Re: OpenProjects IRCD allows DNS spoofing
daemon@ATHENA.MIT.EDU (Matthew S. Hallacy)
Sun Oct 14 21:29:15 2001
Date: Sun, 14 Oct 2001 07:28:17 -0600
From: "Matthew S. Hallacy" <poptix@techmonkeys.org>
To: bugtraq@securityfocus.com
Cc: isomer@undernet.org, db@db.net, Jukka Mutex <jmutex@Aphex.NewGold.NET>
Message-ID: <20011014072817.U11846@techmonkeys.org>
In-Reply-To: <200110091845.f99IjJN74537@Aphex.NewGold.NET>; from jmutex@Aphex.NewGold.NET on Tue, Oct 09, 2001 at 06:45:19PM +0000
This is incorrect: ircu has had hostname checking for a very
long time, as well as hybrid. While it's completely possible
that the nameserver used by this server had its cache poisoned, or
that a different bug was found, I can assure you that it is not
as simple as setting a PTR entry and connecting.
Snippet from s_bsd.c in ircu2.10.05:
/*
 * Verify that the host to ip mapping is correct both ways and that
 * the ip#(s) for the socket is listed for the host.
 */
if (hp)
{
  /* hp holds the forward (A) records for the name the PTR lookup returned */
  for (i = 0; hp->h_addr_list[i]; i++)
    if (!memcmp(hp->h_addr_list[i], &cptr->ip, sizeof(struct in_addr)))
      break;              /* the socket's IP is one of that host's addresses */
  if (!hp->h_addr_list[i])
  {
    /* no A record matched the socket's IP: warn opers, discard the hostname */
    sendto_op_mask(SNO_IPMISMATCH, "IP# Mismatch: %s != %s[%08x]",
                   inetntoa(cptr->ip), hp->h_name, *((unsigned int *)hp->h_addr));
    hp = NULL;
  }
}
Perhaps the person showing this to you was nice enough to poison a
nameserver for you as well.
Further testing:
> /MODE poptrix +s 65535
∙φ∙ 32767 : Server notice mask (0x7fff)
[test.net] IP Mismatch 192.168.100.1 != babble.tc.umn.edu[89975ea0]
[test.net] Client Connecting: poptix [~poptix@192.168.100.1) ]
> /WHOIS poptix
┌─────---─--──-──────---─--──-─────────--- -- -
| poptix (~poptix@192.168.100.1) (unknown)
│ ircname : poptix
│ server : test.net (ircu test server)
: idle : 0 hours 4 mins 21 secs (signon: Sun Oct 14 08:22:31 2001)
> /VERSION
∙φ∙ u2.10.05.18.(ipcheck4-5).: test.net M>0B6CeEHIKMStU
[irc@tranq ircd]$ host 192.168.100.1
1.100.168.192.in-addr.arpa. domain name pointer babble.tc.umn.edu.
[irc@tranq ircd]$ host babble.tc.umn.edu
babble.tc.umn.edu. has address 160.94.151.137
Matthew S. Hallacy
> * OpenProjects.NET IRCD DNS Spoofing *
>
> OpenProjects.net's ircd has some truly braindead code re DNS lookups
> and doesn't do a proper double-reverse paranoid lookup. In fact, it
> is possible to spoof any hostname that actually exists on the internet.
>
> Here is how to exploit it.
>
> 1. Choose a Hostname to Spoof.
> It is important to keep in mind that you must choose a hostname that
> actually exists. For our example, we will use 'gary7.nsa.gov'.
>
> 2. Point Your Reverse Lookup To The Hostname.
> For our example, we will put the following in our BIND zonefile:
> 47.222.42.209.in-addr.arpa. IN PTR gary7.nsa.gov.
>
> Where we will assume you are using the same IP I used, 209.42.222.47.
>
> 3. Connect To A Vulnerable IRC Server.
> BitchX -H 209.42.222.47 jmutex asimov.openprojects.net
>
> Try a WHOIS on yourself.
>
> /whois jmutex
> | jmutex (jmutex@gary7.nsa.gov) (Government)
> ½ ircname : Jukka Mutex
> ½ server : asimov.openprojects.net (Fremont, CA)
> : idle : 0 hours 0 mins 24 secs (signon: Tue Oct 9 05:32:16 2001)
>
> Credits: jmutex@newgold.net, chrisj@newgold.net, lilo
> Found by: Joseph Mallett
> Affects: OpenProjects u2.10.05.18.(ipcheck4-5)
> Rumored to Affect: Hybrid
>
> Copyright (c) 2001 Joseph Mallett. All rights reserved.
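The forward-confirmation check Hallacy quotes from s_bsd.c, worked as a stand-alone example (added here; this is not ircu's code): check_host_ip() keeps the loop from the snippet, and the hypothetical helper check_host_ip_str() builds a hostent from constructed PTR and A data so the spoof case from the advisory (a PTR naming another site's host whose A record is a different IP) can be exercised offline without a live resolver.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>

/* Outcome of the forward-confirmed reverse DNS check. */
typedef enum { HOST_OK = 0, HOST_NO_PTR = 1, HOST_IP_MISMATCH = 2 } host_check_t;

/* Same logic as the ircu snippet: the name from the PTR lookup (hp) is
 * accepted only if one of the A records returned for that name equals
 * the address the socket actually connected from. A forged PTR that
 * names someone else's host fails here, because that host's A records
 * do not contain the connecting IP. */
host_check_t check_host_ip(const struct hostent *hp, struct in_addr ip)
{
    if (!hp)
        return HOST_NO_PTR;          /* no reverse entry: ircd falls back to the IP */
    for (int i = 0; hp->h_addr_list[i]; i++)
        if (!memcmp(hp->h_addr_list[i], &ip, sizeof(struct in_addr)))
            return HOST_OK;
    return HOST_IP_MISMATCH;         /* ircu logs "IP# Mismatch" and drops hp */
}

/* Hypothetical test helper (not part of ircu): builds a hostent from a PTR
 * name and a space-separated list of A records, standing in for the
 * resolver so the check runs on constructed data. */
host_check_t check_host_ip_str(const char *client_ip, const char *ptr_name,
                               const char *a_records)
{
    struct in_addr ip, addrs[8];
    char *addr_list[9], buf[256];
    struct hostent hp;
    int n = 0;

    if (inet_pton(AF_INET, client_ip, &ip) != 1)
        return HOST_IP_MISMATCH;
    strncpy(buf, a_records, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " "); tok && n < 8; tok = strtok(NULL, " ")) {
        if (inet_pton(AF_INET, tok, &addrs[n]) == 1) {
            addr_list[n] = (char *)&addrs[n];
            n++;
        }
    }
    addr_list[n] = NULL;             /* hostent address lists are NULL-terminated */

    hp.h_name = (char *)ptr_name;
    hp.h_aliases = NULL;
    hp.h_addrtype = AF_INET;
    hp.h_length = sizeof(struct in_addr);
    hp.h_addr_list = addr_list;
    return check_host_ip(&hp, ip);
}
```

With the addresses from Hallacy's test above, a client at 192.168.100.1 whose PTR claims babble.tc.umn.edu (A record 160.94.151.137) gets HOST_IP_MISMATCH, which is exactly the "IP Mismatch" notice the opers saw.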