[10111] in bugtraq
Re: Long-standing bug in AustNet IRC network Virtual World
daemon@ATHENA.MIT.EDU (Paul McGovern)
Tue Apr 6 17:42:21 1999
Date: Tue, 6 Apr 1999 00:07:24 -0400
Reply-To: Paul McGovern <isles@XNET.ORG>
From: Paul McGovern <isles@XNET.ORG>
X-To: Grant Bayley <gbayley@AUSMAC.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.04.9904031547290.10135-100000@ausmac.net>
On Sat, 3 Apr 1999, Grant Bayley wrote:
| Hi folks,
|
| I've documented (with examples) a long standing bug in the AustNet IRC
| network "Virtual World" service which masks user IP address/hostnames for
| the purpose of preventing nukes and other fun things. The admins have
| known about it for some time but seem to want to fix things like LoveOP
| which sends lame love messages rather than helping their users stay
| anonymous and secure, something they tout quite widely on their webpage.
<snip>
| I should mention in passing that other IRC networks like Xnet that offer
| hostname/ip masking do not suffer from the same bug.
It appears that the Relicnet IRC network, which just the other day
implemented their version of 'vworld,' suffers from the same sort of
vulnerability. Quick example:
nyisles_ - isles@relic5364.krad.org
ircname - moderate rock...
server - styx.us.relic.net [Dare thee cross the River of Hate?]
idle - 0h 4m 52s
nyisles_'s real hostname is jive.krad.org. When nyisles_ is /umode -i or
on the same channel as the 'attacker,' and the attacker decides 'well i
dont like this guy and wish to DoS him and/or try to exploit his machine,'
he can simply host -l krad.org (as documented on the 2600.org.au site).
Then, he can /who *<krad.org host here>* until he does, say, /who *jive*
and get:
* H nyisles_ [isles@relic5364.krad.org] (styx.us.relic.net!0)
thus, an attacker who assumes i am using jive.krad.org but wasn't sure has
just been proven that that's really my host and can nuke the crap out of
me or whatever. The same thing works on IPs - relicnet's IP masking is
even easier to guess around since only the last number in the IP in a
non-reversing IP is hidden (i.e. 209.52.169.7 becomes 209.52.169.000, and
the attacker can just /who 209.52.169.1 209.52.169.2 etc. until he hits
209.52.169.7, and then bingo, the /who will respond with:
* H nyisles_ [isles@209.52.169.000] (styx.us.relic.net!0)
and once again give away my real IP and remove my so-called 'blanket of
security.') I verified this on others by telling one of the opers there
his real hostname after he joined with
() The-1-Law (blah@relic5669.dmrtc.net) joined channel #RelicNet
since this ISP's nameservers didn't allow host -l queries, /msg nickserv
list *dmrtc* gave me someone else's real dmrtc.net host as an example, and
after about 30 seconds of /who guessing i had his real host (much to his
dismay). There may be other vulnerable networks, so far xnet.org is the
only network that uses a vworld-type system that i know of that *isn't*
vulnerable.
-=--=--=--=--=--=--=--=--=--=--=--=--=--=-
Paul McGovern (nyisles) - isles@lamer.net
BSBW Public Library - Technical Assistant
IRC Administrator - redemption.xnet.org
IRC Administrator - krad.fef.net
http://www.krad.org (under construction)
-=--=--=--=--=--=--=--=--=--=--=--=--=--=-
