[8812] in bugtraq
Re: Ircii-epic: about dcc hijacking...
daemon@ATHENA.MIT.EDU (Illuminatus Primus)
Thu Dec 24 18:36:10 1998
Date: Wed, 23 Dec 1998 15:15:14 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Illuminatus Primus <vermont@GATE.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.03.9812221541130.23234-100000@Portal.RainNet.Org>
> >More, it could not be a `bug', anyway we can easily patch irc-client to
> >bind random port.
> This won't change the problem since you can still port-scan a wider range
> to pick up the random ports. This kind of stuff is best left to the
> operating system.
I think you are falsely minimizing the problem and the proposed solution.
While port scanning a range of 20 or so ports can be done continuously
with one iteration taking at most a few seconds, port scanning the entire
range of 64512 possible ports for a random listening socket makes it
considerably more difficult to nail the right one.
Also, I suspect that ircii binds the listening port before advertising it
over IRC. This means that the "race" to connect to the port has as much
time as it takes IRC to relay the message to the intended client.. which
can be quite a long time, as I'm sure we're all aware IRC isn't the
fastest thing.
Why wait for the OS to increase your security, when an easy and compatible
method exists and can be implemented with a small amount of effort?
> >Which is your point of view? hehe
> My point of view is that one should write a script to hook /on dcc_offer,
Checking user@host (via whois) is vulnerable to DNS spoofing. Using the
results of stats L is better, but both methods break compatibility with
IRC proxies and FXP-type relaying.
Using a random port over a broad range gives reasonable satisfaction that
the person connecting shares the secret (the random port) with you.. and
they can still connect from whatever IP their configuration reaches you
from. If a change in the protocol were possible, perhaps a large key could
be transmitted as the greeting on the DCC connection to further prove the
identity of the connector.
> Something that hooks /on dcc_offer and then does a $listen() to fool the
> port scanner into connecting to the $listen() socket would be sufficient.
This only defeats a dumb scanner, and needlessly wastes resources.
Pimpin'!
-vermont@gate.net
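The two mitigations argued for in the message above, as an added example that is not part of the original post and not ircii code: the offering side binds a random port drawn from the whole unprivileged range instead of a small window, and (the hypothetical protocol change the author floats) the DCC offer carries a random token which the connecting peer must present as its first line. A connector that wins the race to the port by scanning, but lacks the token, is dropped. The wire format "DCC-TOKEN <hex>", the 16-byte token size and the use of a thread-shared dict to stand in for the offer travelling over IRC are all assumptions made for this illustration.

```python
import hmac
import secrets
import socket
import threading

# Added illustration, not ircii code: a hypothetical DCC handshake in which the
# offering side binds a random port from a broad range AND expects the first
# line from the connecting peer to carry a secret token that was sent along
# with the DCC offer over IRC.  The wire format "DCC-TOKEN <hex>" is an assumption.
PORT_LO, PORT_HI = 1024, 65535
GREETING_PREFIX = "DCC-TOKEN "


def pick_random_port():
    """Random listening port over the full unprivileged range, rather than the
    ~20-port window the post says a scanner can sweep in a few seconds."""
    return PORT_LO + secrets.randbelow(PORT_HI - PORT_LO + 1)


def make_token():
    """16 random bytes, hex encoded; travels with the DCC offer over IRC."""
    return secrets.token_hex(16)


def greeting_ok(expected_token, greeting_line):
    """True only if the peer's first line carries the exact token (constant-time compare)."""
    line = greeting_line.strip()
    if not line.startswith(GREETING_PREFIX):
        return False
    presented = line[len(GREETING_PREFIX):]
    return hmac.compare_digest(presented.encode(), expected_token.encode())


def dcc_offerer(token, ready, outcome):
    """Bind first, then 'advertise' the port (here: via the ready dict), then
    accept connections until the token holder arrives; everyone else is dropped."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(10)
    while True:                                   # retry if the random port is in use
        port = pick_random_port()
        try:
            srv.bind(("127.0.0.1", port))
            break
        except OSError:
            continue
    srv.listen(5)
    ready["port"] = port
    ready["event"].set()                          # stands in for the DCC offer over IRC
    outcome["rejected"] = []
    while True:
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            break
        with conn:
            conn.settimeout(2)                    # a silent connector must not stall us
            try:
                line = conn.makefile("r").readline()
            except (socket.timeout, OSError):
                line = ""
            if greeting_ok(token, line):
                conn.sendall(b"DCC-OK\n")
                outcome["accepted"] = line.strip()
                break
            conn.sendall(b"DCC-REJECT\n")
            outcome["rejected"].append(line.strip())
    srv.close()


def dcc_connect(port, first_line):
    """Connecting peer: send the greeting line, return the offerer's one-line verdict."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(first_line.encode())
        return c.makefile("r").readline().strip()


def demo():
    """Run offerer, hijacker and intended peer on loopback; return the two verdicts."""
    token = make_token()
    ready = {"event": threading.Event()}
    outcome = {}
    t = threading.Thread(target=dcc_offerer, args=(token, ready, outcome), daemon=True)
    t.start()
    ready["event"].wait(5)
    port = ready["port"]
    # Hijacker that won the race to the port (found it by scanning) but has no token.
    hijacker = dcc_connect(port, GREETING_PREFIX + "00" * 16 + "\n")
    # Intended peer, who received the token together with the offer over IRC.
    legit = dcc_connect(port, GREETING_PREFIX + token + "\n")
    t.join(5)
    return hijacker, legit, outcome


if __name__ == "__main__":
    h, l, o = demo()
    print("hijacker got:", h)                    # DCC-REJECT
    print("legit got:   ", l)                    # DCC-OK
    print("rejected greetings:", o["rejected"])
```

The random port alone only buys time (a scanner still needs on the order of the range size in probes before the real peer connects); the token is what turns "first to connect" into "knows the secret", and checking it with a constant-time compare avoids leaking it byte by byte through timing. As the message notes, this would need both ends of the DCC protocol to change, so it is shown here only as a model of the idea.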