[10093] in bugtraq
Long-standing bug in AustNet IRC network Virtual World
daemon@ATHENA.MIT.EDU (Grant Bayley)
Mon Apr 5 13:21:54 1999
Date: Sat, 3 Apr 1999 15:55:31 +1000
Reply-To: Grant Bayley <gbayley@AUSMAC.NET>
From: Grant Bayley <gbayley@AUSMAC.NET>
To: BUGTRAQ@NETSPACE.ORG

Hi folks,

I've documented (with examples) a long standing bug in the AustNet IRC
network "Virtual World" service which masks user IP address/hostnames for
the purpose of preventing nukes and other fun things. The admins have
known about it for some time but seem to want to fix things like LoveOP
which sends lame love messages rather than helping their users stay
anonymous and secure, something they tout quite widely on their webpage.

In short, it uses a trivial but brute force attack using /who queries even
when the user is set to +i (invisible).

I've documented it at:

http://www.2600.org.au/austnet-hack.html

And there is a plain text version at:

http://www.2600.org.au/austnet-hack.txt

I should mention in passing that other IRC networks like Xnet that offer
hostname/ip masking do not suffer from the same bug.

Have fun.

Grant
___________________________________________________
Grant Bayley
- Network Administrator, Batey Kazoo Communications
- Administrator, The AusMac Archive
http://www.ausmac.net/ gbayley@ausmac.net
__________________________________________________