[IRCServices] Bug: Kick/ban loops

Andy Li andycandy212 at gmail.com
Sat Aug 11 19:41:35 PDT 2007


I was playing around with an IRC server and I found 2 ways to place a
user in a kickban loop:
1) placing +e ban exceptions using the extban type ~c:#channel, where
it is supported, on ircds such as Unreal.
example:
* Me sets mode: +e ~c:#otherchan
* ChanServ sets mode: +b *!*@localhost
* Test was kicked by ChanServ (AKICK by Me (User has been banned from
the channel))
* Test (adfy at hmm-FC8857E1) has joined #chan
* Test was kicked by ChanServ (AKICK by Me (User has been banned from
the channel))
* Test (adfy at hmm-FC8857E1) has joined #chan
* Test was kicked by ChanServ (AKICK by Me (User has been banned from
the channel))
etc.

My suggestion: match ~c: extbans against all channels that a user is
on before they are kicked

2) Joining a forbidden/suspended channel and then setting a +e
exception quickly by either sending the 2 commands in the same
packet so that they are processed before services can kick them, or
sending the 2 cmds quickly enough so that the lag between services/the
network makes services unable to kick the user before he does it,
either with a mIRC script or some other script. This could be done
by:
a program, e.g. send_cmd ("JOIN #somechan\nMODE #somechan +e *!*@*");
or typing //raw join #chan $crlf mode #chan +e *!*@* in mIRC.
e.g.:

-> Server: join #test \n mode #test +e *!*@*
* Now talking in #test
* Test sets mode: +e *!*@*
* ChanServ (services at services.hi2u.net) has joined #test
* ChanServ sets mode: +b *!*@*
* You were kicked by ChanServ (This channel may not be used.)
* Attempting to rejoin channel #test
* You were kicked by ChanServ (This channel may not be used.)
* Attempting to rejoin channel #test
etc.
This could be solved by checking for matching excepts before kicking a
user from a forbidden chan, or enabling ChanServ to stay permanently
inside a forbidden/susp'd chan until it is usable again with
CSInhabit.

These two methods can be easily used to harass or flood other users
off of IRC, and, if done on a large enough scale, crash services
and/or the network.
A warning should also be placed in the manual warning people who add
extbans to their ircd to also enable proper checking in the services.
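
The check suggested in the post (test the channel's +e entries, including `~c:` extbans, against the user before services bans and kicks), sketched in C as an added example; it is not code from the original post or from IRC Services. The `struct user` layout and the function names are hypothetical, and only the plain `~c:#channel` form shown in the post is handled.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Hypothetical user record: nick!user@host plus a NULL-terminated channel list. */
struct user { const char *mask; const char *const *chans; };

static int lc(char c) { return tolower((unsigned char)c); }

/* Case-insensitive glob match supporting '*' and '?' (ASCII casemapping only). */
static int glob_match(const char *pat, const char *s)
{
    const char *star = NULL, *back = NULL;
    while (*s) {
        if (*pat == '*') { star = ++pat; back = s; }
        else if (*pat == '?' || lc(*pat) == lc(*s)) { pat++; s++; }
        else if (star) { pat = star; s = ++back; }   /* let '*' absorb one more char */
        else return 0;
    }
    while (*pat == '*') pat++;
    return *pat == '\0';
}

/* Return 1 if any +e entry covers the user, i.e. a +b alone would not keep
 * the user out and a ban-and-kick would repeat on every rejoin. */
int covered_by_except(const struct user *u, const char *const *excepts)
{
    for (size_t i = 0; excepts[i]; i++) {
        const char *e = excepts[i];
        if (strncmp(e, "~c:", 3) == 0) {
            /* Extban: applies when the user is on the named channel. */
            for (size_t j = 0; u->chans[j]; j++)
                if (strcasecmp(e + 3, u->chans[j]) == 0)
                    return 1;
        } else if (glob_match(e, u->mask)) {
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed sample mirroring case 1 of the post. */
    const char *const chans[] = { "#otherchan", NULL };
    const struct user test = { "Test!adfy@localhost", chans };
    const char *const excepts[] = { "~c:#otherchan", NULL };
    return covered_by_except(&test, excepts) ? 0 : 1;
}
```
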