<rant> ALWAYS INFORM THE AUTHOR FIRST! This is the first I have heard of this alleged bug. If you don't know the author, you can at least inform someone who would (like IRC server administrators in this case). </rant>

I'm looking into this now, but I haven't been able to duplicate the scenario described by the original poster. Services performs the following check to determine whether a user is the "same" user as one that had identified but disconnected (e.g. by a netsplit):

    if (ni->id_timestamp != 0 && u->signon == ni->id_timestamp)

where u->signon is the timestamp field from the NICK or USER message (or 0 if no timestamp is available), and ni->id_timestamp is set equal to u->signon when the user identifies for their nick. As far as I can tell, this should be foolproof unless someone hacks one of the IRC servers to spit out false timestamps (in which case you've got a problem on your hands anyway). I would appreciate any information from the original poster demonstrating otherwise.

I should note that the version of Services in use by irc.ptnet.org appears to be modified; it is possible that their programmer(s) introduced a bug such as this. Also, as a side note, DALnet uses a Services program of their own design, and (to the best of my knowledge) has not incorporated any of my code.

I will make a release tonight adding a configuration option to disable this check and force all users to re-identify after a netsplit. Check http://achurch.dragonfire.net/services/ for downloading. (The release will also be announced on the Services mailing list; information at the above URL.)

--Andy Church
achurchat_private
http://achurch.dragonfire.net/

>Hello,
>
>I've just found a big hole in services provided by IRC networks. The
>services in question are Chanserv, Nickserv, Memoserv.
>
>I've found them at the Portuguese IRC Network aka PTNET but I think these can be
>applied to other IRC networks that are based around DALNET code since PTNET
>is a modified version of Dalnet code. If this doesn't work in other IRC
>networks it can at least be a good example of very bad programming in areas
>related to security and networking.
>
>So let's start with a bit of background so everyone can understand what
>happened...
>
>As I said PTNET is based on Dalnet code and some time ago started to
>provide 3 services to users: Chanserv (for channels), Nickserv (for
>registering nicks) and Memoserv (to leave notes to other users).
>
>One of the problems with these services was that when a netsplit occurred you had
>to identify your nick again when the servers rejoined, so you can imagine how
>annoying it can be always having to identify the nick back after every network
>split.
>
>Then came the new version of the servers, this time with a nice feature!
>You didn't need to identify the nick when the servers rejoined from the
>split! The first time I saw this I thought about how the services would
>recognize me as the true nick before the split... I never had the chance to
>test this theory until some days ago.
>
>So one server split and I took a nick from one administrator that wasn't
>even online! And to my surprise when the servers rejoined I had full
>access to administrator privileges! It just recognized the nick as a valid
>one and gave me the privileges.
>
>This feature as you can see is very very badly coded (hi tourist, pantmar
>and rob_ :) ) and it's a huge security hole because anyone can just ride a
>split and take an administrator nick and then do whatever he wants (you
>could get some user nick and what all his memos and do whatever you feel to
>his nick).
>
>This type of thing occurs because the server doesn't make any check, only
>checking if the nick exists in its database. One solution to this problem
>would be keeping a database of user/ip before the split and then comparing
>when servers rejoin.
>
>Coding something that is working in an open environment without any checks
>makes the coders guilty in every attack the network suffers. There's
>no absolute security in a computer but these stupid things can be avoided
>and contribute to a more secure networking environment.
>
>I think Dalnet and other networks use the same services, so they could be
>exploitable too.
>
>Hoping my little contribution will be useful to improve security around the
>world,
>
>Fractal Guru
>
>Any doubt feel free to email me!
>
>Greetings to: Smiler, Jaeger, Origin, Psy, Bibo, all TRPS members and the
>rest of my friends around the world!
>
>--
>Student at Oporto Faculty of Economy - Porto - Portugal
>Email: fractalgat_private
>iCQ #: 17994722
>WWW soon at http://www.dual-security.com
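The following is an added example, not code from Andy Church's Services or from PTNET's modified version. It models the two behaviours discussed in the thread side by side: the nick-exists-only check the original poster describes, and the signon-timestamp check quoted in the reply, together with the "force re-identify after a netsplit" configuration option the reply says is being added. The struct layouts, field and function names are assumptions chosen for illustration; the only thing taken from the page is the comparison `ni->id_timestamp != 0 && u->signon == ni->id_timestamp`.

```c
/* Added example (not Services' own code). Models how NickServ decides
 * whether a user rejoining after a netsplit is still identified.
 * All names and layouts are assumptions for illustration. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define NICKMAX 32

/* Registered-nick record. id_timestamp stays 0 until the owner
 * identifies; it is then set to that user's signon time. */
typedef struct {
    char   nick[NICKMAX];
    time_t id_timestamp;
} NickInfo;

/* Live user as seen from the NICK/USER message at (re)join. signon is
 * the server-supplied timestamp, or 0 if the link carries none. */
typedef struct {
    char   nick[NICKMAX];
    time_t signon;
} User;

/* Assumed configuration knob, modelling the option described in the
 * reply: when non-zero, identification never survives a split. */
static int force_reidentify_after_split = 0;

/* Weak check: the user is treated as identified merely because a
 * record for the nick exists. This is the behaviour the original post
 * complains about; anyone holding the nick at rejoin passes it. */
int identified_by_nick_only(const NickInfo *ni, const User *u)
{
    return ni != NULL && strcmp(ni->nick, u->nick) == 0;
}

/* Timestamp check quoted in the reply. A different user holding the
 * nick at rejoin carries his own signon time, which does not match the
 * id_timestamp recorded when the real owner identified. A nick that
 * never identified (id_timestamp == 0) never passes, so a missing
 * timestamp (signon == 0) cannot be mistaken for a match. */
int identified_by_timestamp(const NickInfo *ni, const User *u)
{
    if (ni == NULL || force_reidentify_after_split)
        return 0;
    return ni->id_timestamp != 0 && u->signon == ni->id_timestamp;
}

/* Called after a successful IDENTIFY: bind the nick to this session. */
void record_identification(NickInfo *ni, const User *u)
{
    ni->id_timestamp = u->signon;
}

int main(void)
{
    /* Constructed scenario: the owner identifies, a split happens, and
     * two users present the same nick when the servers rejoin. */
    NickInfo ni;
    strcpy(ni.nick, "admin");
    ni.id_timestamp = 0;

    User owner   = { "admin", 1000 };   /* original session */
    User rejoin  = { "admin", 1500 };   /* took the nick during the split */

    record_identification(&ni, &owner);

    printf("nick-only check, other user: %d (passes: the reported hole)\n",
           identified_by_nick_only(&ni, &rejoin));
    printf("timestamp check, owner:      %d\n",
           identified_by_timestamp(&ni, &owner));
    printf("timestamp check, other user: %d\n",
           identified_by_timestamp(&ni, &rejoin));

    force_reidentify_after_split = 1;
    printf("timestamp check, owner, forced re-identify: %d\n",
           identified_by_timestamp(&ni, &owner));
    return 0;
}
```

Run as-is the program prints 1, 1, 0, 0: the nick-only check accepts whoever holds the nick at rejoin, the timestamp check accepts only the session that identified, and the forced-re-identify option makes everyone identify again regardless.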
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:38:57 PDT