Message-ID: <6.0.1.1.2.20040209232709.02dbeec0@mail.gbss.it>
From: giusc at nonsoloirc.com (Giuseppe)
Subject: Eggdrop problem

==========================
Topic: eggdrop share.mod problem
Issue date: 7 February 2004
Severity: remote exploit
Affected versions: 1.6.x <= 1.6.15, others?
==========================

Eggdrop is an IRC bot written in C. It is highly configurable and can
easily be extended with Tcl scripts. It is widely used on almost every
IRC network.
Eggdrop can be downloaded from:
      http://www.eggheads.org

Description:
==============
A vulnerability has been discovered in the share.mod module shipped with
the eggdrop sources.
An attacker can gain control over (almost) any eggdrop botnet.
The bug lies in the fact that every linked bot can gain share status even
if it is not marked to share with anyone.


Issue Details:
==============
share.mod uses tandem buffers to handle userfile resync transfers. Tandem
buffers are checked once a minute by check_expired_tbufs() in order to flush
tandem buffers older than 15 minutes (resync_time). check_expired_tbufs()
also handles userfile requests in limbo (those that have not yet received
any response from the tandem bot). In those checks the programmer left out
a pair of braces, and the worst has happened.
Here is the incriminated snippet:

   for (i = 0; i < dcc_total; i++)
     if (dcc[i].type->flags & DCT_BOT) {
       if (dcc[i].status & STAT_OFFERED) {
         if (now - dcc[i].timeval > 120) {
           if (dcc[i].user && (bot_flags(dcc[i].user) & BOT_AGGRESSIVE))
             dprintf(i, "s u?\n");
           /* ^ send it again in case they missed it */
         }
         /* If it's a share bot that hasnt been sharing, ask again */
       } else if (!(dcc[i].status & STAT_SHARE)) {
         if (dcc[i].user && (bot_flags(dcc[i].user) & BOT_AGGRESSIVE))
           dprintf(i, "s u?\n");
         /* BUG: the if above has no braces, so the next statement runs
          * for every linked bot, not only for aggressive share bots. */
         dcc[i].status |= STAT_OFFERED;
       }
     }

As we can see, every linked bot that is not yet sharing gains STAT_OFFERED
once a minute, whether or not it has any share flags.

The next step is to gain STAT_SHARE. For that we use share_ufyes(), the
handler for the remote bot's "yes" reply to the userfile offer. That
function does not check the bot's share flags or STAT_SHARE, only
STAT_OFFERED:

static void share_ufyes(int idx, char *par)
{
   if (dcc[idx].status & STAT_OFFERED) {
     dcc[idx].status &= ~STAT_OFFERED;
     dcc[idx].status |= STAT_SHARE;
     dcc[idx].status |= STAT_SENDING;
     uf_features_parse(idx, par);
     start_sending_users(idx);
     putlog(LOG_BOTS, "*", "Sending user file send request to %s",
            dcc[idx].nick);
   }
}


Bingo!
The bot is now fully recognized as a sharebot, and we can adduser,
deluser, chattr, and so on against the shared userfile.
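The sequence just described, as an added example (this is not eggdrop's code and not part of the original advisory): a small C model of the two quoted functions. The struct, the bit values and the function names are assumptions made for the illustration; only the control flow of the quoted snippets is reproduced, first as shipped in 1.6.15 and then with the braces the patch below adds, so that the two behaviours can be compared on the same input.

```c
/*
 * Added example: a constructed model of the STAT_OFFERED / STAT_SHARE
 * state transitions described in the advisory. It is NOT eggdrop code;
 * the struct, the bit values and the function names are assumptions.
 * Only the control flow of the two quoted snippets is reproduced.
 */
#include <stdio.h>
#include <time.h>

/* Assumed bit values; eggdrop's real ones live in its own headers. */
#define STAT_OFFERED   0x01u
#define STAT_SHARE     0x02u
#define STAT_SENDING   0x04u
#define BOT_AGGRESSIVE 0x10u  /* bot record is flagged to share aggressively */

struct link {
    const char *nick;
    unsigned bot_flags;   /* flags on the bot's user record (bot_flags(dcc[i].user)) */
    unsigned status;      /* per-link STAT_* bits (dcc[i].status) */
    time_t   timeval;     /* last activity (dcc[i].timeval) */
};

/* The "ask again" branch as shipped: STAT_OFFERED is set on every linked
 * bot that is not sharing yet, share flags or not. */
static void expiry_check_vulnerable(struct link *b, time_t now)
{
    if (b->status & STAT_OFFERED) {
        if (now - b->timeval > 120 && (b->bot_flags & BOT_AGGRESSIVE))
            printf("-> %s: s u?\n", b->nick);   /* re-send the offer */
    } else if (!(b->status & STAT_SHARE)) {
        if (b->bot_flags & BOT_AGGRESSIVE)
            printf("-> %s: s u?\n", b->nick);
        b->status |= STAT_OFFERED;              /* bug: runs for every bot */
    }
}

/* The same branch with the missing braces: only a bot that was actually
 * offered the userfile is marked STAT_OFFERED. */
static void expiry_check_patched(struct link *b, time_t now)
{
    if (b->status & STAT_OFFERED) {
        if (now - b->timeval > 120 && (b->bot_flags & BOT_AGGRESSIVE))
            printf("-> %s: s u?\n", b->nick);
    } else if (!(b->status & STAT_SHARE)) {
        if (b->bot_flags & BOT_AGGRESSIVE) {
            printf("-> %s: s u?\n", b->nick);
            b->status |= STAT_OFFERED;
        }
    }
}

/* The remote bot accepts the offer. As in the quoted share_ufyes(), the
 * only gate is STAT_OFFERED; the bot's share flags are never consulted. */
static int accept_offer(struct link *b)
{
    if (!(b->status & STAT_OFFERED))
        return 0;
    b->status &= ~STAT_OFFERED;
    b->status |= STAT_SHARE | STAT_SENDING;
    printf("Sending user file send request to %s\n", b->nick);
    return 1;
}

/* Drive one link with the given bot flags through one expiry check and
 * one acceptance; returns 1 if the link ends up with STAT_SHARE. */
int ends_up_sharing(unsigned bot_flags, int patched)
{
    struct link b = { "somebot", bot_flags, 0u, (time_t)0 };
    time_t now = (time_t)1000;   /* constructed clock value */

    if (patched)
        expiry_check_patched(&b, now);
    else
        expiry_check_vulnerable(&b, now);
    accept_offer(&b);
    return (b.status & STAT_SHARE) != 0;
}

int main(void)
{
    printf("1.6.15,  bot with no share flags: sharing=%d\n", ends_up_sharing(0u, 0));
    printf("patched, bot with no share flags: sharing=%d\n", ends_up_sharing(0u, 1));
    printf("patched, aggressive share bot:    sharing=%d\n",
           ends_up_sharing(BOT_AGGRESSIVE, 1));
    return 0;
}
```

With the shipped logic a link carrying no share flags at all reaches STAT_SHARE after a single expiry check and one accepted offer; with the braces in place the same link never receives STAT_OFFERED, so accept_offer() is a no-op for it, while a bot flagged BOT_AGGRESSIVE still ends up sharing as before.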


Notes:
=============
Two directly linked bots exchange a password at link time (handshake),
but two bots that are not directly linked probably do not. So it may be
possible to fake a real bot simply by telnetting to the bot port, typing
the botnick, and pressing enter :).




Patch:
=============
Trivial,

-------- Cut Here ---------

--- eggdrop1.6.15/src/mod/share.mod/share.c     Sat Feb  7 05:13:32 2004
+++ eggdrop1.6.15-sp/src/mod/share.mod/share.c  Sat Feb  7 05:43:33 2004
@@ -1457,9 +1457,11 @@
            /* ^ send it again in case they missed it */
          /* If it's a share bot that hasnt been sharing, ask again */
        } else if (!(dcc[i].status & STAT_SHARE)) {
-        if (dcc[i].user && (bot_flags(dcc[i].user) & BOT_AGGRESSIVE))
+       /* Patched from original source by giusc@...s.it <20040207> */
+        if (dcc[i].user && (bot_flags(dcc[i].user) & BOT_AGGRESSIVE))  {
            dprintf(i, "s u?\n");
-        dcc[i].status |= STAT_OFFERED;
+          dcc[i].status |= STAT_OFFERED;
+        }
        }
      }
  }
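Review bot: the fix leaves share_ufyes() untouched, so the handler that grants STAT_SHARE still keys only on STAT_OFFERED and never consults bot_flags(); if any other path sets STAT_OFFERED on a link whose user record lacks the share flags, the same escalation returns. Adding a `bot_flags(dcc[idx].user) & BOT_AGGRESSIVE` check in share_ufyes() would give a second gate for the privilege that this hunk protects only at its first source. Two smaller points: the re-indented `dcc[i].status |= STAT_OFFERED;` now sits deeper than the `dprintf(i, "s u?\n");` inside the same braces, and the `/* Patched from original source by ... */` attribution belongs in the changelog rather than in the code.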


-------- Cut Here ---------



Exploit:
=============
Trivial; not yet available for kiddies.



Credits:
===============
Luca De Roberto <luca_adsl (at) tin (dot) it>
Daniela Stolfi <cyborgirl (at) libero (dot) it>
Giuseppe Caulo <giusc (at) gbss (dot) it>



Vendor status:
===============
Notified on 07 February 2004





