RELEASE -> !RELEASE

[irc.git] / software / !RELEASES / ircservices / achurch.org / services / lists / ircservices / 2002 / 002846.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [IRCServices] /ns ghost exploit
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20/ns%20ghost%20exploit&In-Reply-To=">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="002845.html">
   <LINK REL="Next"  HREF="002847.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[IRCServices] /ns ghost exploit</H1>
    <B>Mark Hetherington</B> 
    <A HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20/ns%20ghost%20exploit&In-Reply-To="
       TITLE="[IRCServices] /ns ghost exploit">mark at ctcp.net
       </A><BR>
    <I>Thu Mar 14 12:27:01 PST 2002</I>
    <P><UL>
        <LI>Previous message: <A HREF="002845.html">[IRCServices] /ns ghost exploit
</A></li>
        <LI>Next message: <A HREF="002847.html">[IRCServices] What is wrong?
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#2846">[ date ]</a>
              <a href="thread.html#2846">[ thread ]</a>
              <a href="subject.html#2846">[ subject ]</a>
              <a href="author.html#2846">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>&gt;<i> Andrew Church wrote
</I>&gt;<i>      Services does not use SVSKILL in the first place, 
</I>
Sorry, my mistake. I meant Services will issue a kill for that user.

&gt;<i> and 
</I>&gt;<i> does not allow
</I>&gt;<i> GHOST anyway without a password unless the calling user is on 
</I>&gt;<i> the access
</I>&gt;<i> list of the target nick _and_ the nick does not have the 
</I>&gt;<i> SECURE option set.
</I>
I know this. It still does not prevent a user using services to kill 
another user just because they happen to use their nickname.

Nick A register A and also registers or links B, C, D, E.

A new user connects using nick B and would get the usual warning from 
services. However, before they have the opportunity to choose a new 
nickname, A who is identified and has the password for B issues /ns ghost B 
password either manually or from a script which kills that user from the 
network. I didn't highlight a problem with the way services checks a users 
right to issue the command, merely in the way that the command is open to 
abuse. 

&gt;<i> Have you modified Services?
</I>
No. 

Mark.

&gt;<i> 
</I>&gt;<i>   --Andrew Church
</I>&gt;<i>     <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">achurch at achurch.org</A>
</I>&gt;<i>     <A HREF="http://achurch.org/">http://achurch.org/</A>
</I>&gt;<i> 
</I>&gt;<i> &gt;Something I recently became aware of was users &quot;abusing&quot; the 
</I>&gt;<i> ghost command. 
</I>&gt;<i> &gt;
</I>&gt;<i> &gt;When the ghost command is issued, Services will SVSKILL the 
</I>&gt;<i> user from the 
</I>&gt;<i> &gt;network. However, the new trend appears to be setting up a 
</I>&gt;<i> notify script, 
</I>&gt;<i> &gt;which will automatically ghost any user trying to use a 
</I>&gt;<i> given nickname. 
</I>&gt;<i> &gt;This quickly became popular. How this came to my attention 
</I>&gt;<i> is that a new 
</I>&gt;<i> &gt;user was trying to access the network but was repeatedly 
</I>&gt;<i> killed by the 
</I>&gt;<i> &gt;ghost command. 
</I>&gt;<i> &gt;
</I>&gt;<i> &gt;Use of &quot;kill immediate&quot; should be sufficient for those users 
</I>&gt;<i> who do not 
</I>&gt;<i> &gt;want people using their nicknames and can be handled by 
</I>&gt;<i> services with a 
</I>&gt;<i> &gt;nick change so I do not see use of the command in this manner as 
</I>&gt;<i> &gt;beneficial. 
</I>&gt;<i> &gt;
</I>&gt;<i> &gt;One way to remove this exploit which seems the least complex 
</I>&gt;<i> to actually 
</I>&gt;<i> &gt;manage is to only trigger the ghost if the target is 
</I>&gt;<i> currently identified. 
</I>&gt;<i> &gt;
</I>&gt;<i> &gt;This would mean that in the event a user got disconnected 
</I>&gt;<i> before they were 
</I>&gt;<i> &gt;able to identify, they would be unable to remove a real 'ghost' on 
</I>&gt;<i> &gt;reconnect with the ghost command, but they could use 'recover' 
</I>&gt;<i> &gt;and 'release' instead. I believe that the 'recover' will 
</I>&gt;<i> &quot;guest&quot; a user 
</I>&gt;<i> &gt;where NSForceNickChange is enabled.
</I>&gt;<i> &gt;
</I>&gt;<i> &gt;-- 
</I>&gt;<i> &gt;Mark.
</I>
-- 
Mark.



</PRE>

<!--endarticle-->
    <HR>
    <P><UL>
        <!--threads-->
        <LI>Previous message: <A HREF="002845.html">[IRCServices] /ns ghost exploit
</A></li>
        <LI>Next message: <A HREF="002847.html">[IRCServices] What is wrong?
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#2846">[ date ]</a>
              <a href="thread.html#2846">[ thread ]</a>
              <a href="subject.html#2846">[ subject ]</a>
              <a href="author.html#2846">[ author ]</a>
         </LI>
       </UL>

</body></html>