FPSC-IRCD.txt

17 Aug 1999 | Reported by: syg | Type: packetstorm | Source: packetstormsecurity.com

IRCD bug allows channel spying through character confusion in names and nicknames.

` The FPSC-IRCD.txt advisory.  
---------------------------  
By: syg of the FPSC @3/7/98  
[email protected]  
http://FPSC.hemp.net  
  
Program affected:  
IRCD  
  
Versions affected:  
All hybrid and other EFnet IRCD versions. Probably others.  
  
Problem:  
According to the date of this file, there are a few bugs in hybrid IRCD  
and maybe others. I've checked DALnet's source and it seems theirs is fixed  
and not affected. The bug is in match.c of the source code and starts on line  
204 at 'tolowertab[]'. Note the line that consists of the following:  
"'t', 'u', 'v', 'w', 'x', 'y', 'z', '{', '|', '}', '~',". Then go to line 238  
in match.c to 'touppertab[]'. Note the line that reads:  
"'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '[', '\\', ']', '^'," and look at the two  
lines. If you notice, it takes the '{' char and defines its uppercase char as  
'[' along with defining '|' to '\', '}' to ']', and '~' to '^'. What this  
means is they're the same characters in channel names and nicknames.  
Now what can you do with this in such a way it would be a problem?  
You can spy on channels that consist of any one of those 8 characters below:  
1) { --Defined as LowerCase [  
2) [ --Defined as UpperCase {  
3) } --Defined as LowerCase ]  
4) ] --Defined as UpperCase }  
5) | --Defined as LowerCase \  
6) \ --Defined as UpperCase |  
7) ~ --Defined as LowerCase ^  
8) ^ --Defined as UpperCase ~  
This problem and mIRC make a dangerous combination. Let's say a bunch of your  
friends hang in #mIRC] and you run BitchX. All you have to do is join  
#mIRC} and their mIRC clients won't see you join the channel which means you  
are a ghost and therefore are invisible. Another example would be...  
two people are in #Love^2 and you ran BitchX. All you would have to do is  
join #Love~2 and they won't see you join, therefore you can spy on their  
conversation all night long. Now if one of the mIRC people happened to type  
"/names #mIRC]" or "/names #Love^2" you would magically pop up in the nick  
list of the channel. That is also the same if someone joins the channel  
after you have joined, you will show up in their names list therefore it will  
put you in their nick list in the channel window. Be creative and have fun.  
  
  
Logs:  
The "->->->" is me telling you what's going on.  
->->-> In mIRC I typed /join #[ with the nick mIRC-1  
*** Now talking in #[  
->->-> No one is in the channel but me in the nick list.  
->->-> Then I looked in my status window and got the join info.  
#[ @mIRC-1  
#[ End of /NAMES list.  
#[ created on Thu Feb 25 14:13:45  
->->-> Then in another mIRC client I typed /join #{ with the nick mIRC-2  
*** Now talking in #{  
->->-> No one is in the channel but me in the nick list.  
->->-> Then I looked in my status window and got the join info.  
#[ mIRC-2 @mIRC-1  
#{ End of /NAMES list.  
#[ +  
#[ created on Thu Feb 25 14:13:45  
->->-> NOTE: I can't see mIRC-1 in the nick list in the channel.  
->->-> I also can't see mIRC-2 in mIRC-1's nick list.  
->->-> So basically it's like two different channels when you are in mIRC.  
->->-> Let's now bring BitchX into play...  
->->-> In BitchX under the nick BitchX-1 I typed /join #[  
BitchX-1 [[email protected]] has joined #[  
[Users(#[:3)]  
[ BitchX-1 ] [ mIRC-2 ] [@mIRC-1 ]   
Channel #[ was created at Thu Feb 25 14:13:45 1999  
BitchX: Join to #[ was synced in 0.391 secs!  
->->-> Now under mIRC-1's client I saw...  
*** BitchX-1 ([email protected]) has joined #[  
->->-> Which I should have because we are both in #[  
->->-> But on the other hand, under mIRC-2's client( The one in #{ )...  
->->-> I didn't see BitchX-1 join.  
->->-> And as you can see, BitchX-1 sees mIRC-2 in the channel #[  
->->-> Now let me type with all three of them.  
->->-> Under all three clients I will type their nick and chan to the channel.  
->->-> Under BitchX-1's client I saw all three clients talk...  
<mIRC-1> mIRC-1 #[  
<mIRC-2> mIRC-2 #{  
<BitchX-1> BitchX-1 #[  
->->-> Under mIRC-1's client I saw myself and BitchX-1 type (We are both in #[)  
<mIRC-1> mIRC-1 #[  
<BitchX-1> BitchX-1 #[  
->->-> Under mIRC-2's client I saw myself type only ( I'm in #{ )  
<mIRC-2> mIRC-2 #{  
->->-> As you can see mIRC-2 is being spied on by the BitchX client.  
->->-> End of logs.  
  
Solution:  
The fix would be to simply edit /src/match.c of the source code. DALnet  
seems to have a nice match.c at ftp.dal.net in df467.tgz if you EFnet staff  
need any ideas. We all hope to see this fixed in your next release of hybrid.  
  
Final Notes:  
IRCD coders and staff members of all networks and all IRCD versions need  
to check your source for this bug and fix it before it gets abused... maybe it  
was you in #^locals^ giving your phone number out to a friend which was being  
spied on by another local enemy. Other than that, everyone keep up the good  
work and so long. Also, thanks to sate for helping me test this out.  
Questions/jobs/info/etc: [email protected] -syg  
  
-----------------------------------------------------------------------------------  
  
Date: Tue, 9 Mar 1999 19:01:57 +0000  
From: Bjarni R. Einarsson <[email protected]>  
To: [email protected]  
Subject: Re: The FPSC-IRCD.txt advisory  
  
On 1999-03-07, 16:20:59 (-0800), syg FPSC wrote:  
>  
> lines. If you notice, it takes the '{' char and defines its uppercase char as  
> '[' along with defining '|' to '\', '}' to ']', and '~' to '^'. What this  
> means is they're the same characters in channel names and nicknames.  
  
RFC1459 chapter 2.2 says:  
  
Because of IRC's scandanavian origin, the characters {}| are  
considered to be the lower case equivalents of the characters []\,  
respectively.  
  
So, what we have here is 75% a mIRC bug, not an IRCD bug. I say 75% because  
the RFC doesn't mention '~' and '^', which probably shouldn't be considered  
equivalent by the server.  
  
Did you (the authors of this advisory) bother to notify the maintainers of  
these IRC servers and mIRC in particular?  
  
(if RFC1459 has been superseded, just ignore me - but it hasn't, has it?)  
  
  
> Final Notes:  
> IRCD coders and staff members of all networks and all IRCD versions need  
> to check your source for this bug and fix it before it gets abused... maybe it  
  
IRC coders and staff members using mIRC deserve what they get. :-) Happily,  
the original advisory contained a work-around: use BitchX, ircII or some  
other properly implemented client.  
  
--  
Bjarni R. Einarsson [ PGP: 02764305 / B7A3AB89 ]  
[email protected] -=- http://www.mmedia.is/~bre/ -=- Juggler@IRCnet  
  
* http://www.europarl.eu.int/dg4/stoa/en/publi/166499/execsum.htm *  
Encrypt the covert narcotics, launder nuclear biotechno cash on  
the way to Swiss with your GSM phone - are you paranoid enough?  
  
`
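Added example (not code from the advisory, the reply, hybrid ircd or any IRC client): a name comparison a client can use so that events the server sends for `#[` reach the window opened as `#{`, which is the client-side handling the reply argues for. The enum names and `find_window` are this example's own; the three mappings are plain ASCII, the `{}|` = `[]\` rule quoted from RFC 1459, and the wider `match.c` table from the advisory that also equates `~` and `^`.

```c
#include <stdio.h>

/* Folding rules; the enum names are this example's own. */
enum casemap {
    MAP_ASCII,      /* a-z == A-Z only (a naive client-side comparison) */
    MAP_RFC1459,    /* plus {}| == []\ , as stated in RFC 1459 section 2.2 */
    MAP_IRCD_TABLE  /* plus ~ == ^ , as in the match.c tables quoted above */
};

/* Fold one byte to lower case under the chosen mapping. */
static unsigned char irc_fold(unsigned char c, enum casemap map)
{
    if (c >= 'A' && c <= 'Z')
        return (unsigned char)(c + 32);
    if (map != MAP_ASCII && c >= '[' && c <= ']')   /* [ \ ] -> { | } */
        return (unsigned char)(c + 32);
    if (map == MAP_IRCD_TABLE && c == '^')
        return '~';
    return c;
}

/* 1 if two channel names or nicknames are identical under the mapping. */
int irc_name_equal(const char *a, const char *b, enum casemap map)
{
    for (; *a && *b; a++, b++)
        if (irc_fold((unsigned char)*a, map) != irc_fold((unsigned char)*b, map))
            return 0;
    return *a == *b;   /* both strings must end together */
}

/* Index of the open channel window a server-sent name belongs to, or -1. */
int find_window(const char *const *win, int n, const char *name, enum casemap map)
{
    for (int i = 0; i < n; i++)
        if (irc_name_equal(win[i], name, map))
            return i;
    return -1;
}

int main(void)
{
    /* Constructed sample: windows opened with /join #{ and /join #Love^2 */
    const char *const win[] = { "#{", "#Love^2" };
    printf("JOIN #[      ascii=%d rfc1459=%d\n",
           find_window(win, 2, "#[", MAP_ASCII), find_window(win, 2, "#[", MAP_RFC1459));
    printf("JOIN #Love~2 rfc1459=%d ircd-table=%d\n",
           find_window(win, 2, "#Love~2", MAP_RFC1459), find_window(win, 2, "#Love~2", MAP_IRCD_TABLE));
    return 0;
}
```

A result of -1 is the "ghost" case from the logs: the server considers the user joined, but the client finds no window for the name and never shows the join.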
