Bugtraq mailing list archives
Re: Ircii-epic: Irc: another funny stuff. In some irc clients dcc
From: rain () INSANE LOONYBIN NET (Ben Winslow)
Date: Sun, 20 Dec 1998 10:35:43 -0500
---------- Forwarded message ----------
Message-ID: <199812201506.JAA27379 () nemesis acronet net>
To: ircii-epic () concentric net
Subject: Re: Ircii-epic: Irc: another funny stuff. In some irc clients dcc may be hijacked.
In-Reply-To: <77AMlEdphjB () kl Snafu DE>
Date: Sun, 20 Dec 1998 09:06:07 -0600
From: Jeremy Nelson <jnelson () acronet net>
> I just found a funny bug playing with some irc-client. DCC-chat may be hijacked...

This is not a bug in the client. It is a function of the operating system. For example, this "bug" is not present in OpenBSD because it hands out ports randomly.
> The trouble comes while clients bind a port to accept or request a dcc CHAT/SEND or RECEIVE. Since this is a simple TCP connection without any IP control, the way to exploit it is trivial.
This is preposterous. The client informs you of the remote IP address connecting. Any half-aware user checks the IP address to make sure that it is reasonable.
> Here we go: B, the hijacker, wants to have fun with A. So he first creates a dcc connection with A, getting the port bound. Now A is under attack, since the next ports used to create connections will be quite consecutive to the first one. BitchX and IRCepic seem to be affected by this matter. (other clients???) Now A tries to /dcc chat C, but this is just a bit lagged. (C may be a bot?) B, using the following source, is going to assume the identity of C except for his host. :-)

Folks, this is completely preposterous. This "exploit program" is nothing more than a limited-range port scanner. What this "exploit" boils down to is: "If you establish a DCC connection with me, then if I port-scan you later between when you offer a DCC and when it is received, I will be able to connect to your DCC offer." Well, duh. You could just turn this into a full-blown scanner and scan all day for DCC connections if that's what you wanted to accomplish, and even such a scanner as that would work on OpenBSD, where ports are handed out randomly.

Folks, this is not a bug, except to the extent that you completely ignore the IP address on your established DCC transactions. If it's not the right IP, close it and try again. And email the abuse contact of the offending ISP about how their users are port scanning you.

Sheesh.

Jeremy
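The two defensive points Jeremy makes, that port predictability is an OS property and that the client should compare the connecting address against the host the DCC was offered to, can be checked with the following Python script. It is an added example, not code from this thread or from any IRC client; the listener and the expected-host values it uses are constructed loopback placeholders.

```python
import socket
from typing import List, Optional, Tuple


def ephemeral_port_samples(count: int = 8) -> List[int]:
    """Bind `count` sockets to port 0 and record the ports the kernel hands out.
    Consecutive values mean one known port lets a scanner guess the next offer;
    widely spread values mean the OS randomises, as described for OpenBSD."""
    socks, ports = [], []
    try:
        for _ in range(count):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.bind(("127.0.0.1", 0))
            socks.append(s)  # keep open so the same port is not handed out twice
            ports.append(s.getsockname()[1])
    finally:
        for s in socks:
            s.close()
    return ports


def looks_sequential(ports: List[int], max_gap: int = 2) -> bool:
    """True if every sample is within `max_gap` above the previous one."""
    gaps = [b - a for a, b in zip(ports, ports[1:])]
    return bool(gaps) and all(0 < g <= max_gap for g in gaps)


def peer_is_expected(expected_ip: str, peer: Tuple[str, int]) -> bool:
    """The check recommended above: the connecting address must be the host
    the DCC was offered to; anything else is dropped."""
    return peer[0] == expected_ip


def accept_dcc_offer(listener: socket.socket, expected_ip: str) -> Optional[socket.socket]:
    """Accept one connection on a DCC listening socket; close it if the peer is wrong."""
    conn, peer = listener.accept()
    if not peer_is_expected(expected_ip, peer):
        conn.close()
        return None
    return conn


def loopback_offer_accepted(expected_ip: str) -> bool:
    """Simulate an offer on loopback: listen on an OS-chosen port, connect from a
    second socket (so the peer is always 127.0.0.1) and apply the peer check."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(("127.0.0.1", listener.getsockname()[1]))
    try:
        conn = accept_dcc_offer(listener, expected_ip)
        if conn is not None:
            conn.close()
        return conn is not None
    finally:
        client.close()
        listener.close()
```

Running `ephemeral_port_samples()` on your own machine shows whether the kernel's allocation is consecutive enough for the guessing described in the thread; `loopback_offer_accepted("127.0.0.1")` keeps the connection while any other expected host rejects it.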