/* MaD SKiLL 'H'
 * yay, it's us!
 *
 * Visit our website at http://www.madskill.tk for more info
 * about us.
 *
 * Topic: Serious flaws in Unreal IRCd >= 3.1.1
 * Vulnerabilities found by Zombie
 *
 * Shouts go to: MsH(!), DFA, IceDragon, Key (for his kickass
 * network), r0ut3r
 *
 * This article (security advisory) was written by skyrim
 * 19:55 24-6-02
 */

Serious flaw in Unreal IRCd >= 3.1.1 - Denial of Service
====================================

Vulnerable: UnrealIRCd >= v3.1.1
Tested on : UnrealIRCd v3.1.1, v3.1.2, v3.1.3

Unreal IRCd, one of the most popular IRCds for UNIX systems, contains serious security vulnerabilities. The one discussed here involves server linking. A quick look at how the Unreal IRCd linking protocol works:

PASS <linkpassword>
SERVER <servername> 1 :<server description>

(The angle-bracketed fields are placeholders; the 1 is the hop count.) This is what a server sends when it logs into another server in order to link. The problem does not lie in the login itself, however. When we open a plain TCP connection to one of the servers, without any client software in between, we can send whatever commands we like. We introduce ourselves as a server using the protocol above, and once the link has been accepted we are able to issue server-level commands. One of them makes the server we connected to crash:

JOIN #!

So what happens? We asked the server to join this channel itself, which Unreal IRCd does not expect, and the daemon dies with a segmentation fault. The same thing can be done by any IRC operator with access to OperServ (when services are enabled, of course), which takes down the server that the services are linked to:

/operserv RAW JOIN #!

Note that #! could be any channel name; the bug is in the handling of a JOIN that comes from a server. Getting to that point over a forged link does require passing the PASS step, i.e. a link password the target accepts, or control of a server that is already linked, such as services. In general this vulnerability would not harm a network that quickly, unless IRC operators are malicious and corrupt users: this will be very uncommon of course, since the dear network owners choose their operators very carefully ;).
Faking network links is also a possibility. Our own advice at the moment is to use encrypted links, which are much harder to fake; unless you fully change your IRCd, of course.

Another flaw in ALL Unreal IRCd versions - Party time!
========================================

Vulnerable: All Unreal IRCd servers with /SVSNICK enabled
Tested on : UnrealIRCd v3.1.1, v3.1.2, v3.1.3

Another flaw was found in Unreal IRCd, giving IRC opers the possibility to manipulate their own nicks using /svsnick. The /svsnick command is used by opers (normally through services) to change the nickname of a user:

SVSNICK <nick> <newnick> :<timestamp>

This command does not check for disallowed characters such as the control character 0x03 (Ctrl-C, typed as Alt+3 in mIRC), which many IRC clients such as mIRC use for colour codes. So, using this command, opers could give their nicks a bit of colouring with something like:

/svsnick skyrim ^C12s^C2k^C12y^C2r^C12i^C2m :1024940702

(^C denotes the 0x03 byte.) If the server is linked to a network, though, the fun won't last long. Since SVSNICK is only unchecked locally, other servers that receive the nick change, and which DO check nicks, kill the user for using disallowed characters. As you can see, not really a bug, more just for fun.

MaD SKiLL 'H'
http://www.madskill.tk
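As an added example covering both flaws described above (illustrative code written for this page, not code from the advisory or from UnrealIRCd), the following Python script parses IRC protocol lines as they would arrive on a server-to-server link and flags the two things the advisory says Unreal did not guard against: a JOIN whose source is a server rather than a user, and a SVSNICK (or NICK) that introduces a nick containing control characters or other characters outside the nickname grammar. The sample session, the server names and the link password are constructed; the nickname grammar is taken from RFC 2812 with the length limit left out, which is an assumption about what "disallowed characters" means here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 2812 nickname grammar: first char a letter or special, then letters,
# digits, specials or '-'.  special = [ ] \ ` _ ^ { | }.  The length limit
# is deliberately left out here, since it is server-configurable.
NICK_RE = re.compile(r"^[A-Za-z\[\]\\`_^{|}][A-Za-z0-9\[\]\\`_^{|}\-]*$")


@dataclass
class Message:
    prefix: Optional[str]   # 'server.name' or 'nick!user@host' without the leading colon
    command: str
    params: List[str]


def parse_line(line: str) -> Message:
    """Split one IRC line into prefix, command and params (trailing ':' param included)."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        raise ValueError("empty IRC message")
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return Message(prefix, parts[0].upper(), params)


def is_server_prefix(prefix: str) -> bool:
    """User prefixes are nick!user@host; a prefix without '!' and '@' names a server."""
    return "!" not in prefix and "@" not in prefix


def nick_problems(nick: str) -> List[str]:
    """Return the reasons a nick should be rejected; an empty list means it is acceptable."""
    problems = []
    controls = sorted({ord(c) for c in nick if ord(c) < 0x20 or ord(c) == 0x7F})
    if controls:
        problems.append("control characters " + ", ".join(f"0x{c:02X}" for c in controls))
    if not NICK_RE.match(nick):
        problems.append("outside the nickname grammar")
    return problems


def audit_link(lines: List[str]) -> List[Tuple[str, str]]:
    """Scan lines received on a server link; return (command, detail) for each suspicious one.

    Assumes every line came in over a server-to-server connection, so a JOIN
    without a user prefix is the peer server asking us to join a channel ourselves.
    """
    findings = []
    peer = None
    for raw in lines:
        msg = parse_line(raw)
        if msg.command == "SERVER" and peer is None and msg.params:
            peer = msg.params[0]           # the name the peer introduced itself with
        elif msg.command == "JOIN":
            if msg.prefix is None or is_server_prefix(msg.prefix):
                source = msg.prefix or peer or "unknown peer"
                channel = msg.params[0] if msg.params else "?"
                findings.append(("JOIN", f"server-sourced JOIN of {channel} from {source}"))
        elif msg.command in ("SVSNICK", "NICK"):
            # SVSNICK <nick> <newnick> :<ts> renames someone else; NICK <newnick> renames the sender
            idx = 1 if msg.command == "SVSNICK" else 0
            if len(msg.params) > idx:
                problems = nick_problems(msg.params[idx])
                if problems:
                    findings.append((msg.command, f"{msg.params[idx]!r}: " + "; ".join(problems)))
    return findings


# Constructed sample session: what a rogue peer could send after the PASS/SERVER
# handshake from the advisory, followed by a coloured SVSNICK relayed by services.
SAMPLE_LINK_SESSION = [
    "PASS linkpassword",                                       # constructed link password
    "SERVER rogue.example.net 1 :Fake hub",                    # peer introduces itself as a server
    "JOIN #!",                                                 # the crash trigger from the advisory
    ":services.example.net SVSNICK skyrim \x0312s\x032k\x0312y\x032r\x0312i\x032m :1024940702",
    ":skyrim!sky@host.example NICK skyrim2",                   # ordinary client nick change, not flagged
]

if __name__ == "__main__":
    for command, detail in audit_link(SAMPLE_LINK_SESSION):
        print(command, "-", detail)
```

Running the script over the constructed session reports the server-sourced JOIN of #! and the SVSNICK carrying 0x03 bytes, and says nothing about the ordinary NICK change; the same two checks are what a receiving server would need to apply before acting on either command.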