Penetration Testing mailing list archives

Re: [PEN-TEST] IRC


From: Marius Huse Jacobsen <mahuja () C2I NET>
Date: Sat, 24 Feb 2001 07:20:58 +0100

Let's see... I'll just try to gather all of it together...


IRC has two main services, chat, and file transfer.

File transfer is, as always, dangerous. Your users might accept files that
contain bad things. We're talking of trojans, wipe-harddisk-scripts, etc.
Joining #newbie on e.g. undernet is supposedly guaranteed to get you one of
those files.

Also, there are those "script kiddies" that will, perhaps only because you
joined a channel, run exploits (d.o.s. are popular) and generally try to
wreak havoc. The perhaps most common thing is disconnecting people from irc.
Other less pleasant things should be expected.

If a client has a security hole, perhaps someone can even run arbitrary code
on the computers - and that is bad. (two assembly codes can lock up a
Win9x/M.E. box.) Be careful with scripts as well, they often contain
backdoors. (which is very dangerous security-wise)

What about all of the various trojans that do things like post "Hey world,
100.1.1.1 is infected with SubSeven, Come Hack me!" to #hack or the like?
And the same thing goes for trojans that simply post your IP, FQDN, and NT
SAM file?  What if the next Outlook worm that comes around simply does the
things mentioned above, then copies the contents of c:\My Documents (or the
like) to IRC?

If you're allowing irc, you're also allowing other than (standard) user irc
clients to connect to irc. And things like subseven (at least the standard
ports) should of course be blocked. I don't know about any trojans that will
use a random port and announce it, but be sure there will be.

Maybe Java applets have a place here, or "telnet to IRC" gateways - if
people really want to supply IRC through a firewall - do it so that the
client (and proxy) software has minimal scope to abuse hosts inside the
perimeter.

Just make sure the connection is not from the running applet to the irc
server (because there is little difference between it and a normal
client; both run and connect from the user's computer).


IRC is nasty for security. If you want to allow it, educate your users and
be very strict with them. VERY! Put the whip in the corner for them to
see ;)
Tell your users
NEVER to accept DCC sends
NEVER to do a DCC send
DCC chat is pretty ok IMHO.

Since security rises and falls on users (and admins) this is perhaps the
most important point. EDUCATION!!!!
DCC chat isn't entirely safe, but the scope of these attacks usually doesn't
go further than locking up the irc client.



The summary:

A tight security area (net) should not have any problems. However, lax
security (including kids coming with their parents to work) will make
problems. Very lax security is by far the most common - and it's even worse
in my country.

The best security would be by using an irc server, in a masq'ed environment
(aka NAT). Since all users would have an irc address like 192.168.136.2
(which I think happens to be reserved for such environments, /16) anything
directed at that address would never reach its destination across the
internet. Then block all access to irc except for it.

Listen to all the advice you get, and apply some common sense.


----- Original Message -----
From: "Beauregard, Claude Q" <CQBeauregard () AAAMICHIGAN COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Thursday, February 22, 2001 8:48 PM
Subject: [PEN-TEST] IRC


Does anyone know where I can get good documentation on the weakness of IRC
and how allowing such a service through the firewall can compromise
security?

Thanks
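
Added example (not part of the original messages): a Python check that a proxy or log reviewer could use to enforce the DCC rule from the reply above, by finding CTCP DCC offers in raw IRC lines, decoding the advertised address, and noting whether it is an RFC 1918 private address as in the NAT suggestion. The names parse_dcc and review, the nicknames, hosts and file name are constructed for illustration.

```python
import ipaddress
import re

# A DCC offer is a CTCP payload (wrapped in \x01) inside a PRIVMSG:
#   DCC <SEND|CHAT> <argument> <IPv4 as decimal integer> <port> [size]
DCC_RE = re.compile(
    r'^:(?P<nick>[^!\s]+)\S*\s+PRIVMSG\s+(?P<target>\S+)\s+:\x01DCC\s+'
    r'(?P<kind>SEND|CHAT)\s+(?P<arg>"[^"]*"|\S+)\s+(?P<ip>\d+)\s+(?P<port>\d+)'
    r'(?:\s+(?P<size>\d+))?[^\x01]*\x01?\s*$',
    re.IGNORECASE,
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_dcc(line):
    """Return a dict describing a DCC offer, or None for any other line."""
    m = DCC_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    ip_int, port = int(m["ip"]), int(m["port"])
    if ip_int > 0xFFFFFFFF or port > 65535:
        return None  # not a well-formed offer
    peer = ipaddress.IPv4Address(ip_int)
    kind = m["kind"].upper()
    return {
        "from": m["nick"], "to": m["target"], "kind": kind,
        "arg": m["arg"].strip('"'), "peer": str(peer), "port": port,
        "size": int(m["size"]) if m["size"] else None,
        # A private address cannot be reached from across the internet.
        "private_peer": any(peer in net for net in RFC1918),
        # Rule from the message: refuse file transfers, tolerate DCC chat.
        "verdict": "allow" if kind == "CHAT" else "block",
    }

def review(lines):
    """Keep only the lines that carry a DCC offer, parsed."""
    return [r for r in map(parse_dcc, lines) if r is not None]

# Constructed sample traffic (nicknames, hosts and file name are made up).
SAMPLE = [
    ":alice!a@host.example PRIVMSG bob :hello there",
    ':mallory!m@host.example PRIVMSG bob :\x01DCC SEND "free pics.exe" '
    "3232270338 1024 48231\x01",
    ":carol!c@host.example PRIVMSG bob :\x01DCC CHAT chat 3221225985 5000\x01",
]

if __name__ == "__main__":
    for offer in review(SAMPLE):
        print(offer)
```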

