egghelp/eggheads community

Possible expliot in eggdrop's server module?

2007-10-15T16:53:16-04:00

Has anyone checked if 1.7.0 is affected also?

It appears to be.

Statistics: Posted by LordSephiroth — Mon Oct 15, 2007 4:53 pm

Possible expliot in eggdrop's server module?

2007-10-13T12:29:56-04:00

Has anyone checked if 1.7.0 is affected also?

Statistics: Posted by DragnLord — Sat Oct 13, 2007 12:29 pm

Possible expliot in eggdrop's server module?

2007-10-11T15:38:40-04:00

His patch also addresses 3 other similar issues

Statistics: Posted by LordSephiroth — Thu Oct 11, 2007 3:38 pm

Possible expliot in eggdrop's server module?

2007-10-11T05:13:52-04:00

Got my first concerned e-mail about this issue with the exploit having appeared on Packet Storm. It's probably time to post the patch on the main egghelp.org site in the absence of any movement on eggdev. Has anyone other than TCL_no_TK tried the patch and also found it works fine?

Statistics: Posted by slennox — Thu Oct 11, 2007 5:13 am

Possible expliot in eggdrop's server module?

2007-09-20T13:52:53-04:00

Since I was the one that found this, I'll comment on it and explain it. My intentions of reporting it weren't exactly what came of it, which I will explain it a moment.

First, the vulnerability MUST be exploited from a malicious server. The advisories listed are somewhat-correct, but mostly incorrect. The message itself doesn't have to be overly long, but the nick/user/hostname does. It uses an unchecked strcpy() to copy the data into a small stack variable, obviously resulting in a stack overflow. So, like I said in the Bugzilla posting, you could open a netcat listener, connect the bot to it and send this string:

:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAABBBB PRIVMSG Lamestbot :test

That (should) overwrite the instruction pointer with 0x42424242 (BBBB), which would allow an attacker to execute arbitrary code. The large number of A's is where the nick!user@host would normally be.

My intention with reporting this was for the devs to see the many variants of this vulnerability in the eggdrop code. I didn't bother recording or reporting them all, but I spent about 30 minutes flipping through the code and ran across several others that could be exploited in a similar fashion. I've been meaning to go back through them all and release a patch, but I just haven't had time.

As for the seriousness, it isn't that critical because it does require some social engineering to exploit. You would have to connect your bot (or someone from the partyline would) to a malicious 'server' that would then exploit the vulnerability. Granted, there are other attacks that could be used to facilitate this attack, but they all require the bot to connect to a malicious listener at some point. I use the word server lightly, because all it has to be is a malicious listener and doesn't need to be an IRCd.

I hope that helps. I've been meaning to go through and do a full audit of the eggy code, but like I said, I just haven't had the time and it didn't seem to me like there would be much interest in doing so.

EDIT: changed some things around (1:56 PM EST, Sept. 20th 2007)
EDIT #2:

Sorry, I edit a lot :p Last one, I hope...

I have followed this bug somewhat since I released it a few months ago, IIRC NetBSD was the first to release a patch, I saw the Gentoo patch a few days ago, but I haven't seen an 'official' patch from the eggie devs.

Statistics: Posted by LordSephiroth — Thu Sep 20, 2007 1:52 pm

Possible expliot in eggdrop's server module?

2007-09-19T16:44:06-04:00

1:
To my best knowledge, only malicious servers would permit the sending of such large messages, but with the huge flora of modified ircd-software out there these days, I cannot give a 100% guarantee that non-malicious servers cannot be used to relay messages exploiting this bug.

2:
1.6.18 + the patch included in the bugzilla link posted earlier

Statistics: Posted by nml375 — Wed Sep 19, 2007 4:44 pm

Possible expliot in eggdrop's server module?

2007-09-19T16:40:16-04:00

Question 1:
Only an malicious server could use that bug to execute code on remote?

Question 2:
Is there a version without that bug yet? Or can you advice some bundle like eggdrop version x + patch?

Statistics: Posted by sKy — Wed Sep 19, 2007 4:40 pm

Possible expliot in eggdrop's server module?

2007-09-17T12:30:30-04:00

I must also say the same for myself, studies, work, family, friends and other chores keep my agenda full daily almost on weekdays and on weekends. As apart for the devteam, I don't think am really that capable also.

But I do hope in the future there still will be progress on the eggdrop project and newer versions would come out, eventhough its like a still project since the devteam doesnt have enough people and they are also busy with their lives and don't have time for their aside hobbies; eggdrop development.

Statistics: Posted by awyeah — Mon Sep 17, 2007 12:30 pm

Possible expliot in eggdrop's server module?

2007-09-17T12:19:38-04:00

If I'd had the time for it, I would probably try to get involved again (even tho it's been several years since I was in any way involved). Unfortunately, I don't as studies and work take more than enough time as is..

Statistics: Posted by nml375 — Mon Sep 17, 2007 12:19 pm

Possible expliot in eggdrop's server module?

2007-09-16T20:34:48-04:00

However, as I've been made to understand, eggheads devteam really could use some new coders with time/inspiration to work with the code.
Many projects like eggdrop depend on new coders, as people tend to less time to spend as years pass.

Well nml375 you stand out as a good candidate for the eggheads devteam, given the time.

Statistics: Posted by awyeah — Sun Sep 16, 2007 8:34 pm

Possible expliot in eggdrop's server module?

2007-09-16T18:00:29-04:00

My opinion, is that it should be tended to as soon as possible. Serious or not, it should be sorted out to no blacken eggdrop's name any further..

Yes, well said

I've just been digging through the commitlogs of the cvs-repository, and have not seen any traces of this being patched sofar.. Only update in 2007 regarding 1.6 seems to be changing the Copyright date to 2007

I've tryed the patch from the bugzilla url you posted, ty for that btw. I used it patch the latest cvs version of eggdrop1.6

~/eggdrop1.6 $ patch -p0 < 01_CVE-2007-2807_servmsg.patch
patching file src/mod/server.mod/servmsg.c
~/eggdrop1.6 $

so works great

However, as I've been made to understand, eggheads devteam really could use some new coders with time/inspiration to work with the code.
Many projects like eggdrop depend on new coders, as people tend to less time to spend as years pass.

I'm not good at this myself but i would love to help I never really knew there was still a need for coders since there was so much dev going on with the eggdrop1.9 branch sorry :/ Thanks for your input nml375 tis really apreshiated.

Statistics: Posted by TCL_no_TK — Sun Sep 16, 2007 6:00 pm

Possible expliot in eggdrop's server module?

2007-09-16T16:13:01-04:00

My opinion, is that it should be tended to as soon as possible. Serious or not, it should be sorted out to no blacken eggdrop's name any further..

However, as I've been made to understand, eggheads devteam really could use some new coders with time/inspiration to work with the code.
Many projects like eggdrop depend on new coders, as people tend to less time to spend as years pass.

edit:
I've just been digging through the commitlogs of the cvs-repository, and have not seen any traces of this being patched sofar.. Only update in 2007 regarding 1.6 seems to be changing the Copyright date to 2007

Statistics: Posted by nml375 — Sun Sep 16, 2007 4:13 pm

Possible expliot in eggdrop's server module?

2007-09-16T15:45:52-04:00

Thanks, I haven't checked if this is in the cvs version of eggdrop, as thats the only version i tend to be using these days.

So there's nothing to be afraid of if you use the most recent version of Eggdrop (currently 1.6.18).

Thanks

It is a known issue, and have been reported to eggheads since long.
I believe there are several different patches for it aswell.

sorry, didn't check the bugzilla, thou i had thought that this bug might of been reported already so i thought i would like to know a bit more about the seriousness of the expliot.

The impact of this bug might be argued, as it would require an attacker to manipulate an user to use a malicious server. Still it's fully exploitable under those conditions.

Yes, i agree. And can see the point, thou i could still say that possibity is deffonatly still out there as there have been troubles with dns fowards to an differant server from some network address.

I assume the patch is saved for a future release of 1.6.19, although I don't know if it has been added to the cvs-repository..

Hope so thought i've seen alot of projects these days that have problems with expliots in there code. Like anope irc services having alot of problems with there mysql, in my opinion that really caused them alot of bother. After thinking this through and the means which it takes to expliot eggdrop this way. I would assume that it would probably not happen unless you went to alot of trouble to make it happen. What do you guys think?

Statistics: Posted by TCL_no_TK — Sun Sep 16, 2007 3:45 pm

Possible expliot in eggdrop's server module?

2007-09-15T19:01:22-04:00

That would be gentoo's patched package... the eggdrop you would download from eggheads is indeed flawed with this bug.

The impact of this bug might be argued, as it would require an attacker to manipulate an user to use a malicious server. Still it's fully exploitable under those conditions. I assume the patch is saved for a future release of 1.6.19, although I don't know if it has been added to the cvs-repository..

Statistics: Posted by nml375 — Sat Sep 15, 2007 7:01 pm

Possible expliot in eggdrop's server module?

2007-09-15T16:40:08-04:00

Affected Packages

Package: net-irc/eggdrop
Vulnerable: < 1.6.18-r2
Unaffected: >= 1.6.18-r2
Architectures: All supported architectures

So there's nothing to be afraid of if you use the most recent version of Eggdrop (currently 1.6.18).

Statistics: Posted by Sir_Fz — Sat Sep 15, 2007 4:40 pm