/* MaD SKiLL 'H'
* yay, it's us!
*
* Visit our website at http://www.madskill.tk for more info
* about us.
*
* Topic: Serious flaws in Unreal IRCd => 3.1.1
* Vulnerabilities found by Zombie
*
* Shouts go to: MsH(!), DFA, IceDragon, Key (for his kickass
* network), r0ut3r
*
* This article (security advisory) was written by skyrim
* 19:55 24-6-02
*/

Serious flaw in Unreal IRCd => 3.1.1 - Denial of Service
====================================
Vulnerable: UnrealIRCd => v3.1.1
Tested on : UnrealIRCd v3.1.1, v3.1.2, v3.1.3

Unreal IRCd, one of the most popular IRCd's for UNIX systems,
contains serious security vulnerabilities. The one we're
discussing at the moment, involves the server linking. We will
take a quick look at how the Unreal IRCd linking protocol works:

PASS <link password>
SERVER <server name> 1 <description>

When a server logs into another server, for linking, this is what
it sends. The problem does not lie in the login however. When we
open a connection to one of the servers itself using a raw socket,
we can add additional commands. We introduce ourself as a server
using the protocol above, and after we are logged in succesfully,
we are given the ability to perform different commands. Now, there
is a method which could let the server we connected to crash, when
sending the string:

JOIN #!

Okay, so what happens? We tried to let the server join this
channel itself, but Unreal IRCd doesn't seem to like things such
as this and the program returns a segmentation fault. At this
way, any operator with access to OperServ (That is, when
services are enabled ofcourse) could get the server which links
the services, down. An example of how is displayed below:

/operserv RAW JOIN #!

Note that #! could be any value, the bug is in the JOIN command.

Now, in general this vulnerability wouldn't harm a network that
quick, unless IRC operators are malicious and corrupt users: This
will be very uncommon ofcourse, since the dear network owners
choose their operators very carefully ;). Also faking network links is a
possibility. Our own advise at the moment is to use encrypted links,
which couldn't be faked; Unless you fully change your IRCd, ofcourse.

Another flaw in ALL Unreal IRCd versions - Party time!
========================================
Vulnerable: All Unreal IRCd servers with /SVSNICK enabled
Tested on : UnrealIRCd v3.1.1, v3.1.2, v3.1.3

Another flaw was found in Unreal IRCd, giving IRC ops the possibility
to manipulate their nicks using /svsnick. The /svsnick command is used
by opers for changing nicknames of users, using this procedure:

SVSNICK <nick> <newnick> :<timestamp>

This command does not check for unallowed characters such as the
character "", (alt+3), which is used by many IRC clients such as mIRC
for coloring. So using this command opers could give their nicks a bit
coloring, using something like:

/svsnick skyrim 12s2k12y2r12i2m :1024940702

Although, if the server is linked to a network, the fun won't last long.
Since SVSNICK is only locally not checked, other servers receiving the
message of such a nick and which DO check the nicks, would kill the user
for using malicious characters. As you can see, not really a bug, it's
more just for fun.

MaD SKiLL 'H'
http://www.madskill.tk


_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.