Bugtraq mailing list archives

Re: Ircii-epic: Irc: another funny stuff. In some irc clients dcc may be hijacked.


From: rain () INSANE LOONYBIN NET (Ben Winslow)
Date: Sun, 20 Dec 1998 10:35:43 -0500


---------- Forwarded message ----------
Received: from BlackHole.RainNet.Org (rain () BlackHole RainNet Org [192.168.1.3])
        by Portal.RainNet.Org (8.8.8/8.8.8/Debian/GNU) with ESMTP id KAA26632
        for <rain () portal RainNet Org>; Sun, 20 Dec 1998 10:31:10 -0500
Received: from listopher.concentric.net (listopher.concentric.net
    [206.173.119.117])
        by BlackHole.RainNet.Org (8.8.5/8.8.5) with ESMTP id KAA13517
        for <rain () insane loonybin net>; Sun, 20 Dec 1998 10:31:23 -0500
Received: (from majordom@localhost)
        by listopher.concentric.net (8.8.3/8.8.5)
        id KAA21767; Sun, 20 Dec 1998 10:06:15 -0500 (EST)
Message-ID: <199812201506.JAA27379 () nemesis acronet net>
To: ircii-epic () concentric net
Subject: Re: Ircii-epic: Irc: another funny stuff. In some irc clients dcc may
    be hijacked.
In-Reply-To: <77AMlEdphjB () kl Snafu DE>
Date: Sun, 20 Dec 1998 09:06:07 -0600
From: Jeremy Nelson <jnelson () acronet net>
Sender: owner-ircii-epic () concentric net
Precedence: bulk

> I just found a funny bug playing with some irc client. DCC chat may be
> hijacked...

This is not a bug in the client.  It is a function of the operating system.
For example, this ``bug'' is not present in OpenBSD because it hands out
ports randomly.

> The trouble comes while clients bind a port to accept or request a DCC
> CHAT/SEND/RECEIVE. This being a simple TCP connection without any IP
> control, the way to exploit it is trivial.

This is preposterous.  The client informs you of the remote IP address
connecting.  Any half-aware user checks the IP address to make sure
that it is reasonable.

> Here we go:
>
> B, the hijacker, wants to have fun with A. So he first creates
> a DCC connection with A, getting the port bound.
>
> Now A is under attack, since the next ports used to create connections will
> be quite consecutive to the first one. BitchX and IRCepic seem to be
> affected by this. (other clients???)
>
> Now A tries to /dcc chat C, but this is just a bit lagged. (C may be a
> bot?) B, using the following source, is going to assume the identity of C
> except for his host. :-)

Folks, this is completely preposterous.  This "exploit program" is nothing
more than a limited-range port scanner.  What this "exploit" boils down
to is:

        "If you establish a DCC connection with me, then if I port-scan
         you later between when you offer a DCC and when it is received,
         I will be able to connect to your DCC offer."

Well, duh.  You could just turn this into a full-blown scanner and scan all
day for DCC connections if that's what you wanted to accomplish, and even
such a scanner as that would work on OpenBSD, where ports are handed out
randomly.

Folks, this is not a bug, except to the extent that you completely ignore
the IP address on your established DCC transactions.  If it's not the right
IP, close it and try again.  And email the abuse contact of the offending
ISP about how their users are port scanning you.

Sheesh.
Jeremy
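The race the original poster describes, and the peer-address check Jeremy says makes it moot, as an added model that is not code from the thread or from either IRC client. It goes a little beyond the post by comparing a sequential ephemeral-port stack against a random one. The 1024-5000 range, the ten-port scan window, the number of intervening connections and the `DccOffer` class are assumptions made so the model has concrete numbers, not behaviour taken from BitchX, ircII-EPIC or any OS.

```python
"""Model of the DCC port-prediction race and the peer-address check.
Added illustration for the thread above; the port range, scan window and
DccOffer API are assumptions, not anything a real client or kernel does."""
import random

# Classic 4.4BSD-style ephemeral range, assumed here only to give the model numbers.
PORT_LO, PORT_HI = 1024, 5000
RANGE = PORT_HI - PORT_LO + 1


class SequentialPorts:
    """Stack that hands out ephemeral ports consecutively, the behaviour the
    original poster relies on (B learns p0, so A's next ports are nearby)."""
    def __init__(self, start):
        self._next = start

    def allocate(self):
        port = self._next
        self._next = PORT_LO + (port - PORT_LO + 1) % RANGE
        return port


class RandomPorts:
    """Stack that picks ephemeral ports at random, the OpenBSD behaviour the
    reply cites; knowing p0 says nothing about p1."""
    def __init__(self, rng):
        self._rng = rng

    def allocate(self):
        return self._rng.randint(PORT_LO, PORT_HI)


def predicted_ports(last_seen_port, window):
    """Ports B scans after its own DCC with A: the next `window` ports after
    the one it saw, wrapping at the top of the range."""
    return [PORT_LO + (last_seen_port - PORT_LO + i) % RANGE
            for i in range(1, window + 1)]


def race(stack, intervening, window):
    """One run: B learns p0 from its own DCC, A makes `intervening` unrelated
    connections, then offers a DCC to lagged C on p1.  Returns (p1, hit)."""
    p0 = stack.allocate()
    for _ in range(intervening):
        stack.allocate()
    p1 = stack.allocate()
    return p1, p1 in predicted_ports(p0, window)


def hit_rate(make_stack, trials, window, rng):
    """Fraction of races in which B's limited-range scan lands on A's offer."""
    hits = 0
    for _ in range(trials):
        _, hit = race(make_stack(), rng.randint(0, 5), window)
        hits += hit
    return hits / trials


def compare(seed=7, trials=2000, window=10):
    """Hit rate for a sequential stack versus a random one, same seed."""
    rng = random.Random(seed)
    seq = hit_rate(lambda: SequentialPorts(rng.randint(PORT_LO, PORT_HI)),
                   trials, window, rng)
    rnd = hit_rate(lambda: RandomPorts(rng), trials, window, rng)
    return seq, rnd


class DccOffer:
    """A's side of an offer.  The defence from the reply: whoever connects
    first is compared against the address of the user the DCC was offered to,
    and a mismatch is closed instead of being treated as C."""
    def __init__(self, expected_peer_ip, port):
        self.expected_peer_ip = expected_peer_ip
        self.port = port
        self.accepted_from = None

    def on_connect(self, peer_ip):
        if self.accepted_from is not None:
            return "busy"            # offer already taken
        if peer_ip != self.expected_peer_ip:
            return "rejected"        # B won the race but is not C: close it
        self.accepted_from = peer_ip
        return "accepted"


if __name__ == "__main__":
    seq, rnd = compare()
    print(f"sequential stack: {seq:.3f}   random stack: {rnd:.3f}")
    offer = DccOffer("192.0.2.10", 2004)           # constructed addresses
    print(offer.on_connect("198.51.100.7"), offer.on_connect("192.0.2.10"))
```

With a sequential stack every race lands inside a ten-port window, which is the whole "exploit"; with a random stack the same scanner hits at roughly window/RANGE, which is why Jeremy calls it a port scanner rather than a client bug. `DccOffer` shows the check he asks for: the connection from the wrong address is rejected regardless of which stack the host uses.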
