Lucene search
K

bitchx-dns-oddities.txt

🗓️ 17 Aug 1999 00:00:00Reported by Packet StormType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 32 Views

Bug in ircd affects 63-character hostnames, causing username and host mask stripping in BitchX.

Code
`--- PREFACE ---  
  
About month ago, I found interesting problem with ircd up to 2.9.5 (I  
haven't newer versions). This bug (?) partially affects irc clients,  
including nice NULL-pointer fault in BitchX-74p4 (latest release)...  
But, let's start from the beginning:  
  
RFC 1035, "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION":  
  
[...]  
The labels must follow the rules for ARPANET host names. They must  
start with a letter, end with a letter or digit, and have as interior  
characters only letters, digits, and hyphen. There are also some  
restrictions on the length. Labels must be 63 characters or less.  
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^  
  
The same sentence can be found in RFC 1034, "DOMAIN NAMES - CONCEPTS AND  
FACILITIES", and, in fact, 63 characters are host name limit for modern  
systems. Unfortunately, ircd is 'not quite' able to handle 63-characters  
long hostname.  
  
-- IRCD IMPACT --  
  
You need access to your domain name server to create 63-chars long host  
name. Please, check twice if it's extactly 63-chars long, including dots  
abnd domain name. NOTE: Setting an alias for your machine won't work. You  
should modify primary host name.  
  
Now, propagation of your new host name could take a longer period of time  
(usually less than one week) - of course if you're testing ircd outside  
your own domain.  
  
When everything is done, you can try to enter IRC from prepared machine.  
You'll notice something really funny - ircd crops your real name, hostname  
and ident! Typical '/whois nick' should return something like that:  
  
/whois lcamtuf  
*** on irc via server genome.ml.org (Genome IRC Server)  
*** lcamtuf has been idle 26 seconds  
  
Username and host mask has been stripped by ircd! Pretty nice bug. But  
(of course!) that's not all. Other irc users can't guess who are you, ban  
you from their channel, nor do anything else, because there's no way to  
obtain required informations about your connection. Even /who #channel  
returns just a nice junk instead of useful data ('never named...' is my  
REALNAME):  
  
#test H@ 0 never@named... (~lcamtuf genome.ml.org lcamtuf )  
  
And now, the game begins...  
  
-- BITCHX IMPACT --  
  
That's probably the most interesting thing. When my test session joined  
channel, BitchX (popular irc client by panasync) left irc with  
following message from ircd:  
  
*** Signoff: lcamtuf (Read error to lcamtuf[]: EOF from client)  
  
But what happened? That's how it looks from BitchX client's side (gdb  
output):  
  
Program received signal SIGSEGV, Segmentation fault.  
0x80d2a16 in find_bestmatch ()  
  
Useful stack info:  
  
(gdb) info stack  
#0 0x80d2a16 in find_bestmatch ()  
#1 0x80d5167 in lookup_userlevelc ()  
#2 0x80b55af in add_to_channel ()  
#3 0x80c3893 in whoreply ()  
#4 0x80c571f in parse_server ()  
#5 0x80ca8c9 in do_server ()  
#6 0x80a584f in io ()  
#7 0x80a5492 in get_line ()  
#8 0x80a5ca7 in main ()  
  
Hmm, I'm guessing BitchX dies due to the NULL-pointer when trying to  
determine my host name (and user level).  
  
-- VUNERABLE PLATFORMS --  
  
I tested it only on Linux in my local network, because I have no access to  
other nameservers, but it seems to be reproductable.  
  
-- FIX --  
  
Nope yet (?).  
  
_______________________________________________________________________  
Michal Zalewski [[email protected]] <= finger for pub PGP key  
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]  
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

17 Aug 1999 00:00Current
7.4High risk
Vulners AI Score7.4
32