[UNIX] Serious Flaw in Unreal IRCd (Server Linking, Svsnick)
From: support@securiteam.com
Date: 07/18/02
From: support@securiteam.com To: list@securiteam.com Date: Thu, 18 Jul 2002 08:10:36 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Serious Flaw in Unreal IRCd (Server Linking, Svsnick)
------------------------------------------------------------------------
SUMMARY
Unreal IRCd, one of the most popular IRCds for UNIX systems, contains
serious security vulnerabilities.
DETAILS
Vulnerable systems:
* UnrealIRCd version 3.1.1 and prior
Denial of service:
Let us take a quick look at how the Unreal IRCd linking protocol works:
PASS <link password>
SERVER <server name> 1 <description>
When a server logs into another server for linking, this is what it
sends. The problem does not lie in the login, however. If we open a raw
socket connection to one of the servers and introduce ourselves as a
server using the protocol above, then once we are logged in successfully
we can send additional commands. One of them crashes the server we
connected to; it is triggered by sending the string:
JOIN #!
So what happens? We tried to make the server itself join this channel,
but Unreal IRCd does not handle this and the program dies with a
segmentation fault. In this way, any operator with access to OperServ
(that is, when services are enabled, of course) could bring down the
server that links the services. An example is shown below:
/operserv RAW JOIN #!
Note that #! could be any value; the bug is in the JOIN command.
In general, this vulnerability would not harm a network that quickly,
unless IRC operators are malicious and corrupt users.
Svsnick vulnerability:
Another flaw was found in Unreal IRCd, giving IRC ops the possibility to
manipulate their nicks using /svsnick. The /svsnick command is used by
operators for changing nicknames of users, using this procedure:
SVSNICK <nick> <newnick> :<timestamp>
This command does not check for disallowed characters such as the
control character 0x03 (alt+3, written ^C below), which is used by many
IRC clients such as mIRC for coloring. So using this command, operators
could give their nicks a bit of coloring, using something like:
/svsnick skyrim ^C12s^C2k^C12y^C2r^C12i^C2m :1024940702
However, if the server is linked to a network, the fun will not last
long. SVSNICK skips the check only locally; other servers that receive
the message for such a nick do check it, and would kill the user for
using malicious characters.
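
The checks both sections call for, as an added example (not code from UnrealIRCd or from the advisory): every line arriving on a server link is vetted before a handler runs, so a JOIN without a user as its origin is dropped and an SVSNICK target nick is held to the same character rules remote servers enforce. The names check_link_line and valid_nick, the 30-character limit, the RFC 2812 nick grammar and the origin rule for JOIN are assumptions; the advisory does not give the root cause of the crash.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_NICK 30 /* assumed limit, not taken from the advisory */

enum verdict { ACCEPT, REJECT_NO_USER_SOURCE, REJECT_BAD_NICK, REJECT_MALFORMED };

/* RFC 2812 "special" nickname characters: [ ] \ ` _ ^ { | } */
static int is_special(unsigned char c) {
    return (c >= 0x5B && c <= 0x60) || (c >= 0x7B && c <= 0x7D);
}

/* Nick grammar: (letter | special) then (letter | digit | special | '-')*. */
int valid_nick(const char *n) {
    size_t len = strlen(n);
    if (len == 0 || len > MAX_NICK) return 0;
    if (!isalpha((unsigned char)n[0]) && !is_special((unsigned char)n[0])) return 0;
    for (size_t i = 1; i < len; i++) {
        unsigned char c = (unsigned char)n[i];
        if (!isalnum(c) && !is_special(c) && c != '-') return 0; /* 0x03 fails here */
    }
    return 1;
}

/* Vet one line received on a server link before any handler runs. */
enum verdict check_link_line(const char *line) {
    char src[64] = "", cmd[16] = "", a1[64] = "", a2[64] = "";
    int n = (line[0] == ':')
        ? sscanf(line, ":%63s %15s %63s %63s", src, cmd, a1, a2) - 1
        : sscanf(line, "%15s %63s %63s", cmd, a1, a2);
    if (n < 1) return REJECT_MALFORMED;
    for (char *p = cmd; *p; p++) *p = (char)toupper((unsigned char)*p);
    if (strcmp(cmd, "JOIN") == 0) {
        /* Only a user can join a channel: a missing prefix or a server
           name (contains '.', which no nick may) is refused. */
        if (!valid_nick(src)) return REJECT_NO_USER_SOURCE;
    } else if (strcmp(cmd, "SVSNICK") == 0) {
        if (a2[0] == '\0') return REJECT_MALFORMED;
        if (!valid_nick(a1) || !valid_nick(a2)) return REJECT_BAD_NICK;
    }
    return ACCEPT;
}

int main(void) {
    /* Constructed sample lines; \003 is the colour control byte. */
    printf("%d %d\n", check_link_line("JOIN #!"),
           check_link_line("SVSNICK skyrim \00312s\0032k :1024940702"));
    return 0;
}
```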
ADDITIONAL INFORMATION
The information has been provided by skyrim msh <skyrim@hotmail.com>.