[8801] in bugtraq

home help back first fref pref prev next nref lref last post

Re: DCC HiJacking patch for BitchX 75p1

daemon@ATHENA.MIT.EDU (YounGoat)
Wed Dec 23 19:49:01 1998

Date: 	Tue, 22 Dec 1998 13:48:06 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: YounGoat <youngoat@ALFHEIM.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.4.00.9812221847050.2419-100000@blast>

I can see this being exploited.  I'll give you an example.  You have A who is
trying to hijack B's DCC to C who is a bot.

A dcc chat's B.  (he gets the port that that B uses.  And gives that to
his hijack program which will then go thorough the next 150 ports or so over and
over)

A asks B if he is able to DCC chat the bot C.  And asks B to try.

When B tries to dcc the bot, guess who is right there ready to connect to B and
give him a "Enter your password."  prompt?

This is not meant to be a guide for script kiddies, but I do believe this is
certainly a problem, and the only sure fix is to check the hostname of the
person connecting or use a password that is given during the DCC request for
authentication.  Since the latter would involve changing the IRC protocol, I'd
say irc clients are just going to have to verify that the right person is
connecting.  With that, the worst thing that could happen is that somebody
could keep connecting and the irc client would keep rejecting him, possibly
causing a DOS.

----------------------------------
E-Mail: YounGoat <youngoat@alfheim.net>
Date: 22-Dec-98
Time: 13:39:09

This message was sent by XFMail
----------------------------------


On 23-Dec-98 mikey wrote:
> Yes, this might help. But why worry? they would need to port scan, and
> find the port quicker than the other client can connect. Do you think they
> can do this all the time? Or Barely ever? So this is not a problem, I
> don't understand why anyone even got jumpy over it. I could do the same
> with ftp, ftp opens ports waiting to recieve files. Do you see people
> making patches for that?
>
> On Sun, 18 Oct 1998, Alessio Orlandi wrote:
>
>> Hi all,
>>    as recently discovered, with a simple port scan you can hijack some
>> of the BitchX dcc
>> connections. This due to the port assigning on the requesting client.
>> Here follows a really short patch that will fix the problem. The problem
>> is here:
>> BitchX when creates a DCC connection (listening socket) uses the
>> functions
>> connect_by_number (defined in network.c file). Passing as port 0
>> This means that the OS will determine the port. Now.. for mental order..
>> the ports will be quiet consecutive. Bad.. Bad... So.. let's add a
>> random value to the port returned by the system. All is now fixed.
>> Patch follows
>> -----------------------------------------------------------------------------
>> ------------
>>
>> Regards
>>                                                           Alessio
>> "NaiL^d0d@ircnet/ircity" Orlandi
>> Thanks to: hackers@ircity Litos (you one of my best friend), Nervous,
>> awgn (hehe),
>>                                         Lordfelix (salam), Raptor,
>> BlackJam, kasko, antirez
>>          and  hackers.it@ircnet Soren, NaiF, Bonjo
>> -----------------------------------------------------------------------------
>> -----------
>>
>>
>>

home help back first fref pref prev next nref lref last post