I use the word server lightly, because all it has to be is a malicious listener and doesn't need to be an IRCd.
I hope that helps. I've been meaning to go through and do a full audit of the eggy code, but like I said, I just haven't had the time and it didn't seem to me like there would be much interest in doing so.
EDIT: changed some things around (1:56 PM EST, Sept. 20th 2007)
EDIT #2:
Sorry, I edit a lot :p Last one, I hope...
I have followed this bug somewhat since I released it a few months ago, IIRC NetBSD was the first to release a patch, I saw the Gentoo patch a few days ago, but I haven't seen an 'official' patch from the eggie devs.
Posted: Thu Oct 11, 2007 5:13 am
by slennox
Got my first concerned e-mail about this issue with the exploit having appeared on Packet Storm. It's probably time to post the patch on the main egghelp.org site in the absence of any movement on eggdev. Has anyone other than TCL_no_TK tried the patch and also found it works fine?
Posted: Thu Oct 11, 2007 3:38 pm
by LordSephiroth
His patch also addresses 3 other similar issues