[IRCServices] /ns ghost exploit
Mark Hetherington
mark at ctcp.net
Thu Mar 14 12:27:01 PST 2002
> Andrew Church wrote
> Services does not use SVSKILL in the first place,
Sorry, my mistake. I meant Services will issue a kill for that user.
> and does not allow GHOST anyway without a password unless the calling user
> is on the access list of the target nick _and_ the nick does not have the
> SECURE option set.
I know this. It still does not prevent a user using services to kill
another user just because they happen to use their nickname.
Nick A registers A and also registers or links B, C, D, E.
A new user connects using nick B and would get the usual warning from
services. However, before they have the opportunity to choose a new
nickname, A who is identified and has the password for B issues /ns ghost B
password either manually or from a script which kills that user from the
network. I didn't highlight a problem with the way services checks a user's
right to issue the command, merely in the way that the command is open to
abuse.
> Have you modified Services?
No.
Mark.
>
> --Andrew Church
> achurch at achurch.org
> http://achurch.org/
>
> >Something I recently became aware of was users "abusing" the ghost command.
> >
> >When the ghost command is issued, Services will SVSKILL the user from the
> >network. However, the new trend appears to be setting up a notify script,
> >which will automatically ghost any user trying to use a given nickname.
> >This quickly became popular. How this came to my attention is that a new
> >user was trying to access the network but was repeatedly killed by the
> >ghost command.
> >
> >Use of "kill immediate" should be sufficient for those users who do not
> >want people using their nicknames and can be handled by services with a
> >nick change so I do not see use of the command in this manner as
> >beneficial.
> >
> >One way to remove this exploit which seems the least complex to actually
> >manage is to only trigger the ghost if the target is currently identified.
> >
> >This would mean that in the event a user got disconnected before they were
> >able to identify, they would be unable to remove a real 'ghost' on
> >reconnect with the ghost command, but they could use 'recover' and
> >'release' instead. I believe that the 'recover' will "guest" a user
> >where NSForceNickChange is enabled.
> >
> >--
> >Mark.
--
Mark.
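Added example, not code from this thread or from IRCServices: a small C model of the GHOST decision as the thread describes it (password, or access list without SECURE), beside the proposed extra condition that the target session must be identified. The structures, field names and plaintext password comparison are assumptions of the model only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the state /ns GHOST consults; not IRCServices' code. */
typedef struct {
    const char *name;
    const char *password;   /* registered password (plaintext only in this model) */
    bool secure;            /* SECURE option: access list alone is not enough */
} NickInfo;

typedef struct {
    const char *nick;       /* nick the connected session is currently using */
    bool identified;        /* session has identified to that nick */
    bool on_access_list;    /* session matches the nick's access list */
} Session;

/* Authorisation as the thread describes it: correct password, or an
 * access-list match when the nick does not have SECURE set. */
static bool caller_authorized(const NickInfo *ni, const Session *caller,
                              const char *password)
{
    if (password != NULL && strcmp(password, ni->password) == 0)
        return true;
    return caller->on_access_list && !ni->secure;
}

/* Current behaviour: an authorised caller can GHOST whoever holds the nick,
 * including a newcomer who has not yet reacted to the nick warning. */
bool ghost_allowed_current(const NickInfo *ni, const Session *caller,
                           const Session *target, const char *password)
{
    return target != NULL && strcmp(target->nick, ni->name) == 0
        && caller_authorized(ni, caller, password);
}

/* Proposed change from the thread: additionally require that the target
 * session identified to the nick. A newcomer merely using the nick is then
 * left to the normal warning / forced-nick-change path, while a session that
 * never identified before dropping must be cleared with RECOVER/RELEASE. */
bool ghost_allowed_proposed(const NickInfo *ni, const Session *caller,
                            const Session *target, const char *password)
{
    return ghost_allowed_current(ni, caller, target, password)
        && target->identified;
}
```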