<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<TITLE> [IRCServices] /ns ghost exploit</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20/ns%20ghost%20exploit&In-Reply-To=">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="002845.html">
<LINK REL="Next" HREF="002847.html">
<BODY BGCOLOR="#ffffff">
<H1>[IRCServices] /ns ghost exploit</H1>
<B>Mark Hetherington</B>
<A HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20/ns%20ghost%20exploit&In-Reply-To=" TITLE="[IRCServices] /ns ghost exploit">mark at ctcp.net</A>
<I>Thu Mar 14 12:27:01 PST 2002</I>
<LI>Previous message: <A HREF="002845.html">[IRCServices] /ns ghost exploit</A>
<LI>Next message: <A HREF="002847.html">[IRCServices] What is wrong?</A>
<LI> <B>Messages sorted by:</B>
<a href="date.html#2846">[ date ]</a>
<a href="thread.html#2846">[ thread ]</a>
<a href="subject.html#2846">[ subject ]</a>
<a href="author.html#2846">[ author ]</a>
<PRE>><i> Andrew Church wrote
</I>><i> Services does not use SVSKILL in the first place,
</I>
Sorry, my mistake. I meant Services will issue a kill for that user.

><i> does not allow
</I>><i> GHOST anyway without a password unless the calling user is on
</I>><i> the access
</I>><i> list of the target nick _and_ the nick does not have the
</I>><i> SECURE option set.
</I>
I know this. It still does not prevent a user using services to kill
another user just because they happen to use their nickname.

Nick A registers A and also registers or links B, C, D, E.

A new user connects using nick B and would get the usual warning from
services. However, before they have the opportunity to choose a new
nickname, A who is identified and has the password for B issues /ns ghost B
password either manually or from a script which kills that user from the
network. I didn't highlight a problem with the way services checks a user's
right to issue the command, merely in the way that the command is open to

><i> Have you modified Services?
</I>><i> --Andrew Church
</I>><i> <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">achurch at achurch.org</A>
</I>><i> <A HREF="http://achurch.org/">http://achurch.org/</A>
</I>><i> >Something I recently became aware of was users "abusing" the
</I>><i> ghost command.
</I>><i> >When the ghost command is issued, Services will SVSKILL the
</I>><i> user from the
</I>><i> >network. However, the new trend appears to be setting up a
</I>><i> notify script,
</I>><i> >which will automatically ghost any user trying to use a
</I>><i> given nickname.
</I>><i> >This quickly became popular. How this came to my attention
</I>><i> is that a new
</I>><i> >user was trying to access the network but was repeatedly
</I>><i> killed by the
</I>><i> >ghost command.
</I>><i> >Use of "kill immediate" should be sufficient for those users
</I>><i> who do not
</I>><i> >want people using their nicknames and can be handled by
</I>><i> services with a
</I>><i> >nick change so I do not see use of the command in this manner as
</I>><i> >beneficial.
</I>><i> >One way to remove this exploit which seems the least complex
</I>><i> to actually
</I>><i> >manage is to only trigger the ghost if the target is
</I>><i> currently identified.
</I>><i> >This would mean that in the event a user got disconnected
</I>><i> before they were
</I>><i> >able to identify, they would be unable to remove a real 'ghost' on
</I>><i> >reconnect with the ghost command, but they could use 'recover'
</I>><i> >and 'release' instead. I believe that the 'recover' will
</I>><i> "guest" a user
</I>><i> >where NSForceNickChange is enabled.
</I>><i> >Mark.
</I></PRE>