<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
 <TITLE> [IRCServices] unhappy restart quirks with 5.0.10 (was 5.0.9)
 </TITLE>
 <LINK REL="Index" HREF="index.html" >
 <LINK REL="made" HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20unhappy%20restart%20quirks%20with%205.0.10%20%28was%205.0.9%29&In-Reply-To=Pine.LNX.4.53L0.0302221955380.5210%40phoenix.siarch.net">
 <META NAME="robots" CONTENT="index,nofollow">
 <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
 <LINK REL="Previous" HREF="003595.html">
 <LINK REL="Next" HREF="003596.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
 <H1>[IRCServices] unhappy restart quirks with 5.0.10 (was 5.0.9)</H1>
 <B>Andrew Church</B>
 <A HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20unhappy%20restart%20quirks%20with%205.0.10%20%28was%205.0.9%29&In-Reply-To=Pine.LNX.4.53L0.0302221955380.5210%40phoenix.siarch.net"
 TITLE="[IRCServices] unhappy restart quirks with 5.0.10 (was 5.0.9)">achurch at achurch.org
 </A><BR>
 <I>Sun Feb 23 09:45:50 PST 2003</I>
 <P><UL>
 <LI>Previous message: <A HREF="003595.html">[IRCServices] unhappy restart quirks with 5.0.10 (was 5.0.9)
</A></li>
 <LI>Next message: <A HREF="003596.html">[IRCServices] Problem with v5.0.11
</A></li>
 <LI> <B>Messages sorted by:</B>
 <a href="date.html#3597">[ date ]</a>
 <a href="thread.html#3597">[ thread ]</a>
 <a href="subject.html#3597">[ subject ]</a>
 <a href="author.html#3597">[ author ]</a>
 </LI>
 </UL>
 <HR>
<!--beginarticle-->
<PRE>&gt;<i>Now the obvious corollary question: with a single unlinked server running
</I>&gt;<i>Unreal 3.2 with IRCServices U:lined in - are there any security issues
</I>&gt;<i>raised by disabling NoSplitRecovery? I.e. is there any way a malicious
</I>&gt;<i>client could fake a timestamp during an /msg operserv restart to steal
</I>&gt;<i>somebody's nick privileges?
</I>
 Zero (for all practical purposes) under Unreal. From the source code
(modules/nickserv/util.c):

    /*
     * This can be exploited to gain improper privilege if an attacker
     * has the same Services stamp, username and hostname as the
     * victim.
     *
     * Under ircd.dal 4.4.15+ (Dreamforge) and other servers supporting
     * a Services stamp, Services guarantees that the first condition
     * cannot occur unless the stamp counter rolls over (2^31-1 client
     * connections). This is practically infeasible given present
     * technology. As an example, on a network of 30 servers, an
     * attack introducing 50 new clients every second on every server,
     * requiring at least 10-15 megabits of bandwidth, would need to be
     * sustained for over 16 days to cause the stamp to roll over.
     *
     * Under other servers, an attack is theoretically possible, but
     * would require access to either the computer the victim is using
     * for IRC or the DNS servers for the victim's domain and IP
     * address range in order to have the same hostname, and would
     * require that the attacker connect so that he has the same server
     * timestamp as the victim. Practically, the former can be
     * accomplished either by finding a victim who uses a shell account
     * on a multiuser system and obtaining an account on the same
     * system, or through the scripting capabilities of many IRC
     * clients combined with social engineering; the latter could be
     * accomplished by finding a server with a clock slower than that
     * of the victim's server and timing the connection attempt
     * properly.
     *
     * If someone gets a hacked server into your network, all bets are
     * off.
     */


 --Andrew Church
 <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">achurch at achurch.org</A>
 <A HREF="http://achurch.org/">http://achurch.org/</A>
</PRE>

<!--endarticle-->
</body></html>