Bugtraq mailing list archives

ircd 2.9.5 & ircii-pana DNS problems


From: lcamtuf () boss staszic waw pl (Michal Zalewski)
Date: Tue, 30 Jun 1998 13:22:34 +0200


--- PREFACE ---

About a month ago, I found an interesting problem with ircd up to 2.9.5 (I
don't have newer versions). This bug (?) partially affects IRC clients,
including a nice NULL-pointer fault in BitchX-74p4 (latest release)...
But let's start from the beginning:

RFC 1035, "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION":

[...]
The labels must follow the rules for ARPANET host names.  They must
start with a letter, end with a letter or digit, and have as interior
characters only letters, digits, and hyphen.  There are also some
restrictions on the length.  Labels must be 63 characters or less.
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The same sentence can be found in RFC 1034, "DOMAIN NAMES - CONCEPTS AND
FACILITIES", and, in fact, 63 characters is the host name limit on modern
systems. Unfortunately, ircd is 'not quite' able to handle a 63-character
long hostname.

-- IRCD IMPACT --

You need access to your domain name server to create a 63-character long host
name. Please check twice that it's exactly 63 characters long, including dots
and domain name. NOTE: Setting an alias for your machine won't work. You
should modify the primary host name.

Now, propagation of your new host name could take a longer period of time
(usually less than one week) - of course, only if you're testing ircd outside
your own domain.

When everything is done, you can try to enter IRC from the prepared machine.
You'll notice something really funny - ircd crops your real name, hostname
and ident! A typical '/whois nick' should return something like this:

/whois lcamtuf
*** on irc via server genome.ml.org (Genome IRC Server)
*** lcamtuf has been idle 26 seconds

Username and host mask have been stripped by ircd! Pretty nice bug. But
(of course!) that's not all. Other IRC users can't guess who you are, ban
you from their channel, or do anything else, because there's no way to
obtain the required information about your connection. Even /who #channel
returns just nice junk instead of useful data ('never named...' is my
REALNAME):

#test       H@         0   never@named... (~lcamtuf genome.ml.org lcamtuf )

And now, the game begins...

-- BITCHX IMPACT --

That's probably the most interesting thing. When my test session joined the
channel, BitchX (popular IRC client by panasync) left IRC with the
following message from ircd:

*** Signoff: lcamtuf (Read error to lcamtuf[]: EOF from client)

But what happened? That's how it looks from the BitchX client's side (gdb
output):

Program received signal SIGSEGV, Segmentation fault.
0x80d2a16 in find_bestmatch ()

Useful stack info:

(gdb) info stack
#0  0x80d2a16 in find_bestmatch ()
#1  0x80d5167 in lookup_userlevelc ()
#2  0x80b55af in add_to_channel ()
#3  0x80c3893 in whoreply ()
#4  0x80c571f in parse_server ()
#5  0x80ca8c9 in do_server ()
#6  0x80a584f in io ()
#7  0x80a5492 in get_line ()
#8  0x80a5ca7 in main ()

Hmm, I'm guessing BitchX dies due to a NULL pointer when trying to
determine my host name (and user level).

-- VULNERABLE PLATFORMS --

I tested it only on Linux in my local network, because I have no access to
other nameservers, but it seems to be reproducible.

-- FIX --

None yet (?).

_______________________________________________________________________
Michal Zalewski [lcamtuf () boss staszic waw pl] <= finger for pub PGP key
To iterate is human, to recurse divine [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]
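The two failure modes in the post (a server that cannot hold a host name of exactly HOSTLEN = 63 characters, and a client that walks off a NULL pointer when a WHO reply arrives with its user/host fields stripped) are illustrated by the following added example. It is not code from ircd or BitchX; the struct layout, the RPL_WHOREPLY (352) field order, the mask syntax and the user list are my own assumptions for the demonstration. The host-name copy accepts 63 characters plus the NUL and refuses 64; the parser counts the fixed parameters and rejects a cropped reply instead of half-filling the record, so the user-level lookup never sees a missing host.

```c
/* Added example, not ircd or BitchX code: bounded host-name copy plus a
 * defensive RPL_WHOREPLY (352) parser and user-level lookup. Field order,
 * sizes and the user list below are assumptions for the demonstration. */
#define _POSIX_C_SOURCE 200809L   /* strtok_r */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOSTLEN 63                /* RFC 1034/1035 host name limit */

/* Copy src into dst[dstsz]; a 63-char name must fit with its NUL, 64 must fail. */
int copy_hostname(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n == 0 || n > HOSTLEN || dstsz < n + 1)
        return -1;
    memcpy(dst, src, n + 1);      /* n + 1 copies the terminator too */
    return 0;
}

/* 1 if a name of n characters is accepted by copy_hostname(), else 0. */
int hostname_len_ok(size_t n)
{
    char name[128], dst[HOSTLEN + 1];
    if (n >= sizeof name) return 0;
    memset(name, 'a', n); name[n] = '\0';
    return copy_hostname(dst, sizeof dst, name) == 0;
}

struct whoreply {
    char channel[64], user[32], host[HOSTLEN + 1], server[HOSTLEN + 1];
    char nick[32], flags[16], realname[128];
    int hops;
};

/* Parse ":srv 352 me <chan> <user> <host> <server> <nick> <flags> :<hops> <real>".
 * Returns 0 on success, -1 if a fixed field is missing, extra, or too long,
 * so a reply the server has cropped is dropped rather than half-filled. */
int parse_whoreply(const char *line, struct whoreply *w)
{
    char buf[512], *p, *trail, *save, *f[8];
    int i;

    memset(w, 0, sizeof *w);
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    p = buf;
    if (*p == ':') {                         /* skip the server prefix */
        if ((p = strchr(p, ' ')) == NULL) return -1;
        p++;
    }
    if ((trail = strstr(p, " :")) == NULL) return -1;  /* trailing param */
    *trail = '\0'; trail += 2;
    /* numeric, target nick and six middle parameters: exactly 8 tokens */
    for (i = 0; i < 8; i++)
        if ((f[i] = strtok_r(i ? NULL : p, " ", &save)) == NULL) return -1;
    if (strtok_r(NULL, " ", &save) != NULL || strcmp(f[0], "352") != 0) return -1;
    w->hops = atoi(trail);
    p = strchr(trail, ' ');
    snprintf(w->realname, sizeof w->realname, "%s", p ? p + 1 : "");
    snprintf(w->channel, sizeof w->channel, "%s", f[2]);
    snprintf(w->user, sizeof w->user, "%s", f[3]);
    if (copy_hostname(w->host, sizeof w->host, f[4]) < 0) return -1;
    snprintf(w->server, sizeof w->server, "%s", f[5]);
    snprintf(w->nick, sizeof w->nick, "%s", f[6]);
    snprintf(w->flags, sizeof w->flags, "%s", f[7]);
    return 0;
}

/* IRC-style mask match: '*' any run, '?' one char, case-insensitive. */
int mask_match(const char *mask, const char *s)
{
    for (;;) {
        if (*mask == '*') {
            while (*mask == '*') mask++;
            if (!*mask) return 1;
            for (; *s; s++)
                if (mask_match(mask, s)) return 1;
            return 0;
        }
        if (!*mask || !*s) return !*mask && !*s;
        if (*mask != '?' && tolower((unsigned char)*mask) != tolower((unsigned char)*s))
            return 0;
        mask++; s++;
    }
}

/* Constructed user list (mask -> level); a real client reads this from config. */
static const struct { const char *mask; int level; } userlist[] = {
    { "*!*@*.staszic.waw.pl", 50 },
    { "lcamtuf!*@*",          10 },
};

/* Highest level whose mask matches nick!user@host, 0 if none,
 * -1 for a malformed reply (the case the post's client crashed on). */
int who_userlevel(const char *line)
{
    struct whoreply w;
    char nuh[32 + 32 + HOSTLEN + 3];
    int best = 0;
    size_t i;

    if (parse_whoreply(line, &w) < 0) return -1;
    snprintf(nuh, sizeof nuh, "%s!%s@%s", w.nick, w.user, w.host);
    for (i = 0; i < sizeof userlist / sizeof userlist[0]; i++)
        if (mask_match(userlist[i].mask, nuh) && userlist[i].level > best)
            best = userlist[i].level;
    return best;
}

int main(void)
{
    /* constructed replies: a complete one and one with user/host/server cropped */
    printf("full: %d\n", who_userlevel(":genome.ml.org 352 me #test ~lcamtuf "
           "host.staszic.waw.pl genome.ml.org lcamtuf H@ :0 never named..."));
    printf("cropped: %d\n", who_userlevel(":genome.ml.org 352 me #test lcamtuf H@ :0 never named..."));
    return 0;
}
```

The cropped reply is refused by the parameter count before any field is touched, which is the behaviour a client wants in place of a segfault in its lookup path; the server side fix is the same idea in reverse, sizing every host buffer at HOSTLEN + 1 so the 63rd character does not displace the terminator.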


