COMMAND

    eggdrop

SYSTEMS AFFECTED

    Systems with eggdrop 1.3.17

PROBLEM

    Paul Boehm found several security flaws (and there are probably more
    to be found).  Here's a summary of what he found:

        o) none of the bugs is usable over IRC (DCC excluded) or without
           any access.
        o) all of them can be used as a DoS attack (bot killer) even
           without any further exploit.
        o) some (all?) of them can be used to execute shellcode.

    Here's  a  detailed  list  (bot  linking, user command and filesys
    overflows):

    1. bot handshake;  when two bots in a botnet start linking, each of
       them sends its version number.  This looks like this:

        version 1031700 9 [and some silly text]

       Now, if one of the  "bots" sends: version 1031700 9  
       the bot segfaults... buffer overrun no.1

    2. If you do a .note @dummy  the bot
       segfaults again.  The @dummy is important, as a different routine
       gets called if you don't supply it.  If you use too many a's your
       input gets wrapped and the bot doesn't get the @dummy as part of
       the command, so the overflowable routine never gets called.

    3. The ignore command series (.+ignore, .ignore, .-ignore) has tons
       of overflows: ignore with a long command, ignore with a long host,
       unignore a long host, list a long ignore, list ignores after
       unignoring a long host, etc.  Which one you trigger depends on
       whether you're connected or not and on how long the string you're
       using is.  Play around yourself...

    4. .+ban 
       .-ban 

    5. A nice one (only locally exploitable)

        $ export HOSTNAME="your.real.host.name 1024 at least)>"
        $ ./eggdrop config.file
        Segmentation Fault

    6. .jump irc.bla.org 6667 

    [permission to use mkdir command needed for following]
    7. mkdir 
       Works even if you don't have permissions to create dirs here.

    8. mkdir aaaaaaaaaaaaa\ncd aaaaaaaaaaaaaaa\nmkdir aaaaaaaaaaaaaa\ncd aaaa...
       Overflows  the  string  containing  the  current pwd.  You need
       permissions for directory creation.

    9. If a user has a pass that repeats, for example "abcabc", you can
       use "abc" as the pass to log into the bot.  So "a" could be used
       as the pass instead of "aaaaaa". (found by Eduard Nigsch)
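    Items 1 through 8 are all the same class of defect: a line or field
    supplied by a peer, a user or the environment is copied into a fixed
    size buffer without a length check.  The following C example, added
    here and not taken from eggdrop's source, shows the bot-handshake
    line from item 1 parsed with explicit bounds.  The limits
    LINE_MAX_LEN and VERSION_TEXT_MAX, the struct name and the field
    name field2 are assumptions made for the example; the unsafe variant
    is a hypothetical pattern kept only for contrast and is never
    called.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits assumed for this example; they are not eggdrop's own constants. */
#define LINE_MAX_LEN     512   /* longest handshake line we are willing to parse */
#define VERSION_TEXT_MAX 120   /* bound for the free text after the two numbers */

struct botversion {
    long numver;                      /* e.g. 1031700 */
    long field2;                      /* the "9" in the advisory's sample line */
    char text[VERSION_TEXT_MAX + 1];  /* trailing "silly text", NUL-terminated */
};

/* Hypothetical unsafe pattern, shown only for contrast and never called:
 * "%s" without a width limit lets a long peer-supplied text overrun
 * out->text, which is the class of bug the advisory describes. */
int parse_version_unsafe(const char *line, struct botversion *out)
{
    return sscanf(line, "version %ld %ld %s",
                  &out->numver, &out->field2, out->text) == 3 ? 0 : -1;
}

/* Bounded parser: refuses oversized lines, checks each field, and copies the
 * trailing text only when it fits.  Returns 0 on success, -1 on rejection. */
int parse_version_line(const char *line, struct botversion *out)
{
    /* Reject the whole line if no terminator appears within LINE_MAX_LEN bytes. */
    if (memchr(line, '\0', LINE_MAX_LEN + 1) == NULL)
        return -1;
    if (strncmp(line, "version ", 8) != 0)
        return -1;

    const char *p = line + 8;
    char *end;
    out->numver = strtol(p, &end, 10);
    if (end == p || *end != ' ')        /* first number must be followed by a space */
        return -1;
    p = end + 1;
    out->field2 = strtol(p, &end, 10);
    if (end == p || (*end != ' ' && *end != '\0'))
        return -1;
    while (*end == ' ')
        end++;

    size_t tlen = strlen(end);
    if (tlen > VERSION_TEXT_MAX)        /* peer text too long: reject, do not truncate */
        return -1;
    memcpy(out->text, end, tlen + 1);
    return 0;
}

/* Convenience wrapper: the parsed numver, or -1 if the line was rejected. */
long version_line_numver(const char *line)
{
    struct botversion v;
    return parse_version_line(line, &v) == 0 ? v.numver : -1;
}

/* Constructed sample input: a well-formed prefix followed by 700 'a' bytes. */
const char *constructed_overlong_line(void)
{
    static char buf[800];
    const char *prefix = "version 1031700 9 ";
    size_t plen = strlen(prefix);
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'a', 700);
    buf[plen + 700] = '\0';
    return buf;
}

int main(void)
{
    struct botversion v;
    const char *good = "version 1031700 9 some silly text";   /* constructed */
    int rc = parse_version_line(good, &v);
    printf("good line: rc=%d numver=%ld text=\"%s\"\n", rc, v.numver, v.text);
    rc = parse_version_line(constructed_overlong_line(), &v);
    printf("overlong line: rc=%d\n", rc);
    return 0;
}
```

    The same shape applies to the other items: the environment variable
    in item 5, the directory names in items 7 and 8 and the ignore and
    ban arguments all want an upper bound checked before the copy, and
    an oversized value is refused rather than silently truncated.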
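    Item 9 describes a password check that accepts any repeating unit of
    the stored password.  The C example below is added here and is not
    eggdrop's code: check_pass_cycling is a hypothetical comparison that
    reproduces the reported behaviour (the supplied password is cycled
    over the stored one), check_pass_exact is the correct comparison,
    and smallest_period / password_has_short_period are a policy check a
    bot owner could run when a password is set, to refuse passwords that
    are a shorter string repeated.  All function names and sample
    passwords are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical comparison with the behaviour the advisory reports: the
 * supplied password is cycled over the stored one, so a stored password
 * that repeats also accepts its period ("abc" for "abcabc", "a" for
 * "aaaaaa").  Shown for contrast only. */
int check_pass_cycling(const char *stored, const char *supplied)
{
    size_t slen = strlen(stored), ulen = strlen(supplied);
    if (ulen == 0)
        return 0;
    for (size_t i = 0; i < slen; i++)
        if (stored[i] != supplied[i % ulen])
            return 0;
    return 1;
}

/* Correct check: lengths must be equal and every byte must match.  The loop
 * always runs over the stored length and accumulates differences with OR,
 * so the position of the first mismatch does not change the running time. */
int check_pass_exact(const char *stored, const char *supplied)
{
    size_t slen = strlen(stored), ulen = strlen(supplied);
    unsigned char diff = (unsigned char)(slen != ulen);
    for (size_t i = 0; i < slen; i++) {
        /* index within the supplied string (its terminator when it is empty) */
        size_t j = ulen ? i % ulen : 0;
        diff |= (unsigned char)(stored[i] ^ supplied[j]);
    }
    return diff == 0;
}

/* Smallest p such that pw is its first p bytes repeated; equals strlen(pw)
 * when the password does not repeat. */
size_t smallest_period(const char *pw)
{
    size_t n = strlen(pw);
    for (size_t p = 1; p < n; p++) {
        if (n % p != 0)
            continue;
        size_t i = p;
        while (i < n && pw[i] == pw[i - p])
            i++;
        if (i == n)
            return p;
    }
    return n;
}

/* Policy check for use when a password is set: 1 if the password is a
 * shorter string repeated (and so affected by the bug), else 0. */
int password_has_short_period(const char *pw)
{
    size_t n = strlen(pw);
    return n > 0 && smallest_period(pw) < n;
}

int main(void)
{
    /* constructed sample pairs (stored, supplied) */
    const char *pairs[][2] = {
        { "abcabc", "abc" }, { "aaaaaa", "a" }, { "abcabc", "abcabc" }, { "abcabd", "abc" },
    };
    for (size_t k = 0; k < sizeof pairs / sizeof pairs[0]; k++)
        printf("stored=%-7s supplied=%-7s cycling=%d exact=%d short_period=%d\n",
               pairs[k][0], pairs[k][1],
               check_pass_cycling(pairs[k][0], pairs[k][1]),
               check_pass_exact(pairs[k][0], pairs[k][1]),
               password_has_short_period(pairs[k][0]));
    return 0;
}
```

    Until a fixed release is available, the period check is the useful
    half: a bot owner can apply it to new passwords so that the cycling
    behaviour has nothing to match against.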

SOLUTION

    This has been sent to the eggdrop mailing list.