The FPSC-IRCD.txt advisory.
---------------------------

By: syg of the FPSC @3/7/98
ircd@FPSC.hemp.net
http://FPSC.hemp.net

Program affected:  IRCD
Versions affected: All hybrid and other EFnet IRCD versions. Probably others.

Problem:

According to the date of this file, there are a few bugs in hybrid IRCD and maybe others. I've checked DALnet's source and it seems theirs is fixed and not affected.

The bug is in match.c of the source code and starts on line 204 at 'tolowertab[]'. Note the line that consists of the following:

    "'t', 'u', 'v', 'w', 'x', 'y', 'z', '{', '|', '}', '~',"

Then go to line 238 in match.c to 'touppertab[]'. Note the line that reads:

    "'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '[', '\\', ']', '^',"

and look at the two lines. If you notice, it takes the '{' char and defines its uppercase char as '[', along with defining '|' to '\', '}' to ']', and '~' to '^'. What this means is they're the same characters in channel names and nicknames.

Now what can you do with this in such a way it would be a problem? You can spy on channels that consist of any one of those 8 characters below:

1) {  --Defined as LowerCase [
2) [  --Defined as UpperCase {
3) }  --Defined as LowerCase ]
4) ]  --Defined as UpperCase }
5) |  --Defined as LowerCase \
6) \  --Defined as UpperCase |
7) ~  --Defined as LowerCase ^
8) ^  --Defined as UpperCase ~

This problem and mIRC make a dangerous combination. Let's say a bunch of your friends hang in #mIRC] and you run BitchX. All you have to do is join #mIRC} and their mIRC clients won't see you join the channel, which means you are a ghost and therefore are invisible.

Another example would be... two people are in #Love^2 and you run BitchX. All you would have to do is join #Love~2 and they won't see you join, therefore you can spy on their conversation all night long.

Now if one of the mIRC people happened to type "/names #mIRC]" or "/names #Love^2" you would magically pop up in the nick list of the channel. That is also the same if someone joins the channel after you have joined: you will show up in their names list, therefore it will put you in their nick list in the channel window. Be creative and have fun.

Logs:

The "->->->" is me telling you what's going on.

->->-> In mIRC I typed /join #[ with the nick mIRC-1
*** Now talking in #[
->->-> No one is in the channel but me in the nick list.
->->-> Then I looked in my status window and got the join info.
#[ @mIRC-1
#[ End of /NAMES list.
#[ created on Thu Feb 25 14:13:45
->->-> Then in another mIRC client I typed /join #{ with the nick mIRC-2
*** Now talking in #{
->->-> No one is in the channel but me in the nick list.
->->-> Then I looked in my status window and got the join info.
#[ mIRC-2 @mIRC-1
#{ End of /NAMES list.
#[ +
#[ created on Thu Feb 25 14:13:45
->->-> NOTE: I can't see mIRC-1 in the nick list in the channel.
->->-> I also can't see mIRC-2 in mIRC-1's nick list.
->->-> So basically it's like two different channels when you are in mIRC.
->->-> Let's now bring BitchX into play...
->->-> In BitchX under the nick BitchX-1 I typed /join #[
BitchX-1 [test@FPSC.hemp.net] has joined #[
[Users(#[:3)]
[ BitchX-1 ] [ mIRC-2 ] [@mIRC-1 ]
Channel #[ was created at Thu Feb 25 14:13:45 1999
BitchX: Join to #[ was synced in 0.391 secs!
->->-> Now under mIRC-1's client I saw...
*** BitchX-1 (test@FPSC.hemp.net) has joined #[
->->-> Which I should have, because we are both in #[
->->-> But on the other hand, under mIRC-2's client (the one in #{)...
->->-> I didn't see BitchX-1 join.
->->-> And as you can see, BitchX-1 sees mIRC-2 in the channel #[
->->-> Now let me type with all three of them.
->->-> Under all three clients I will type their nick and chan to the channel.
->->-> Under BitchX-1's client I saw all three clients talk...
mIRC-1 #[
mIRC-2 #{
BitchX-1 #[
->->-> Under mIRC-1's client I saw myself and BitchX-1 type (we are both in #[)
mIRC-1 #[
BitchX-1 #[
->->-> Under mIRC-2's client I saw myself type only (I'm in #{)
mIRC-2 #{
->->-> As you can see, mIRC-2 is being spied on by the BitchX client.
->->-> End of logs.

Solution:

The fix would be to simply edit /src/match.c of the source code. DALnet seems to have a nice match.c at ftp.dal.net in df467.tgz if you EFnet staff need any ideas. We all hope to see this fixed in your next release of hybrid.

Final Notes:

IRCD coders and staff members of all networks and all IRCD versions need to check your source for this bug and fix it before it gets abused... maybe it was you in #^locals^ giving your phone number out to a friend which was being spied on by another local enemy. Other than that, everyone keep up the good work and so long. Also, thanks to sate for helping me test this out.

Questions/jobs/info/etc: ircd@FPSC.hemp.net

-syg

-----------------------------------------------------------------------------------

Date: Tue, 9 Mar 1999 19:01:57 +0000
From: Bjarni R. Einarsson
To: BUGTRAQ@netspace.org
Subject: Re: The FPSC-IRCD.txt advisory

On 1999-03-07, 16:20:59 (-0800), syg FPSC wrote:
>
> lines. If you notice, it takes the '{' char and defines its uppercase char as
> '[', along with defining '|' to '\', '}' to ']', and '~' to '^'. What this
> means is they're the same characters in channel names and nicknames.

RFC1459 chapter 2.2 says:

    Because of IRC's scandanavian origin, the characters {}| are
    considered to be the lower case equivalents of the characters []\,
    respectively.

So, what we have here is 75% a mIRC bug, not an IRCD bug. I say 75% because the RFC doesn't mention '~' and '^', which probably shouldn't be considered equivalent by the server.

Did you (the authors of this advisory) bother to notify the maintainers of these IRC servers and mIRC in particular?
(If RFC1459 has been superseded, just ignore me - but it hasn't, has it?)

> Final Notes:
> IRCD coders and staff members of all networks and all IRCD versions need
> to check your source for this bug and fix it before it gets abused... maybe it

IRC coders and staff members using mIRC deserve what they get. :-)

Happily, the original advisory contained a work-around: use BitchX, ircII or some other properly implemented client.

--
Bjarni R. Einarsson                         [ PGP: 02764305 / B7A3AB89 ]
bre@netverjar.is  -=-  http://www.mmedia.is/~bre/  -=-  Juggler@IRCnet

* http://www.europarl.eu.int/dg4/stoa/en/publi/166499/execsum.htm *
Encrypt the covert narcotics, launder nuclear biotechno cash on the way to Swiss with your GSM phone - are you paranoid enough?
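To make the casemapping disagreement in the thread above concrete, here is an added example in C (my own code, not from hybrid ircd, DALnet, mIRC or the advisory) that implements the hybrid table the advisory describes (folding {}|~ onto []\^), the strict RFC 1459 rule Bjarni quotes (folding only {}|), and a plain ASCII compare, then checks the channel-name pairs from the advisory under each. The enum and function names are assumptions; the point for a client author is that channel and nick comparisons must use the server's mapping, or JOIN and NAMES traffic gets routed to the wrong window exactly as the logs show.

```c
/* Added example (not code from the advisory or from any ircd/mIRC source).
 * It models the mappings discussed on this page: the hybrid-ircd table,
 * which folds {}|~ onto []\^, the strict RFC 1459 rule, which folds only
 * {}| onto []\, and a plain ASCII compare.  Names are my own. */
#include <stdio.h>

enum casemap { CASEMAP_ASCII, CASEMAP_RFC1459, CASEMAP_HYBRID };

/* Fold one byte to its "lower case" form under the given casemapping. */
static int irc_tolower(int c, enum casemap cm)
{
    if (c >= 'A' && c <= 'Z')
        return c + ('a' - 'A');
    if (cm == CASEMAP_ASCII)
        return c;
    switch (c) {                       /* RFC 1459 section 2.2 pairs */
    case '[':  return '{';
    case ']':  return '}';
    case '\\': return '|';
    case '^':  return cm == CASEMAP_HYBRID ? '~' : c;  /* hybrid-only pair */
    default:   return c;
    }
}

/* Returns 1 when a and b name the same channel (or nick) under mapping cm. */
int irc_name_equal(const char *a, const char *b, enum casemap cm)
{
    for (; *a && *b; a++, b++)
        if (irc_tolower((unsigned char)*a, cm) != irc_tolower((unsigned char)*b, cm))
            return 0;
    return *a == *b;   /* both strings must end together */
}

/* A client deciding whether a JOIN for join_channel belongs to the window for
 * my_channel must compare under the server's mapping, not the client's own. */
int client_sees_join(const char *my_channel, const char *join_channel, enum casemap client_cm)
{
    return irc_name_equal(my_channel, join_channel, client_cm);
}

int main(void)
{
    /* constructed sample pairs, taken from the advisory's examples */
    const char *pairs[][2] = { {"#mIRC]", "#mIRC}"}, {"#Love^2", "#Love~2"}, {"#[", "#{"} };
    for (size_t i = 0; i < 3; i++)
        printf("%-8s vs %-8s ascii=%d rfc1459=%d hybrid=%d\n", pairs[i][0], pairs[i][1],
               irc_name_equal(pairs[i][0], pairs[i][1], CASEMAP_ASCII),
               irc_name_equal(pairs[i][0], pairs[i][1], CASEMAP_RFC1459),
               irc_name_equal(pairs[i][0], pairs[i][1], CASEMAP_HYBRID));
    return 0;
}
```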