
unreal-dos.txt

25 Jun 2002 00:00:00 | Reported by Skyrim | Type: packetstorm | Source: packetstormsecurity.com

Serious flaw in Unreal IRCd 3.1.1 allows Denial of Service through malformed JOIN commands.

Code
`/* MaD SKiLL 'H'  
* yay, it's us!  
*  
* Visit our website at http://www.madskill.tk for more info  
* about us.  
*  
* Topic: Serious flaws in Unreal IRCd => 3.1.1  
* Vulnerabilities found by Zombie  
*  
* Shouts go to: MsH(!), DFA, IceDragon, Key (for his kickass  
* network), r0ut3r  
*  
* This article (security advisory) was written by skyrim  
* 19:55 24-6-02  
*/  
  
Serious flaw in Unreal IRCd => 3.1.1 - Denial of Service  
====================================  
Vulnerable: UnrealIRCd => v3.1.1  
Tested on : UnrealIRCd v3.1.1, v3.1.2, v3.1.3  
  
Unreal IRCd, one of the most popular IRCds for UNIX systems,  
contains serious security vulnerabilities. The one we're  
discussing at the moment involves the server linking. We will  
take a quick look at how the Unreal IRCd linking protocol works:  
  
PASS <link password>  
SERVER <server name> 1 <description>  
  
When a server logs into another server for linking, this is what  
it sends. The problem does not lie in the login, however. When we  
open a connection to one of the servers itself using a raw socket,  
we can add additional commands. We introduce ourselves as a server  
using the protocol above, and after we are logged in successfully,  
we are given the ability to perform different commands. Now, there  
is a method which can make the server we connected to crash, by  
sending the string:  
  
JOIN #!  
  
Okay, so what happens? We tried to let the server join this  
channel itself, but Unreal IRCd doesn't seem to like things such  
as this and the program returns a segmentation fault. This  
way, any operator with access to OperServ (that is, when  
services are enabled, of course) could bring down the server which  
links the services. An example of how is displayed below:  
  
/operserv RAW JOIN #!  
  
Note that #! could be any value, the bug is in the JOIN command.  
  
Now, in general this vulnerability wouldn't harm a network that  
quickly, unless IRC operators are malicious and corrupt users. This  
will be very uncommon of course, since the dear network owners  
choose their operators very carefully ;). Faking network links is also a  
possibility. Our own advice at the moment is to use encrypted links,  
which can't be faked, unless you fully change your IRCd, of course.  
  
Another flaw in ALL Unreal IRCd versions - Party time!  
========================================  
Vulnerable: All Unreal IRCd servers with /SVSNICK enabled  
Tested on : UnrealIRCd v3.1.1, v3.1.2, v3.1.3  
  
Another flaw was found in Unreal IRCd, giving IRC ops the possibility  
to manipulate their nicks using /svsnick. The /svsnick command is used  
by opers for changing nicknames of users, using this procedure:  
  
SVSNICK <nick> <newnick> :<timestamp>  
  
This command does not check for disallowed characters such as the  
character 0x03 (alt+3), which is used by many IRC clients such as mIRC  
for coloring. So using this command opers could give their nicks a bit  
of coloring, using something like:  
  
/svsnick skyrim 12s2k12y2r12i2m :1024940702  
  
However, if the server is linked to a network, the fun won't last long.  
Since the SVSNICK nick goes unchecked only locally, other servers that  
receive the message for such a nick and DO check nicks would kill the  
user for using malicious characters. As you can see, it's not really a  
bug, more just for fun.  
  
MaD SKiLL 'H'  
http://www.madskill.tk  
  
  
  
`
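The two missing checks described in the JOIN and SVSNICK sections, sketched as a filter for lines arriving on a server link. This is an added example, not UnrealIRCd code or part of the original advisory. The function names, the rule that a JOIN must carry a user (non-server) source, and the use of the RFC 2812 nickname character set are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum verdict { LINK_OK, LINK_JOIN_NOT_FROM_USER, LINK_SVSNICK_BAD_NICK };

/* RFC 2812 nickname: first char a letter or special, the rest may also be
 * digits or '-'. Control bytes such as 0x03 (mIRC colour) never qualify. */
static int nick_ok(const char *s) {
    static const char special[] = "[]\\`_^{|}";
    if (!s || !*s || isdigit((unsigned char)*s) || *s == '-') return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '-' && !strchr(special, *s))
            return 0;
    return 1;
}

/* Classify one line received on a server link (hypothetical helper). */
enum verdict check_link_line(const char *line) {
    char buf[512], *tok[4] = {0}, **cmd;
    int n = 0, has_src;
    snprintf(buf, sizeof buf, "%s", line);
    buf[strcspn(buf, "\r\n")] = '\0';
    has_src = (buf[0] == ':');
    for (char *p = strtok(buf, " "); p && n < 4; p = strtok(NULL, " "))
        tok[n++] = p;
    cmd = tok + has_src;              /* skip the ":source" token if present */
    if (!cmd[0]) return LINK_OK;      /* empty line */
    /* Assumption: only a user can JOIN, so a JOIN with no source, or with a
     * server name (contains '.') as its source, is rejected before handling. */
    if (!strcasecmp(cmd[0], "JOIN") &&
        (!has_src || !tok[0][1] || strchr(tok[0], '.')))
        return LINK_JOIN_NOT_FROM_USER;
    /* SVSNICK <nick> <newnick> :<timestamp> -- validate <newnick> locally. */
    if (!strcasecmp(cmd[0], "SVSNICK") && !nick_ok(cmd[2]))
        return LINK_SVSNICK_BAD_NICK;
    return LINK_OK;
}

int main(void) {
    /* Constructed sample link traffic; \003 is the colour control byte. */
    const char *samples[] = { "JOIN #!", ":irc.example.net JOIN #ops",
        ":skyrim JOIN #ops", "SVSNICK skyrim \00312s\0032k :1024940702",
        "SVSNICK skyrim skyrim2 :1024940702" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%d  %s\n", check_link_line(samples[i]), samples[i]);
    return 0;
}
```

Running the check before dispatch means a rejected line never reaches the command handler, and the nickname rule then matches what the other servers on the network already enforce.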
