---------- Forwarded message ----------
Received: from BlackHole.RainNet.Org (rainat_private [192.168.1.3]) by Portal.RainNet.Org (8.8.8/8.8.8/Debian/GNU) with ESMTP id KAA26632 for <rainat_private>; Sun, 20 Dec 1998 10:31:10 -0500
Received: from listopher.concentric.net (listopher.concentric.net [206.173.119.117]) by BlackHole.RainNet.Org (8.8.5/8.8.5) with ESMTP id KAA13517 for <rainat_private>; Sun, 20 Dec 1998 10:31:23 -0500
Received: (from majordom@localhost) by listopher.concentric.net (8.8.3/8.8.5) id KAA21767; Sun, 20 Dec 1998 10:06:15 -0500 (EST)
Message-ID: <199812201506.JAA27379at_private>
To: ircii-epicat_private
Subject: Re: Ircii-epic: Irc: another funny stuff. In some irc clients dcc may be hijacked.
In-Reply-To: Your message of "19 Dec 1998 22:17:00 +0200." <77AMlEdphjBat_private>
Date: Sun, 20 Dec 1998 09:06:07 -0600
From: Jeremy Nelson <jnelsonat_private>
Sender: owner-ircii-epicat_private
Precedence: bulk

>I just found a funny bug playing with some irc-client. DCC-chat may be
>hijacked...

This is not a bug in the client. It is a function of the operating system. For example, this "bug" is not present in OpenBSD because it hands out ports randomly.

>The trouble comes while clients bind a port to accept or request a dcc
>CHAT/SEND or RECEIVE. This being a simple TCP connection without any ip
>control, the way to exploit it is trivial.

This is preposterous. The client informs you of the remote IP address connecting. Any half-aware user checks the IP address to make sure that it is reasonable.

>Here we go:
>
>B, the hijacker, wants to have fun with A. So he first creates
>a dcc connection with A, getting the port bound.
>
>Now A is under attack since the next ports used to create connections will
>be quite consecutive to the first one. BitchX and IRCepic seem to be
>affected by this matter. (other clients???)
>
>Now A tries to /dcc chat C, but this is just a bit lagged. (C may be a
>bot?) B, using the following source, is going to assume the identity of C
>except for his host. :-)

Folks, this is completely preposterous. This "exploit program" is nothing more than a limited-range port scanner. What this "exploit" boils down to is: "If you establish a DCC connection with me, then if I port-scan you later between when you offer a DCC and when it is received, I will be able to connect to your DCC offer." Well, duh. You could just turn this into a full-blown scanner and scan all day for DCC connections if that's what you wanted to accomplish, and even such a scanner as that would work on OpenBSD, where ports are handed out randomly.

Folks, this is not a bug, except to the extent that you completely ignore the IP address on your established DCC transactions. If it's not the right IP, close it and try again. And email the abuse contact of the offending ISP about how their users are port scanning you.

Sheesh.

Jeremy
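The defence Jeremy describes (a DCC offer is a plain TCP listener, so the receiving side must compare the address of whoever connects against the address the offer was made to, and drop anything else) as an added example in Python. This is not code from ircII/EPIC or from anyone in the thread; the names `DccOffer`, `open_offer`, `serve_offer` and `simulate`, the `hello` greeting, and the sample peers 127.0.0.1 and 192.0.2.10 are constructed for this illustration. `simulate` plays both roles on the loopback interface: when the offer was made to 127.0.0.1 the local connection is the legitimate peer; when it was made to 192.0.2.10 the same local connection stands in for an unexpected host and is rejected.

```python
"""Defensive DCC peer check (added example; not ircII/EPIC code).

A DCC CHAT/SEND offer binds a listening TCP port and waits.  The only thing
tying that port to the intended peer is the address check the client makes
when a connection arrives, so that check is the whole defence: keep the
connection if it comes from the peer the offer was made to, otherwise close
it and re-offer.  Names and sample addresses below are assumptions.
"""
import ipaddress
import socket
import threading
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class DccOffer:
    expected_peer: str    # address the /dcc was offered to (assumed field name)
    sock: socket.socket   # listening socket bound to an OS-chosen port

    @property
    def port(self) -> int:
        return self.sock.getsockname()[1]


def open_offer(expected_peer: str, bind_addr: str = "127.0.0.1") -> DccOffer:
    """Bind a listener the way a client does when it offers a DCC."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((bind_addr, 0))     # port 0: the OS picks the ephemeral port
    s.listen(1)
    return DccOffer(expected_peer, s)


def peer_matches(expected: str, actual: str) -> bool:
    """Compare addresses as addresses, not strings (e.g. "127.000.000.001")."""
    try:
        return ipaddress.ip_address(expected) == ipaddress.ip_address(actual)
    except ValueError:
        return False


def serve_offer(offer: DccOffer, timeout: float = 5.0) -> Tuple[str, bool]:
    """Accept one connection on the offer and apply the peer check.

    Returns (peer_ip, accepted).  A connection from any other address is
    closed immediately; the caller is expected to re-offer on a fresh port.
    """
    offer.sock.settimeout(timeout)
    try:
        conn, (peer_ip, _peer_port) = offer.sock.accept()
    finally:
        offer.sock.close()     # one offer, one accept; never leave it listening
    if not peer_matches(offer.expected_peer, peer_ip):
        conn.close()           # wrong IP: close it and try again
        return peer_ip, False
    conn.sendall(b"hello\n")   # stand-in for the real DCC CHAT/SEND traffic
    conn.close()
    return peer_ip, True


def simulate(expected_peer: str) -> Tuple[str, bool]:
    """Constructed scenario: offer a DCC to `expected_peer`, then connect to
    it from 127.0.0.1 and report what the listener decided."""
    offer = open_offer(expected_peer)
    result: Dict[str, Tuple[str, bool]] = {}
    t = threading.Thread(target=lambda: result.update(r=serve_offer(offer)))
    t.start()
    c = socket.create_connection(("127.0.0.1", offer.port))
    try:
        c.recv(16)             # b"hello\n" if kept, EOF if dropped
    except ConnectionResetError:
        pass                   # dropped before we could read: also a rejection
    finally:
        c.close()
    t.join()
    return result["r"]


if __name__ == "__main__":
    print("offered to 127.0.0.1, connect from 127.0.0.1:", simulate("127.0.0.1"))
    print("offered to 192.0.2.10, connect from 127.0.0.1:", simulate("192.0.2.10"))
```

The check is deliberately on the peer address the kernel reports for the accepted socket, not on anything the remote side sends in-band, because the thread's whole point is that nothing in the DCC handshake itself proves who is on the other end. Random port allocation (as on OpenBSD, per the reply) only makes the listener harder to find; the address comparison is what actually ties the connection to the intended peer.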
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:25:20 PDT