[NEWS] Bypassing UnrealIRCd IP Cloaking
From: SecuriTeam (support_at_securiteam.com)
Date: 07/07/04
To: list@securiteam.com Date: 7 Jul 2004 16:30:39 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Bypassing UnrealIRCd IP Cloaking
------------------------------------------------------------------------
SUMMARY
<http://www.unrealircd.com/> UnrealIRCd is a popular IRC server. One of
the features it provides is called 'IP cloaking'. Its purpose is to prevent
hostile IRC users from learning the IP addresses of other users. Because the
hashing function is weak, the cloaking keys, and with them the cloaked IPs,
can be recovered by brute force.
DETAILS
Vulnerable Systems:
* UnrealIRCd version 3.2 and prior versions
Immune Systems:
* UnrealIRCd version 3.2.1
To make a brute force attack on the client IP harder, the Unreal IRC server
mixes three 'keys' into the hash. The hash function, however, is weak. This
makes it possible to recover the keys of several IRC networks knowing only
one clear-text IP together with its hashed form, plus one additional hashed IP.
Vulnerable Code:
The IPv4 hashing scheme is the most vulnerable. The relevant code from cloak.c follows:
    /* Do IPv4 cloaking here */
    strlcpy(h1, host, sizeof h1);
    i = 0;
    /* split the dotted-decimal host into its four octet strings h2[0..3] */
    for (i = 0, p = strtok(h1, "."); p && (i <= 3); p = strtok(NULL, "."), i++)
    {
        strncpy(h2[i], p, 4);
    }
    /* l[0]: CRC of "a.b" mixed with the three keys */
    ircsprintf(h3, "%s.%s", h2[0], h2[1]);
    l[0] = ((our_crc32(h3, strlen(h3)) + KEY) ^ KEY2) + KEY3;
    /* l[1]: CRC of "a.b.c" */
    ircsprintf(h3, "%s.%s.%s", h2[0], h2[1], h2[2]);
    l[1] = ((KEY2 ^ our_crc32(h3, strlen(h3))) + KEY3) ^ KEY;
    /* l[2]: CRC of the full "a.b.c.d" */
    l[4] = our_crc32(host, strlen(host));
    l[2] = ((l[4] + KEY3) ^ KEY) + KEY2;
    /* truncate to 30, 31 and 32 bits respectively */
    l[2] &= 0x3FFFFFFF;
    l[0] &= 0x7FFFFFFF;
    l[1] &= 0xFFFFFFFF;
    /* the cloaked host shows the words in the order l[2].l[1].l[0] */
    snprintf(cloaked, sizeof cloaked, "%lX.%lX.%lX.IP", l[2], l[1], l[0]);
    free(host);
    return cloaked;
In the code above:
h2[0], h2[1], h2[2], h2[3] contain the four dotted-decimal octets of the
original IP (as strings); h3 holds the prefixes "a.b" and "a.b.c" that get hashed.
l[0], l[1], l[2] contain the three words of the hashed IP.
Thus, for the IP 1.2.3.4 (writing key1, key2, key3 for KEY, KEY2, KEY3):
l[0] = (((crc32("1.2") + key1) ^ key2) + key3) & 0x7FFFFFFF;
l[1] = (((crc32("1.2.3") ^ key2) + key3) ^ key1) & 0xFFFFFFFF;
l[2] = (((crc32("1.2.3.4") + key3) ^ key1) + key2) & 0x3FFFFFFF;
crc32(xxx) and l[x] are known: crc32 is computed from the clear-text IP, and
l[x] is read off the cloaked host. The keys are mixed in using only addition,
XOR and masking, none of which carries information downward, so the n-th bit
of any key does not affect bits below n of the hash. The keys can therefore be
recovered one bit at a time: every partial guess is checked against the low
bits of the known hash, and guesses that do not match are discarded before the
higher bits are tried.
A program that runs such a brute force attack one bit at a time was written as
a proof of concept. It takes less than one second on a Pentium 4 at 1.8 GHz.
Run on one known IP it produces around 2000 possible key combinations. It is
then trivial to test them all against the other hashed IP in order to find the
working ones.
ADDITIONAL INFORMATION
The information has been provided by bartavelle <bartavelle@bandecon.com>.
The original article can be found at:
http://www.bandecon.com/advisory/unreal.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.