Bugtraq mailing list archives
Re: OpenProjects IRCD allows DNS spoofing
From: "Matthew S. Hallacy" <poptix () techmonkeys org>
Date: Sun, 14 Oct 2001 07:28:17 -0600
This is incorrect, ircu has had hostname checking for a very long time, as has hybrid. While it's completely possible that the nameserver used by this server had its cache poisoned, or that a different bug was found, I can assure you that it is not as simple as setting a PTR entry and connecting.

Snippet from s_bsd.c in ircu2.10.05:

    /*
     * Verify that the host to ip mapping is correct both ways and that
     * the ip#(s) for the socket is listed for the host.
     */
    if (hp) {
      for (i = 0; hp->h_addr_list[i]; i++)
        if (!memcmp(hp->h_addr_list[i], &cptr->ip, sizeof(struct in_addr)))
          break;
      if (!hp->h_addr_list[i]) {
        sendto_op_mask(SNO_IPMISMATCH, "IP# Mismatch: %s != %s[%08x]",
                       inetntoa(cptr->ip), hp->h_name,
                       *((unsigned int *)hp->h_addr));
        hp = NULL;
      }
    }

Perhaps the person showing this to you was nice enough to poison a nameserver for you as well. Further testing:
    /MODE poptrix +s 65535
    ùíù 32767 : Server notice mask (0x7fff)
    [test.net] IP Mismatch 192.168.100.1 != babble.tc.umn.edu[89975ea0]
    [test.net] Client Connecting: poptix [~poptix@192.168.100.1) ]

    /WHOIS poptix
    ┌─────---─--──-──────---─--──-─────────--- -- -
    | poptix (~poptix@192.168.100.1) (unknown)
    │ ircname : poptix
    │ server : test.net (ircu test server)
    : idle : 0 hours 4 mins 21 secs (signon: Sun Oct 14 08:22:31 2001)

    /VERSION
    ùíù u2.10.05.18.(ipcheck4-5).: test.net M>0B6CeEHIKMStU

    [irc@tranq ircd]$ host 192.168.100.1
    1.100.168.192.in-addr.arpa. domain name pointer babble.tc.umn.edu.
    [irc@tranq ircd]$ host babble.tc.umn.edu
    babble.tc.umn.edu. has address 160.94.151.137

Matthew S. Hallacy
* OpenProjects.NET IRCD DNS Spoofing *

OpenProjects.net's ircd has some truly braindead code re DNS lookups and doesn't do a proper double-reverse paranoid lookup. In fact, it is possible to spoof any hostname that actually exists on the internet. Here is how to exploit it.

1. Choose a Hostname to Spoof.

It is important to keep in mind that you must choose a hostname that actually exists; for our example, we will use 'gary7.nsa.gov'.

2. Point Your Reverse Lookup To The Hostname.

For our example, we will put the following in our BIND zonefile:

    47.222.42.209.in-addr.arpa. IN PTR gary7.nsa.gov.

where we will assume you are using the same IP I used, 209.42.222.47.

3. Connect To A Vulnerable IRC Server.

    BitchX -H 209.42.222.47 jmutex asimov.openprojects.net

Try a WHOIS on yourself.

    /whois jmutex
    | jmutex (jmutex () gary7 nsa gov) (Government)
    ½ ircname : Jukka Mutex
    ½ server : asimov.openprojects.net (Fremont, CA)
    : idle : 0 hours 0 mins 24 secs (signon: Tue Oct 9 05:32:16 2001)

Credits: jmutex () newgold net, chrisj () newgold net, lilo
Found by: Joseph Mallett
Affects: OpenProjects u2.10.05.18.(ipcheck4-5)
Rumored to Affect: Hybrid

Copyright (c) 2001 Joseph Mallett. All rights reserved.
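As an added illustration of the forward-confirmed reverse lookup that Matthew quotes from s_bsd.c (my own Python, not ircu's code): the resolver is replaced by constructed lookup tables that reproduce the 192.168.100.1 / babble.tc.umn.edu mismatch from the session above, and ircu_hex shows why that notice renders 160.94.151.137 as 89975ea0 (the raw in_addr printed as a host-order integer on a little-endian machine). The 198.51.100.7 / shell.example.net entries are made up for the matching case.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed lookup tables standing in for the resolver (not live DNS).
# 192.168.100.1 reproduces the page's case: its PTR claims babble.tc.umn.edu,
# but that name's A record points elsewhere. 198.51.100.7 is a made-up host
# whose forward and reverse records agree.
PTR: Dict[str, str] = {
    "192.168.100.1": "babble.tc.umn.edu",
    "198.51.100.7": "shell.example.net",
}
A: Dict[str, List[str]] = {
    "babble.tc.umn.edu": ["160.94.151.137"],
    "shell.example.net": ["198.51.100.9", "198.51.100.7"],
}


def ircu_hex(addr: str) -> str:
    """Format an IPv4 address as ircu's notice does: %08x of the raw
    in_addr read as a host-order int, so on a little-endian host the
    octets come out reversed (160.94.151.137 -> 89975ea0)."""
    raw = bytes(int(o) for o in addr.split("."))
    return "%08x" % int.from_bytes(raw, "little")


def confirmed_hostname(
    ip: str,
    lookup_ptr: Callable[[str], Optional[str]] = PTR.get,
    lookup_a: Callable[[str], List[str]] = lambda n: A.get(n, []),
) -> Tuple[str, Optional[str]]:
    """Forward-confirmed reverse DNS, mirroring the s_bsd.c logic.
    Returns (hostname_to_display, notice). The PTR name is used only if
    the client's IP is among the A records that name resolves to;
    otherwise the client is shown by IP and an IP# Mismatch notice is
    produced, as the ircu test server did for 192.168.100.1 above."""
    ipaddress.IPv4Address(ip)  # reject malformed input before any lookup
    name = lookup_ptr(ip)
    if name is None:  # no reverse record at all: nothing to confirm
        return ip, None
    addrs = lookup_a(name)
    if ip in addrs:  # both directions agree: the name can be trusted
        return name, None
    notice = "IP# Mismatch: %s != %s[%s]" % (
        ip, name, ircu_hex(addrs[0]) if addrs else "00000000")
    return ip, notice


if __name__ == "__main__":
    for client in ("192.168.100.1", "198.51.100.7", "203.0.113.5"):
        print(client, "->", confirmed_hostname(client))
```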