Bugtraq mailing list archives
Re: Long-standing bug in AustNet IRC network Virtual World
From: isles () XNET ORG (Paul McGovern)
Date: Tue, 6 Apr 1999 00:07:24 -0400
On Sat, 3 Apr 1999, Grant Bayley wrote: | Hi folks, | | I've documented (with examples) a long standing bug in the AustNet IRC | network "Virtual World" service which masks user IP address/hostnames for | the purpose of preventing nukes and other fun things. The admins have | known about it for some time but seem to want to fix things like LoveOP | which sends lame love messages rather than helping their users stay | anonymous and secure, something they tout quite widely on their webpage. <snip> | I should mention in passing that other IRC networks like Xnet that offer | hostname/ip masking do not suffer from the same bug. It appears that the Relicnet IRC network, which just the other day implemented their version of 'vworld,' suffers from the same sort of vulnerability. Quick example: nyisles_ - isles () relic5364 krad org ircname - moderate rock... server - styx.us.relic.net [Dare thee cross the River of Hate?] idle - 0h 4m 52s nyisles_'s real hostname is jive.krad.org. When nyisles_ is /umode -i or on the same channel as the 'attacker,' and the attacker decides 'well i dont like this guy and wish to DoS him and/or try to exploit his machine,' he can simply host -l krad.org (as documented on the 2600.org.au site). Then, he can /who *<krad.org host here>* until he does, say, /who *jive* and get: * H nyisles_ [isles () relic5364 krad org] (styx.us.relic.net!0) thus, an attacker who assumes i am using jive.krad.org but wasn't sure has just been proven that that's really my host and can nuke the crap out of me or whatever. The same thing works on IPs - relicnet's IP masking is even easier to guess around since only the last number in the IP in a non-reversing IP is hidden (i.e. 209.52.169.7 becomes 209.52.169.000, and the attacker can just /who 209.52.169.1 209.52.169.2 etc. until he hits 209.52.169.7, and then bingo, the /who will respond with: * H nyisles_ [isles@209.52.169.000] (styx.us.relic.net!0) and once again give away my real IP and remove my so-called 'blanket of security.') I verified this on others by telling one of the opers there his real hostname after he joined with () The-1-Law (blah () relic5669 dmrtc net) joined channel #RelicNet since this ISP's nameservers didn't allow host -l queries, /msg nickserv list *dmrtc* gave me someone else's real dmrtc.net host as an example, and after about 30 seconds of /who guessing i had his real host (much to his dismay). There may be other vulnerable networks, so far xnet.org is the only network that uses a vworld-type system that i know of that *isn't* vulnerable. -=--=--=--=--=--=--=--=--=--=--=--=--=--=- Paul McGovern (nyisles) - isles () lamer net BSBW Public Library - Technical Assistant IRC Administrator - redemption.xnet.org IRC Administrator - krad.fef.net http://www.krad.org (under construction) -=--=--=--=--=--=--=--=--=--=--=--=--=--=-
Current thread:
- Re: Possible local DoS in sendmail Anonymous (Mar 29)
- <Possible follow-ups>
- Possible local DoS in sendmail Lukasz Luzar (Apr 01)
- Re: Possible local DoS in sendmail KuRuPTioN (Apr 01)
- Re: Possible local DoS in sendmail Gregory Neil Shapiro (Apr 02)
- Re: Possible local DoS in sendmail Michał Szymański (Apr 02)
- Long-standing bug in AustNet IRC network Virtual World Grant Bayley (Apr 02)
- Re: Long-standing bug in AustNet IRC network Virtual World Paul McGovern (Apr 05)
- Re: Long-standing bug in AustNet IRC network Virtual World Henrik Edlund (Apr 06)
- Re: Long-standing bug in AustNet IRC network Virtual World Sean Kelly (Apr 07)
- Netcache snmp behaviour Marco Davids (Apr 06)
- Procmail version 3.13.1 released Philip Guenther (Apr 06)
- Digital Unix 4.0E /var permission Harhalakis Stefanos (Apr 04)
- ucd snmp vacm's public community access auth probs? + + (Apr 06)
- Re: Digital Unix 4.0E /var permission implosion (Apr 06)
- Re: Digital Unix 4.0E /var permission Harhalakis Stefanos (Apr 06)
- rsync 2.3.1 release - security fix Andrew Tridgell (Apr 07)