100265 2003-05-02  17:15  /64 lines/ Intel Nop <0x90@invisiblenet.net>
Imported: 2003-05-02  17:15  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4746>
Subject: Dynamic DNS "Spoofing" & IRC
------------------------------------------------------------
This is a trivial "feature/flaw" I've been holding onto for a bit,
and it's probably commonly known, but I haven't seen it posted
anywhere, more of a neat little thing in taking advantage of IRC and
its treatment of dyndns within DNS if reverse lookup is possible.

IRC (Internet Relay Chat) servers being a common ground for chat,
have some annoyances such as the username@ipaddress or
username@domainname, some people don't like that etc, being that they
have to use a bouncer to avoid showing their own ip address or
hostname to other users if they want to maintain some sort of privacy.

Well here's a pseudo-privacy trick that can be reasonably easy to
perform given one has control of a dns server that performs reverse
and forward lookups, support for dyndns scripts, and a domain-name
registered to you.  You can optionally use a bouncer if you want.

In my example, I will use the host name spooftest.domain.com, a port
forwarding tool, a zoneedit account with my dyndns script that
forward resolves, and a friend's server (he/she runs an isp) that
allows for me to have a PTR record to the ip address "10.1.1.1" (<--
this is a private address for demo purposes) on his server as
spooftest.domain.com

Step 1) I have a zoneedit script set up to tell it that my dyndns
address for spooftest.domain.com is 10.1.1.1, which it updates
immediately, and the 10.1.1.1 server has a PTR record for 10.1.1.1 as
spooftest.domain.com (thus allowing reverse and forward lookup of
spooftest.domain.com). My portforward (say we're using datapipe.c on
the 10.1.1.1 box) settings are: datapipe 10.1.1.1 6667
irc.whateverserver.net 6667

Step 2) Log into irc server on your local machine by doing a /server
spooftest.domain.com 6667, make sure the irc server has resolved you
as username@spooftest.domain.com

Step 3) Run your dyndns script for zoneedit to assign your ip address
as whatever ip you want (in this case I'll use 127.0.0.1), then wait
about a minute before joining a channel.

By this time, your dyndns should have updated and changed your ip
address to 127.0.0.1, and irc servers don't re-check after you've
connected (so anyone resolving your hostname will come up with
127.0.0.1).

I don't know if this is categorized as a flaw in dns or irc, or just
merely exploiting a feature, and this is a rather trivial trick
(surely can't be original and I apologize if it's been posted before).

A fix I think would have ircd recheck after a certain amount of time
for resolving properties of their dns, and I was going to say dnssec,
but I can't really see that fixing the problem unless ircd re-checks
as well there.

This "feature/flaw" could probably apply to other application
protocols as well that do not recheck dns properties, but I haven't
taken the time to come up with other practical uses for it.

This has been tested on most ircd server versions and all so far are
victim to this "hack".

0x90
www.invisiblenet.net
(100265) /Intel Nop <0x90@invisiblenet.net>/(Reflowed)
Comment in text 100292 by Markus Kovero <muikku@muikkuverkko.net>
Comment in text 100298 by c4 <c4@jolt.nu>
Comment in text 100307 by Niels Bakker <niels=bugtraq@bakker.net>
Comment in text 100308 by Thomas Wouters <meeling@xhoy.nl>
Comment in text 100336 by Darren Reed <avalon@caligula.anu.edu.au>
100292 2003-05-02  22:05  /79 lines/ Markus Kovero <muikku@muikkuverkko.net>
Imported: 2003-05-02  22:05  by Brevbäraren
External recipient: Intel Nop <0x90@invisiblenet.net>
Recipient: Bugtraq (import) <4757>
Comment on text 100265 by Intel Nop <0x90@invisiblenet.net>
Subject: Re: Dynamic DNS "Spoofing" & IRC
------------------------------------------------------------
We have in Darkmyst ( http://www.darkmyst.org ) this thing called
hostname verification or smthin:

21:36 [nla] !xx.xx.xx.darkmyst.org *** Notice -- IP# Mismatch:
24.xxx.177.xxx != wv-xxx-ubr-b-xxx-196-xxx-130.charterwv.net[82b19f18]

Don't know exactly how it works, probably kills user with fake
hostname.  We're using some kind of modified darkhex ircd atm and we're
coding a new one which is in beta-stage now.

cheers and happy "vappu"-holidays; Markus Kovero

(100292) /Markus Kovero <muikku@muikkuverkko.net>/(Reflowed)
100298 2003-05-02  22:30  /73 lines/ c4 <c4@jolt.nu>
Imported: 2003-05-02  22:30  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4760>
Comment on text 100265 by Intel Nop <0x90@invisiblenet.net>
Subject: Re: Dynamic DNS "Spoofing" & IRC
------------------------------------------------------------
Well you don't even have to have dyndns... just control over the
domain is sufficient.  Just connect and change the dns
afterwards...

This doesn't have anything to do with dns & irc really... it just
utilizes the fact that your ircclient performs a dns check separately.

The problem with rechecking dns is that for a pretty large network
such as ircnet or efnet it would take some resources to do this
check, thus allowing a denial attack being made more easily against
one server.

(100298) /c4 <c4@jolt.nu>/----------------(Reflowed)
100307 2003-05-02  23:02  /24 lines/ Niels Bakker <niels=bugtraq@bakker.net>
Imported: 2003-05-02  23:02  by Brevbäraren
External recipient: Intel Nop <0x90@invisiblenet.net>
Recipient: Bugtraq (import) <4767>
Comment on text 100265 by Intel Nop <0x90@invisiblenet.net>
Subject: Re: Dynamic DNS "Spoofing" & IRC
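The fix the original post proposes (have the ircd re-check the hostname after a certain amount of time), the Darkmyst "IP# Mismatch" notice Markus describes, and c4's point that rechecks cost resolver resources all come down to one piece of server logic: accept a hostname only when the PTR and A records agree, re-run that check on a per-client timer, and fall back to the bare IP when the records stop agreeing. The following is an added example written for this thread, not code from any of the posters or from any real ircd. It stands in for the DNS with a constructed in-memory resolver (FakeResolver) so it runs offline; the RECHECK_INTERVAL value and the exact notice wording are assumptions modelled on the Darkmyst output above.

```python
"""Forward-confirmed reverse DNS with periodic re-verification.

Added example; this is not code from the thread or from any ircd. It models
the two defences that come up in the discussion: refusing to display a
hostname unless the PTR and A records agree (the check behind the Darkmyst
"IP# Mismatch" notice), and re-running that check on a timer instead of
trusting the hostname resolved once at connect time. The DNS is a
constructed in-memory stand-in (FakeResolver) so the example runs offline;
RECHECK_INTERVAL and the notice wording are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class FakeResolver:
    """Stand-in for the DNS: PTR map (ip -> hostname) and A map (hostname -> ips)."""

    def __init__(self, ptr: Dict[str, str], a: Dict[str, List[str]]) -> None:
        self.ptr = dict(ptr)
        self.a = {host: list(ips) for host, ips in a.items()}

    def reverse(self, ip: str) -> Optional[str]:
        return self.ptr.get(ip)

    def forward(self, host: str) -> List[str]:
        return self.a.get(host, [])


def fcrdns(ip: str, resolver: FakeResolver) -> Tuple[bool, str, Optional[str]]:
    """Forward-confirmed reverse lookup.

    Returns (confirmed, display_host, reason). The hostname is accepted only
    when ip -> PTR -> host -> A contains ip again; otherwise the bare IP is
    the display host, so nobody is shown under a name the forward zone does
    not currently back.
    """
    host = resolver.reverse(ip)
    if host is None:
        return False, ip, "no PTR record"
    forward = resolver.forward(host)
    if ip not in forward:
        return False, ip, f"IP# Mismatch: {ip} != {host} -> {','.join(forward) or 'none'}"
    return True, host, None


@dataclass
class Client:
    ip: str
    display_host: str
    last_check: float
    notices: List[str] = field(default_factory=list)


# Assumed interval. Rechecking every client on every event would be the
# resolver load c4 warns about; a timer per client keeps it to one pair of
# lookups per client per interval.
RECHECK_INTERVAL = 600.0  # seconds


def connect(ip: str, resolver: FakeResolver, now: float) -> Client:
    """What an ircd does at connect time: resolve once and record the result."""
    ok, shown, reason = fcrdns(ip, resolver)
    client = Client(ip=ip, display_host=shown, last_check=now)
    if not ok:
        client.notices.append(f"*** Notice -- {reason}")
    return client


def maybe_reverify(client: Client, resolver: FakeResolver, now: float) -> bool:
    """Re-run the check once RECHECK_INTERVAL has passed.

    Returns True when the display host changed (hostname revoked or restored).
    """
    if now - client.last_check < RECHECK_INTERVAL:
        return False
    client.last_check = now
    ok, shown, reason = fcrdns(client.ip, resolver)
    if shown == client.display_host:
        return False
    if not ok:
        client.notices.append(f"*** Notice -- {reason}")
    client.display_host = shown
    return True


def demo() -> List[str]:
    """Replay the thread's scenario; returns the display host after each step."""
    dns = FakeResolver(
        ptr={"10.1.1.1": "spooftest.domain.com"},
        a={"spooftest.domain.com": ["10.1.1.1"]},
    )
    client = connect("10.1.1.1", dns, now=0.0)
    seen = [client.display_host]                   # consistent records: hostname shown
    dns.a["spooftest.domain.com"] = ["127.0.0.1"]  # forward record moved after connect
    maybe_reverify(client, dns, now=60.0)          # too soon: nothing happens
    seen.append(client.display_host)
    maybe_reverify(client, dns, now=700.0)         # interval elapsed: mismatch detected
    seen.append(client.display_host)
    return seen


if __name__ == "__main__":
    for host in demo():
        print(host)
```

Run as a script, it prints the hostname twice and then the bare IP: the hostname survives the first check because the interval has not elapsed, and is revoked at the second once the forward record no longer points back at the connecting address. A real ircd would make the two lookups against the system resolver instead of FakeResolver; the per-client timer is what bounds the cost, since each client then costs one PTR and one A query per interval rather than per message.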
------------------------------------------------------------
* 0x90@invisiblenet.net (Intel Nop) [Fri 02 May 2003, 17:10 CEST]:
> This is a trivial "feature/flaw" I've been holding onto for a bit, and it's
> probably commonly known, but I haven't seen it posted anywhere, more of a
> neat little thing in taking advantage of IRC and it's treatment of dyndns
> within DNS if reverse lookup is possible.
[..]
> By this time, your dyndns should have updated and changed your ip address to
> 127.0.0.1, and irc servers don't re-check after you've connected (so anyone
> resolving your hostname will come up with 127.0.0.1).

You can retrieve the IP address of any user on irc via the STATS L
command (the uppercase L is important).

For privacy reasons some networks (most notably Undernet but also
Freenode) have disabled this command for users that do not have IRC
Operator status.


	-- Niels.

-- 
Note: some countries impose serious penalties for a conspiracy to overthrow
      the political system. THIS DOES NOT FIX THE VULNERABILITY.
(100307) /Niels Bakker <niels=bugtraq@bakker.net>/--
100308 2003-05-02  23:09  /33 lines/ Thomas Wouters <meeling@xhoy.nl>
Imported: 2003-05-02  23:09  by Brevbäraren
External recipient: Intel Nop <0x90@invisiblenet.net>
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4768>
Comment on text 100265 by Intel Nop <0x90@invisiblenet.net>
Subject: Re: Dynamic DNS "Spoofing" & IRC
------------------------------------------------------------
this would mean if you get disconnected from the irc server and
reconnected you would not have any reverse at all, so the 'real' hack
isn't there, you're just 'abusing' the fact that ircds don't look up the
hosts while you are connected

like almost every daemon does (like sshd/apache etc.)

-- Thomas

----- Original Message -----
From: "Intel Nop" <0x90@invisiblenet.net>
To: <bugtraq@securityfocus.com>
Sent: Thursday, May 01, 2003 11:47 PM
Subject: Dynamic DNS "Spoofing" & IRC
> Step 3) Run your dyndns script for zoneedit to assign your ip address as
> whatever ip you want (in this case I'll use 127.0.0.1), then wait about a
> minute before joining a channel.
>

--------
Thomas Wouters - xhoy
e-mail: Thomas@xhoy.nl
IRC: IRCnet - #IceBox & #ne2000 | EFnet - #IceBox

* ne2000 -  Press Any Key To Continue | http://www.ne2000.nl *
* IceBox - SLUT partner | http://slut.icebox.nl *
--------
(100308) /Thomas Wouters <meeling@xhoy.nl>/(Reflowed)
100336 2003-05-03  23:00  /41 lines/ Darren Reed <avalon@caligula.anu.edu.au>
Imported: 2003-05-03  23:00  by Brevbäraren
External recipient: Intel Nop <0x90@invisiblenet.net>
Recipient: Bugtraq (import) <4773>
Comment on text 100265 by Intel Nop <0x90@invisiblenet.net>
Subject: Re: Dynamic DNS "Spoofing" & IRC
------------------------------------------------------------
In some mail from Intel Nop, sie said:
> 
> This is a trivial "feature/flaw" I've been holding onto for a bit, and it's
> probably commonly known, but I haven't seen it posted anywhere, more of a
> neat little thing in taking advantage of IRC and it's treatment of dyndns
> within DNS if reverse lookup is possible.
> 
> IRC (Internet Relay Chat) servers being a common ground for chat, have some
> annoyances such as the username@ipaddress or username@domainname, some
> people don't like that etc, being that they have to use a bouncer to avoid
> showing their own ip address or hostname to other users if they want to
> maintain some sort of privacy.

Bah!  Why do people still expect to have any sort of privacy ?!

Haven't you all gotten over it yet and realised that anyone can
know anything and everything about your life if they have enough $$ ?!

Privacy is such a 20th century concept, get with the times!

Oh, and btw, revealing user@hostname was quite a deliberate design
decision that was debated many times (and probably still is.)

IRC is meant to be a means for communicating with people and when
you're communicating with someone you generally want to know
something about them.  Revealing user@hostname was not ever
considered to be a privacy risk and you might argue is no different
to CLID.  I for one refuse to answer the phone if I cannot see who
the other party is that is calling me because it is generally
considered good etiquette to let someone know who you are when
calling.  Revealing more information also serves as something of a
disincentive towards anti-social behaviour and before you say "but if
someone wants to be, they can use methods like that posted to hide",
history shows that for most it is either too difficult or too much
trouble for the average moron to do.

Another reply mentioned "stats L" output being useful.  Well at one
point it was, but today IRC is, for better or worse, far from being
anything as egalitarian as it used to be.

Darren
(100336) /Darren Reed <avalon@caligula.anu.edu.au>/(Reflowed)