Bugtraq mailing list archives

Re: Bug in IRC services

From: achurch () DRAGONFIRE NET (Andy Church)
Date: Fri, 12 Mar 1999 21:29:46 EST


     <rant> ALWAYS INFORM THE AUTHOR FIRST!  This is the first I have heard
of this alleged bug.  If you don't know the author, you can at least inform
someone that would (like IRC server administrators in this case). </rant>

     I'm looking into this now, but I haven't been able to duplicate the
scenario described by the original poster.  Services performs the following
check to determine whether a user is the "same" user as one that had
identified but disconnected (e.g. by a netsplit):

        if (ni->id_timestamp != 0 && u->signon == ni->id_timestamp)

where u->signon is the timestamp field from the NICK or USER message (or 0
if no timestamp is available), and ni->id_timestamp is set equal to
u->signon when the user identifies for their nick.  As far as I can tell,
this should be foolproof unless someone hacks one of the IRC servers to
spit out false timestamps (in which case you've got a problem on your hands
anyway).  I would appreciate any information from the original poster
demonstrating otherwise.

     I should note that the version of Services in use by irc.ptnet.org
appears to be modified; it is possible that their programmer(s) introduced
a bug such as this.  Also, as a side note, DALnet uses a Services program
of their own design, and (to the best of my knowledge) has not incorporated
any of my code.

     I will make a release tonight adding a configuration option to disable
this check and force all users to re-identify after a netsplit.  Check
http://achurch.dragonfire.net/services/ for downloading.  (The release will
also be announced on the Services mailing list; information at the above
URL.)

  --Andy Church
    achurch () dragonfire net
    http://achurch.dragonfire.net/

Hello,
I've just found a big hole in services provided by IRC networks. The
services in question are Chanserv, Nickserv, Memoserv.
I've found them at Portuguese IRC Network aka PTNET but I think these can be
applied to other IRC networks that are based around DALNET code since PTNET
is a modified version of Dalnet code. If this doesn't work in other IRC
networks at least can be a good example of very bad programming in areas
related to security and networking.
So let's start with a bit of background so everyone can understand what
happened...
As I said PTNET is based in Dalnet code and a some time ago started to
provide 3 services to users: Chanserv ( for channels) , Nickserv ( for
registering nicks) and Memoserv (to leave notes to other users).
One of the problems with these services were when a netsplit occured you had
to identify your nick when the servers rejoined so you can imagine how
annoying it can be always having to identify the nick back every network
split.
So it came the new version of the servers this time with a nice feature !
You didnt need to identify the nick when the servers rejoined from the
split ! The first time I saw this I tought about how would the services
recognize me as the true nick before the split... I never had the chance to
test this theory until some days ago.
So one server splitted and I took a nick from one administrator that wasn't
even online ! And for my surprise when the servers rejoined I had full
access to administrator privileges ! It just recognized the nick as a valid
one and gave me the privileges.
This feature as you can see is very very badly coded ( hi tourist, pantmar
and rob_ :) ) and it's a huge security hole because anyone can just ride a
split and take a administrator nick and then do whatever he wants ( you
could get some user nick and what all his memos and do whatever you feel to
his nick).
This type of thing occurs because the server doesn't make any check, only
checking if the nick exists in it's database. One solution of this problem
would be keeping a database of user/ip before the split and then compare
when servers rejoin.
Coding something that is working on a open environment without any checks
makes the coders being guilty in every attack the network suffers. There's
no absolute security in a computer but these stupid things can be avoided
and contribute to a more secure networking environment.
I think Dalnet and other networks use the same services so if they could be
exploitable too.
Hoping my little contribute to be usefull to improve security around the
world,
Fractal Guru

Any doubt feel free to email me!

Greetings to : Smiler, Jaeger, Origin, Psy, Bibo, all TRPS members and the
rest of my friends around the world!
--
Student at Oporto Faculty of Economy - Porto - Portugal
Email: fractalg () lidernet pt
iCQ #: 17994722
WWW soon at  http://www.dual-security.com

Current thread:

Bug in IRC services fractalg (Mar 12)
- Re: Bug in IRC services Kevin Day (Mar 12)
- Re: Bug in IRC services David Schwartz (Mar 12)
- <Possible follow-ups>
- Re: Bug in IRC services Taral (Mar 12)
  - Re: Bug in IRC services Pedro Ribeiro (Mar 13)
    - Bug in IRC services Leal Duarte (Mar 13)
    - erps kasper (Mar 13)
    - GLPro.exe spam fix Kerb (Mar 14)
    - Microsoft's SMTP service broken/stupid Chris Adams (Mar 14)
    - Re: Microsoft's SMTP service broken/stupid Alan Brown (Mar 16)
- Re: Bug in IRC services Andy Church (Mar 12)