[IRCServices] unhappy restart quirks with 5.0.10 (was 5.0.9)

Andrew Church achurch at achurch.org
Sun Feb 23 09:45:50 PST 2003


>Now the obvious corollary question: with a single unlinked server running
>Unreal 3.2 with IRCServices U:lined in - are there any security issues
>raised by disabling NoSplitRecovery?  I.e. is there any way a malicious
>client could fake a timestamp during an /msg operserv restart to steal
>somebody's nick privileges?

     Zero (for all practical purposes) under Unreal.  From the source code
(modules/nickserv/util.c):

	/*
	 * This can be exploited to gain improper privilege if an attacker
	 * has the same Services stamp, username and hostname as the
	 * victim.
	 *
	 * Under ircd.dal 4.4.15+ (Dreamforge) and other servers supporting
	 * a Services stamp, Services guarantees that the first condition
	 * cannot occur unless the stamp counter rolls over (2^31-1 client
	 * connections).  This is practically infeasible given present
	 * technology.  As an example, on a network of 30 servers, an
	 * attack introducing 50 new clients every second on every server,
	 * requiring at least 10-15 megabits of bandwidth, would need to be
	 * sustained for over 16 days to cause the stamp to roll over.
	 *
	 * Under other servers, an attack is theoretically possible, but
	 * would require access to either the computer the victim is using
	 * for IRC or the DNS servers for the victim's domain and IP
	 * address range in order to have the same hostname, and would
	 * require that the attacker connect so that he has the same server
	 * timestamp as the victim.  Practically, the former can be
	 * accomplished either by finding a victim who uses a shell account
	 * on a multiuser system and obtaining an account on the same
	 * system, or through the scripting capabilities of many IRC
	 * clients combined with social engineering; the latter could be
	 * accomplished by finding a server with a clock slower than that
	 * of the victim's server and timing the connection attempt
	 * properly.
	 *
	 * If someone gets a hacked server into your network, all bets are
	 * off.
	 */


  --Andrew Church
    achurch at achurch.org
    http://achurch.org/
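As an added illustration (not IRCServices code and not part of the message above), a small Python model of the post-restart identity check the quoted util.c comment describes, with the stamp roll-over figure worked out from the comment's own numbers; the Client fields, the function names and the signon field used for non-stamp servers are assumptions made for this example:

```python
# Added illustrative model of the split-recovery check described in the
# quoted modules/nickserv/util.c comment.  Not IRCServices code: the data
# model and function names are assumptions chosen for demonstration.
from dataclasses import dataclass

STAMP_MAX = 2**31 - 1  # stamp counter width quoted in the comment


@dataclass(frozen=True)
class Client:
    nick: str
    user: str
    host: str
    stamp: int    # Services stamp (ircds such as Dreamforge/Unreal), or ...
    signon: int   # ... only a server timestamp on ircds without a stamp


def identity_matches(before: Client, after: Client, ircd_has_stamp: bool) -> bool:
    """Decide whether a client seen after a Services restart is the same
    session that was identified before it (NoSplitRecovery disabled).

    With a stamp-capable ircd the stamp is assigned by Services itself and
    is unique until the 2^31-1 counter rolls over, so user+host+stamp must
    all agree.  Without a stamp, only the server signon time remains to
    separate two sessions with the same user@host, which is the weaker
    case the comment discusses.
    """
    same_userhost = (before.user, before.host) == (after.user, after.host)
    if ircd_has_stamp:
        return same_userhost and before.stamp == after.stamp
    return same_userhost and before.signon == after.signon


def rollover_days(servers: int, clients_per_sec: int) -> float:
    """Days of sustained client introduction needed to wrap the stamp
    counter: the comment's 30 servers x 50 clients/s gives just over 16."""
    return STAMP_MAX / (servers * clients_per_sec) / 86400
```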