------------------------------------------------------------------ - EXPL-A-2003-007 exploitlabs.com Advisory 007 ------------------------------------------------------------------ -= infobot =- Vunerability: ---------------- 1. Remote Access Product: -------- infobot http://www.infobot.org/ Description of product: ----------------------- "The infobot connects to an Internet Relay Chat (IRC) server, joins some channels (maybe), and begins accumulating factoids. To run one, download the source, uncompress it, untar it, edit the config files, and it up." VUNERABILITY / EXPLOIT ====================== by default there are two user names in infobot.users not commented out quote from from the infobot.conf file... -------------- snip -------------------- # our user list default file (in miscdir) # you may want to change this to $ident.users userList infobot.users ------------ end snip ----------------- defines the user database it seems the authors have provided them selves with a nifty backdoor... or any one who can match these credentals in the user database infobot.users infobot.users =================== snippy ============= # here's an example entry UserEntry oznoid { name "Kevin A. Lenzo"; title "that guy"; flags +ftrmcsSope; pass rrmrxB6U4ryRk; mask *!lenzo@*.speech.cs.cmu.edu; } UserEntry plonk { name "Eep Malloy" title "that guy II"; flags +trmcspo; pass rrmrxB6U4ryRk; mask *!*@*.static.telerama.com } =============== end snippy ================= Vendor Fix: ----------- No fix on 0day Vendor Contact: --------------- lenzo@cs.cmu.edu Concurrent with this advisory Credits: -------- morning_wood@exploitlabs.com http://nothackers.org