eggdrop1.3.17 security

[paul () BOEHM ORG (Paul Boehm)]

--gBBFr7Ir9EOA20Yy
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

Hi,

i played around with eggdrop 1.3.17 and looked at it's source
searching for security flaws, and found quit a lot of them...
(most likely there are more of them...)

Summary:
=2E) i didn't find any bugs useable using irc(dcc excluded) or without any =
access.
=2E) All of these can be used as a DoS attack(bot killer) even without
   any further exploit.
=2E) Some(all?) of them can be used to execute shellcode (i think).

here's a detailed list:

bot linking overflows:
1. bot handshake
When two bots in botnet start linking each of them sends their version
number. this looks like this:

version 1031700 9 [and some silly text]

now if one of the "bots" sends: version 1031700 9 <many a's>
the bot segfaults... buffer overrun no.1

user command overflows:
2. if you do a .note <many, but not too many a's>@dummy
the bot segfault's again. the @dummy is important as
a different routine gets called if you don't supply it.
if you use too many a's your input gets wrapped and
the bot doesn't get the @dummy as part of the command
so the overflowable routine never gets called.

3. the ignore command series (.+ignore,.ignore,.-ignore)
has tons of overflows... ignore with long command
ignore with long host, unignore long host, list long ignore,
list ignore after unignoring long host, etc... which one
you trigger depends if you're connected or not and how
long the string you're using is.
play around yourself...

4. .+ban <many a's>
   .-ban <many a's>

5. a nice one... only locally exploitable *grin*
   $ export HOSTNAME=3D"your.real.host.name <many a's(>1024 at least)>"
   $ ./eggdrop config.file
     Segmentation Fault

6. .jump irc.bla.org 6667 <many a's>

filesys overflows:
permission to use mkdir command needed for these.

7. mkdir <many a's>
   works even if you don't have permissions to create dirs here.

8. mkdir aaaaaaaaaaaaa\ncd aaaaaaaaaaaaaaa\nmkdir aaaaaaaaaaaaaa\ncd aaaa...
   overflows the string containing the current pwd.
   you need permissions for directory creation.

and one found by Eduard Nigsch <edi () ganymed org>:
9. if a user has a pass that repeats, for example
"abcabc" you can use "abc" as pass to log into the bot.
so "a" could be used as pass instead of "aaaaaa"...

--- To prevent flames:
This has been sent to the eggdrop mailinglist at the same time as
to bugtraq as the eggdrop mailinglist(the only contact i found in
the readme's) is a public mailing list too.
---

bye,
    pb

--=20

[ Paul S. Boehm | paul () boehm org | http://paul.boehm.org/ | infected@irc ]

Money is what gives a programmer his resources. It's an exchange system cre=
ated
by human beings. It surrounds us. Works for us, binds the economy together.


--gBBFr7Ir9EOA20Yy
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i

iQCVAwUBNavjyqx8fjwdz5sZAQEjXAQAuKMcHhwIzGKmWPCI6b0pgjP+1fctbmA0
eE4zjbzf4Mu91Cug1GlCMHiG8g/qmOHrnNSTzhJhGUFTQ7sLrtrC+/ZYgkFIzz7h
K+P2zcQhl52rNAbeGGB68nVcxjXrXlOCZ8teSgQlekLOdV8ZfsO0VwcwHgQs7e4Z
BS6Tr5TrvKQ=
=+PHB
-----END PGP SIGNATURE-----

--gBBFr7Ir9EOA20Yy--