<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<TITLE> [IRCServices] /ns ghost exploit</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20/ns%20ghost%20exploit&In-Reply-To=">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="002850.html">
<LINK REL="Next" HREF="002852.html">
<BODY BGCOLOR="#ffffff">
<H1>[IRCServices] /ns ghost exploit</H1>
<A HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20/ns%20ghost%20exploit&In-Reply-To=" TITLE="[IRCServices] /ns ghost exploit">achurch at achurch.org</A>
<I>Thu Mar 14 19:17:00 PST 2002</I>
<LI>Previous message: <A HREF="002850.html">[IRCServices] What is wrong?</A>
<LI>Next message: <A HREF="002852.html">[IRCServices] /ns ghost exploit</A>
<LI> <B>Messages sorted by:</B>
<a href="date.html#2851">[ date ]</a>
<a href="thread.html#2851">[ thread ]</a>
<a href="subject.html#2851">[ subject ]</a>
<a href="author.html#2851">[ author ]</a>
<PRE> C'est la vie; I don't see this as a problem Services needs to handle.
If you have particular users doing this and it annoys other users, deal
with the trouble causers individually.

<A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">achurch at achurch.org</A>
<A HREF="http://achurch.org/">http://achurch.org/</A>
>><i> Andrew Church wrote
</I>>><i> Services does not use SVSKILL in the first place,
</I>><i>Sorry, my mistake. I meant Services will issue a kill for that user.
</I>>><i> does not allow
</I>>><i> GHOST anyway without a password unless the calling user is on
</I>>><i> the access
</I>>><i> list of the target nick _and_ the nick does not have the
</I>>><i> SECURE option set.
</I>><i>I know this. It still does not prevent a user using services to kill
</I>><i>another user just because they happen to use their nickname.
</I>><i>Nick A registers A and also registers or links B, C, D, E.
</I>><i>A new user connects using nick B and would get the usual warning from
</I>><i>services. However, before they have the opportunity to choose a new
</I>><i>nickname, A who is identified and has the password for B issues /ns ghost B
</I>><i>password either manually or from a script which kills that user from the
</I>><i>network. I didn't highlight a problem with the way services checks a user's
</I>><i>right to issue the command, merely in the way that the command is open to
</I>>><i> Have you modified Services?
</I>>><i> --Andrew Church
</I>>><i> <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">achurch at achurch.org</A>
</I>>><i> <A HREF="http://achurch.org/">http://achurch.org/</A>
</I>>><i> >Something I recently became aware of was users "abusing" the
</I>>><i> ghost command.
</I>>><i> >When the ghost command is issued, Services will SVSKILL the
</I>>><i> user from the
</I>>><i> >network. However, the new trend appears to be setting up a
</I>>><i> notify script,
</I>>><i> >which will automatically ghost any user trying to use a
</I>>><i> given nickname.
</I>>><i> >This quickly became popular. How this came to my attention
</I>>><i> is that a new
</I>>><i> >user was trying to access the network but was repeatedly
</I>>><i> killed by the
</I>>><i> >ghost command.
</I>>><i> >Use of "kill immediate" should be sufficient for those users
</I>>><i> who do not
</I>>><i> >want people using their nicknames and can be handled by
</I>>><i> services with a
</I>>><i> >nick change so I do not see use of the command in this manner as
</I>>><i> >beneficial.
</I>>><i> >One way to remove this exploit which seems the least complex
</I>>><i> to actually
</I>>><i> >manage is to only trigger the ghost if the target is
</I>>><i> currently identified.
</I>>><i> >This would mean that in the event a user got disconnected
</I>>><i> before they were
</I>>><i> >able to identify, they would be unable to remove a real 'ghost' on
</I>>><i> >reconnect with the ghost command, but they could use 'recover'
</I>>><i> >and 'release' instead. I believe that the 'recover' will
</I>>><i> "guest" a user
</I>>><i> >where NSForceNickChange is enabled.
</I>>><i> >--
</I>>><i> >Mark.
</I>
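The authorization rule and the proposed restriction discussed in this thread, modelled side by side as an added example (this is not IRC Services source code and not written by either poster). The struct and function names are hypothetical, and treating a wrong password as a denial is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the state the thread talks about; these are not
 * IRC Services' real structures. */
struct nick_record {
    const char *password;   /* registered password (plaintext only in this model) */
    bool secure;            /* SECURE option set on the nick */
    bool caller_on_access;  /* caller matches the nick's access list */
};

struct online_user { bool identified; };  /* current holder of the nick */

/* Rule as described in the thread: a correct password suffices; without a
 * password the caller must be on the access list AND SECURE must be off.
 * Assumption: a wrong password is a denial, with no fallback. */
static bool caller_authorized(const struct nick_record *nr, const char *pass)
{
    if (pass != NULL)
        return strcmp(pass, nr->password) == 0;
    return nr->caller_on_access && !nr->secure;
}

/* Behaviour described in the thread: an authorized caller can have the
 * current holder of the nick killed whether or not that holder identified. */
bool ghost_allowed_current(const struct nick_record *nr,
                           const struct online_user *target, const char *pass)
{
    (void)target;
    return caller_authorized(nr, pass);
}

/* Proposal from the thread: GHOST acts only on a session that is identified
 * for the nick; an unidentified holder is left to RECOVER/RELEASE. */
bool ghost_allowed_proposed(const struct nick_record *nr,
                            const struct online_user *target, const char *pass)
{
    return target->identified && caller_authorized(nr, pass);
}

int main(void)
{
    /* Thread scenario with constructed values: A knows B's password and the
     * newcomer holding B has not identified. */
    struct nick_record b = { "constructed-pass", true, false };
    struct online_user newcomer = { false };
    printf("current=%d proposed=%d\n",
           ghost_allowed_current(&b, &newcomer, "constructed-pass"),
           ghost_allowed_proposed(&b, &newcomer, "constructed-pass"));
    return 0;
}
```

The proposed rule also refuses the case of an owner whose own stale session never identified, which is the trade-off the quoted proposal itself points out.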