
eggdrop137.txt

17 Aug 1999 00:00:00 | Reported by Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

Security issues in eggdrop 1.3.17 include command overflows and potential denial of service attacks.

```text
Date: Wed, 15 Jul 1998 01:03:39 +0200
From: Paul Boehm <[email protected]>
Subject: eggdrop1.3.17 security

Hi,

I played around with eggdrop 1.3.17 and looked at its source searching for
security flaws, and found quite a lot of them... (most likely there are more
of them...)

Summary:
.) I didn't find any bugs usable using irc (dcc excluded) or without any
access.
.) All of these can be used as a DoS attack (bot killer) even without
any further exploit.
.) Some (all?) of them can be used to execute shellcode (I think).

Here's a detailed list:

bot linking overflows:
1. bot handshake
When two bots in a botnet start linking, each of them sends their version
number. This looks like this:

version 1031700 9 [and some silly text]

Now if one of the "bots" sends: version 1031700 9 <many a's>
the bot segfaults... buffer overrun no. 1

user command overflows:
2. If you do a .note <many, but not too many a's>@dummy
the bot segfaults again. The @dummy is important as
a different routine gets called if you don't supply it.
If you use too many a's your input gets wrapped and
the bot doesn't get the @dummy as part of the command,
so the overflowable routine never gets called.

3. The ignore command series (.+ignore, .ignore, .-ignore)
has tons of overflows... ignore with long command,
ignore with long host, unignore long host, list long ignore,
list ignore after unignoring long host, etc... Which one
you trigger depends on whether you're connected or not and how
long the string you're using is.
Play around yourself...

4. .+ban <many a's>
.-ban <many a's>

5. A nice one... only locally exploitable *grin*
$ export HOSTNAME="your.real.host.name <many a's (>1024 at least)>"
$ ./eggdrop config.file
Segmentation Fault

6. .jump irc.bla.org 6667 <many a's>

filesys overflows:
Permission to use the mkdir command is needed for these.

7. mkdir <many a's>
Works even if you don't have permissions to create dirs here.

8. mkdir aaaaaaaaaaaaa\ncd aaaaaaaaaaaaaaa\nmkdir aaaaaaaaaaaaaa\ncd aaaa...
overflows the string containing the current pwd.
You need permissions for directory creation.

And one found by Eduard Nigsch <[email protected]>:
9. If a user has a pass that repeats, for example
"abcabc", you can use "abc" as pass to log into the bot.
So "a" could be used as pass instead of "aaaaaa"...

--- To prevent flames:
This has been sent to the eggdrop mailing list at the same time as
to bugtraq, as the eggdrop mailing list (the only contact I found in
the readmes) is a public mailing list too.
---

bye,
pb


[ Paul S. Boehm | [email protected] | http://paul.boehm.org/ | infected@irc ]

Money is what gives a programmer his resources. It's an exchange system
created by human beings. It surrounds us. Works for us, binds the economy
together.
```
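The bot handshake in item 1 is the simplest of the reported overflows to reason about: a `version <num> <num> [free text]` line copied into a fixed buffer without a length check. The C below is an added example, not eggdrop's code, showing what a bounded parser for that line looks like: every length is checked before any byte is copied, and over-long input is refused rather than truncated. `MAX_LINE`, `MAX_TEXT`, the struct layout and the helper that builds the long-"a" line are assumptions for the example.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_LINE 512   /* assumed wire-line limit, not eggdrop's value */
#define MAX_TEXT 64    /* assumed cap for the trailing free text */

/* A parsed handshake line: "version <num> <num> [free text]". */
struct handshake {
    long version;      /* e.g. 1031700 */
    long second;       /* the second number ("9" in the advisory) */
    char text[MAX_TEXT];
};

/* Bounded parser: returns 0 on success, -1 on malformed or oversized input.
 * No byte lands in a fixed buffer until its length has been checked. */
int parse_version_line(const char *line, struct handshake *out)
{
    const char *p;
    char *end;
    size_t n;
    if (line == NULL || out == NULL || strlen(line) >= MAX_LINE)
        return -1;                    /* refuse over-long lines outright */
    if (strncmp(line, "version ", 8) != 0)
        return -1;
    p = line + 8;
    out->version = strtol(p, &end, 10);
    if (end == p || *end != ' ')
        return -1;
    p = end + 1;
    out->second = strtol(p, &end, 10);
    if (end == p)
        return -1;
    while (*end == ' ')
        end++;
    n = strcspn(end, "\r\n");         /* ignore a trailing line ending */
    if (n >= MAX_TEXT)
        return -1;                    /* refuse rather than truncate */
    memcpy(out->text, end, n);
    out->text[n] = '\0';
    return 0;
}

/* Builds "version 1031700 9 " followed by n_as 'a' characters (the shape of
 * the advisory's over-long handshake) and returns the parser's verdict. */
int check_handshake_with_as(size_t n_as)
{
    char line[MAX_LINE + 256];
    struct handshake h;
    const char prefix[] = "version 1031700 9 ";
    if (n_as > sizeof line - sizeof prefix)
        n_as = sizeof line - sizeof prefix;
    memcpy(line, prefix, sizeof prefix - 1);
    memset(line + sizeof prefix - 1, 'a', n_as);
    line[sizeof prefix - 1 + n_as] = '\0';
    return parse_version_line(line, &h);
}
```

A short, well-formed handshake parses; a line padded with a few hundred 'a's is rejected before anything is copied, which is the behaviour the original code lacked.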
