Penetration Testing mailing list archives
Re: [PEN-TEST] IRC
From: Marius Huse Jacobsen <mahuja () C2I NET>
Date: Sat, 24 Feb 2001 07:20:58 +0100
Let's see... I'll just try to gather all of it together...

IRC has two main services, chat, and file transfer. File transfer is, as always, dangerous. Your users might accept files that contain bad things. We're talking of trojans, wipe-harddisk-scripts, etc. Joining #newbie on e.g. undernet is supposedly guaranteed to get you one of those files.

Also, there are those "script kiddies" that will, perhaps only because you joined a channel, run exploits (d.o.s. are popular) and generally try to wreak havoc. The perhaps most common thing is disconnecting people from irc. Other less pleasant things should be expected. If a client has a security hole, perhaps someone can even run arbitrary code on the computers - and that is bad. (two assembly codes can lock up a Win9x/M.E. box.)

Be careful with scripts as well, they often contain backdoors. (which is very dangerous security-wise)
What about all of the various trojans that do things like post "Hey world, 100.1.1.1 is infected with SubSeven, Come Hack me!" to #hack or the like? And the same thing goes for trojans that simply post your IP, FQDN, and NT SAM file? What if the next Outlook worm that comes around simply does the things mentioned above, then copies the contents of c:\My Documents (or the like) to IRC?
If you're allowing irc, you're also allowing other than (standard) user irc clients to connect to irc. And things like subseven (at least the standard ports) should of course be blocked. I don't know about any trojans that will use a random port and announce it, but be sure there will be.
Maybe Java applets have a place here, or "telnet to IRC" gateways - if people really want to supply IRC through a firewall - do it so that the client (and proxy) software has minimal scope to abuse hosts inside the perimeter.
Just make sure the connection is not from the running applet to the irc server (because there is little making a difference between it and a normal client. Both run and connect from the user computer.)
IRC is nasty for security. If you want to allow it, educate your users and be very strict with them. VERY! Put the whip in the corner for them to see ;)

Tell your users
NEVER to accept DCC sends
NEVER to do a DCC send
DCC chat is pretty ok IMHO.
Since security rises and falls on users (and admins) this is perhaps the most important point. EDUCATION!!!! DCC chat isn't entirely safe, but the scope of these attacks usually doesn't go further than locking up the irc client.

The summary: A tight security area (net) should not have any problems. However, lax security (including kids coming with their parents to work) will make problems. Very lax security is by far the most common - and it's even worse in my country. The best security would be by using an irc server, in a masq'ed environment (aka NAT). Since all users would have an irc address like 192.168.136.2 (which I think happens to be reserved for such environments, /16) anything directed at that address would never reach its destination across the internet. Then block all access to irc except for it.

Listen to all the advice you get, and apply some common sense.

----- Original Message -----
From: "Beauregard, Claude Q" <CQBeauregard () AAAMICHIGAN COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Thursday, February 22, 2001 8:48 PM
Subject: [PEN-TEST] IRC
Does anyone know where I can get good documentation on the weakness of IRC and how allowing such a service through the firewall can compromise security. Thanks
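The "no DCC sends, DCC chat tolerated" policy discussed in this thread can be enforced at an IRC gateway instead of being left to users. The sketch below is an added example, not code from the thread: it assumes a proxy that sees raw IRC lines, and the names `classify`, `dcc_endpoint` and `ALLOWED_DCC` are hypothetical. It also decodes the address a DCC offer advertises (a decimal 32-bit integer), which is why an offer from a NATed 192.168.x.x client cannot be reached from the internet.

```python
import ipaddress
import re

# CTCP requests travel inside PRIVMSG/NOTICE, delimited by \x01.
CTCP_RE = re.compile(
    r"^(?::\S+ )?(?:PRIVMSG|NOTICE) \S+ :\x01([^\x01]*)\x01?$", re.IGNORECASE)
ALLOWED_DCC = {"CHAT"}  # policy from the thread: chat tolerated, sends refused

def dcc_endpoint(kind, args):
    """Decode the address and port a DCC SEND/CHAT offer advertises, or None."""
    tail = []
    for tok in reversed(args[1:]):  # args[0] is the file name or the word "chat"
        if not tok.isdigit():
            break
        tail.insert(0, tok)
    if kind == "SEND" and len(tail) >= 3:
        tail = tail[-3:-1]          # ignore the trailing file size
    elif len(tail) >= 2:
        tail = tail[-2:]
    else:
        return None
    addr, port = int(tail[0]), int(tail[1])
    if addr > 0xFFFFFFFF or not 0 < port < 65536:
        return None
    return ipaddress.IPv4Address(addr), port

def classify(line):
    """Return (verdict, kind, endpoint) for one raw IRC line at the gateway."""
    m = CTCP_RE.match(line.rstrip("\r\n"))
    if not m:
        return ("pass", None, None)        # ordinary traffic
    parts = m.group(1).split()
    if not parts or parts[0].upper() != "DCC":
        return ("pass", None, None)        # other CTCP (ACTION, PING, ...)
    if len(parts) < 3:
        return ("drop", "MALFORMED", None)
    kind = parts[1].upper()
    verdict = "allow" if kind in ALLOWED_DCC else "drop"
    return (verdict, kind, dcc_endpoint(kind, parts[2:]))

if __name__ == "__main__":
    # Constructed sample lines; 3232270338 is 192.168.136.2 as a 32-bit integer.
    for raw in (":a!u@h PRIVMSG bob :hello\r\n",
                ":a!u@h PRIVMSG bob :\x01DCC SEND game.exe 3232270338 1024 51200\x01\r\n",
                ":a!u@h PRIVMSG bob :\x01DCC CHAT chat 3232270338 1025\x01\r\n"):
        print(classify(raw))
```
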