Bugtraq mailing list archives

Re: Eggdrop arbitrary connection vulnerability


From: "Matthew S. Hallacy" <poptix () techmonkeys org>
Date: Mon, 10 Feb 2003 19:44:40 -0600

<official reply from eggheads.org, the current eggdrop development group>

On Sun, Feb 09, 2003 at 08:44:50PM +0100, Paul Starzetz wrote:
> Hi,

Hello.


> there is a serious security problem in the popular eggdrop IRCbot. The
> hole allows a regular user with enough 'power' (at least power to add
> new bot records) to use any linked instance of the bot on the botnet as
> an instant 'proxy'. The following session demonstrates the problem with
> an out-of-the-box eggdrop 1.6.10:

This is not a bug. When running a program, any program, the owner of
the process has the responsibility of making sure that they trust the
people they give access.

Not only is partyline access required, but they must also have access
to either add, or modify bots. In the past many people have used this
particular 'feature' for various things, including connecting to other
bots that may not be compatible with the eggdrop botnet protocol.

I personally have also used this to verify that services are available
that I cannot reach directly (ssh, http, ftp, etc). Others have written
scripts (in Tcl, the script language available to eggdrop) that interact
with various services, including FTP, SMTP, HTTP, and POP3.

To conclude, if you see this as a security threat, please feel free to
remove the user flags from the people that you do not trust to refrain
from abusing it. It is not necessary (nor the default behavior) for a
user to have the ability to do this (or even use the .relay command).

[snip]

> Hope this helps, thanks to Maciek Kroenke for bringing my attention to
> this bug,

Next time you feel that you've found a 'bug' in eggdrop please refer to
the mailing lists at http://www.eggheads.org, or our bugzilla server at
http://www.eggheads.org/bugzilla
</official reply>

/ih

-- 
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net                           GPG public key 0x01938203

