Eggrop bug

cyborgirl_at_libero.it
Date: 02/08/04

    Date: Sun,  8 Feb 2004 17:26:12 +0100
    To: "bugtraq" <bugtraq@securityfocus.com>

    http://mogan.nonsoloirc.com/egg_advisory.txt

    ==========================================
    Topic: eggdrop share.mod problem
    Issue date: 07/02/2004
    Severity: remote exploit
    Affected versions: 1.6.x <= 1.6.15, others?
    ==========================================

    Eggdrop is a bot written in C. It is highly configurable and can be easily
    expanded with TCL scripts. It is widely used in almost every IRC network.
    Eggdrop can be downloaded from:
         http://www.eggheads.org

    Description:
    ==============
    A vulnerability has been discovered in the share.mod module provided with the
    eggdrop sources.
    A tricky attacker can gain control over (almost) any eggdrop botnet.
    The bug lies in the fact that every legitimate bot can gain share status even if
    it is not marked to share with anyone.

    Issue Details:
    ==============
    share.mod uses tandem buffers to handle userfile resync transfers. Tandem buffers
    are checked every minute by check_expired_tbufs() in order to flush tandem buffers
    older than 15 minutes (resync_time). check_expired_tbufs() also handles userfile
    requests in limbo (those that haven't yet received any response from the tandem
    bot). While doing those checks the programmer left out some braces, and the worst
    has happened. Here is the incriminated snippet:

      for (i = 0; i < dcc_total; i++)
        if (dcc[i].type->flags & DCT_BOT) {
          if (dcc[i].status & STAT_OFFERED) {
            if (now - dcc[i].timeval > 120) {
              if (dcc[i].user && (bot_flags(dcc[i].user) & BOT_AGGRESSIVE))
                dprintf(i, "s u?\n");
              /* ^ send it again in case they missed it */
            }
            /* If it's a share bot that hasnt been sharing, ask again */
          } else if (!(dcc[i].status & STAT_SHARE)) {

    ------- /* Bug: from here on every bot gains the STAT_OFFERED status. */
            if (dcc[i].user && (bot_flags(dcc[i].user) & BOT_AGGRESSIVE))
              dprintf(i, "s u?\n");
            dcc[i].status |= STAT_OFFERED;
    ------- /* eof Bug */

          }
        }

    As we can see, every non-share bot gains STAT_OFFERED status every minute.

    The next step is to gain STAT_SHARE: share_ufyes() does that.
    That function doesn't check STAT_SHARE, just STAT_OFFERED.

    static void share_ufyes(int idx, char *par)
    {
      if (dcc[idx].status & STAT_OFFERED) {
        dcc[idx].status &= ~STAT_OFFERED;
        dcc[idx].status |= STAT_SHARE;
        dcc[idx].status |= STAT_SENDING;
        uf_features_parse(idx, par);
        start_sending_users(idx);
        putlog(LOG_BOTS, "*", "Sending user file send request to %s",
               dcc[idx].nick);
      }
    }

    Bingo!
    The bot is now completely recognized as a sharebot and we can adduser,
    deluser, chattr...
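    To see why the missing braces matter, and that bracing the two lines is enough to close the hole, here is an added stand-alone model of the two code paths above (written for this note, not eggdrop's own code). It assumes constructed values for the status bits and a three-field struct in place of the real dcc[] entry, and reduces share_ufyes() to the status-bit part quoted above.

```c
#include <stdbool.h>

/* Constructed stand-ins for eggdrop's dcc status bits; not the real headers. */
#define STAT_OFFERED   0x1
#define STAT_SHARE     0x2
#define STAT_SENDING   0x4
#define BOT_AGGRESSIVE 0x1   /* bot record is marked to share its userfile */

struct bot {
    int flags;   /* stands in for bot_flags(dcc[i].user) */
    int status;  /* stands in for dcc[i].status */
    int asked;   /* "s u?" requests sent; stands in for dprintf() */
};

/* The check_expired_tbufs() branch for a linked bot that is neither offered
 * nor sharing.  vulnerable=true reproduces the unbraced original, where
 * "dcc[i].status |= STAT_OFFERED" runs for every bot. */
static void expire_check(struct bot *b, bool vulnerable)
{
    if (b->status & (STAT_OFFERED | STAT_SHARE))
        return;                     /* other branches, not relevant here */
    if (vulnerable) {
        if (b->flags & BOT_AGGRESSIVE) b->asked++;   /* dprintf(i, "s u?\n"); */
        b->status |= STAT_OFFERED;                    /* bug: unconditional */
    } else if (b->flags & BOT_AGGRESSIVE) {           /* patched: braces group both */
        b->asked++;
        b->status |= STAT_OFFERED;
    }
}

/* Status-bit part of share_ufyes() as quoted above: it trusts STAT_OFFERED alone. */
static void share_ufyes(struct bot *b)
{
    if (b->status & STAT_OFFERED) {
        b->status &= ~STAT_OFFERED;
        b->status |= STAT_SHARE | STAT_SENDING;
    }
}

/* One timer tick followed by the peer's userfile-yes reply (share_ufyes());
 * returns whether a bot with the given record flags ends up with STAT_SHARE. */
bool ends_up_sharing(int flags, bool vulnerable)
{
    struct bot b = { flags, 0, 0 };
    expire_check(&b, vulnerable);
    share_ufyes(&b);
    return (b.status & STAT_SHARE) != 0;
}
```

    With the unbraced code a bot whose record carries no share flag still ends up with STAT_SHARE after one tick; with the braces only BOT_AGGRESSIVE bots do.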

    Notes:
    =============
    Two directly linked bots share a password (handshake) at link time, but two
    bots that are not directly linked probably will not. So it may be possible to
    fake a real bot simply by telnetting to the bot port and pressing enter :).

    Patch:
    =============
    Trivial,

    -------- Cut Here ---------

    --- eggdrop1.6.15/src/mod/share.mod/share.c Sat Feb 7 05:13:32 2004
    +++ eggdrop1.6.15-sp/src/mod/share.mod/share.c Sat Feb 7 05:43:33 2004
    @@ -1457,9 +1457,11 @@
               /* ^ send it again in case they missed it */
             /* If it's a share bot that hasnt been sharing, ask again */
           } else if (!(dcc[i].status & STAT_SHARE)) {
    - if (dcc[i].user && (bot_flags(dcc[i].user) & BOT_AGGRESSIVE))
    + /* Patched from original source by giusc@gbss.it <20040207> */
    + if (dcc[i].user && (bot_flags(dcc[i].user) & BOT_AGGRESSIVE)) {
               dprintf(i, "s u?\n");
    - dcc[i].status |= STAT_OFFERED;
    + dcc[i].status |= STAT_OFFERED;
    + }
           }
         }
     }
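    Review bot: the `-` and `+` lines of this hunk have lost their leading indentation relative to the context lines (the `dprintf(i, "s u?\n");` line keeps its original indent while the lines around it start at the margin), which looks like mail whitespace mangling; `patch` will most likely reject the hunk as-is, so re-indent those five lines to match the context or apply the change by hand. The change itself is sound: wrapping `dprintf(i, "s u?\n");` and `dcc[i].status |= STAT_OFFERED;` in the `BOT_AGGRESSIVE` block means STAT_OFFERED is only ever set on bots whose record is marked to share, which is the one flag share_ufyes() checks before granting STAT_SHARE.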

    -------- Cut Here ---------

    Exploit:
    =============
    trivial,
    not yet available for kiddies.

    Acknowledgment:
    ===============
    Luca De Roberto <luca_adsl (at) tin (dot) it>
    Dania Stolfi <cyborgirl (at) libero (dot) it>
    Giuseppe Caulo <giusc (at) gbss (dot) it>

    Vendor status:
    ===============
    Notified on 07 February 2004

