--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<HTML>
+ <HEAD>
+ <TITLE> [IRCServices] /ns ghost exploit
+ </TITLE>
+ <LINK REL="Index" HREF="index.html" >
+ <LINK REL="made" HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20/ns%20ghost%20exploit&In-Reply-To=">
+ <META NAME="robots" CONTENT="index,nofollow">
+ <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
+ <LINK REL="Previous" HREF="002850.html">
+ <LINK REL="Next" HREF="002852.html">
+ </HEAD>
+ <BODY BGCOLOR="#ffffff">
+ <H1>[IRCServices] /ns ghost exploit</H1>
+ <B>Andrew Church</B>
+ <A HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20/ns%20ghost%20exploit&In-Reply-To="
+ TITLE="[IRCServices] /ns ghost exploit">achurch at achurch.org
+ </A><BR>
+ <I>Thu Mar 14 19:17:00 PST 2002</I>
+ <P><UL>
+ <LI>Previous message: <A HREF="002850.html">[IRCServices] What is wrong?
+</A></li>
+ <LI>Next message: <A HREF="002852.html">[IRCServices] /ns ghost exploit
+</A></li>
+ <LI> <B>Messages sorted by:</B>
+ <a href="date.html#2851">[ date ]</a>
+ <a href="thread.html#2851">[ thread ]</a>
+ <a href="subject.html#2851">[ subject ]</a>
+ <a href="author.html#2851">[ author ]</a>
+ </LI>
+ </UL>
+ <HR>
+<!--beginarticle-->
+<PRE> C'est la vie; I don't see this as a problem Services needs to handle.
+If you have particular users doing this and it annoys other users, deal
+with the trouble causers individually.
+
+ --Andrew Church
+ <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">achurch at achurch.org</A>
+ <A HREF="http://achurch.org/">http://achurch.org/</A>
+
+>><i> Andrew Church wrote
+</I>>><i> Services does not use SVSKILL in the first place,
+</I>><i>
+</I>><i>Sorry, my mistake. I meant Services will issue a kill for that user.
+</I>><i>
+</I>>><i> and
+</I>>><i> does not allow
+</I>>><i> GHOST anyway without a password unless the calling user is on
+</I>>><i> the access
+</I>>><i> list of the target nick _and_ the nick does not have the
+</I>>><i> SECURE option set.
+</I>><i>
+</I>><i>I know this. It still does not prevent a user using services to kill
+</I>><i>another user just because they happen to use their nickname.
+</I>><i>
+</I>><i>Nick A register A and also registers or links B, C, D, E.
+</I>><i>
+</I>><i>A new user connects using nick B and would get the usual warning from
+</I>><i>services. However, before they have the opportunity to choose a new
+</I>><i>nickname, A who is identified and has the password for B issues /ns ghost B
+</I>><i>password either manually or from a script which kills that user from the
+</I>><i>network. I didn't highlight a problem with the way services checks a users
+</I>><i>right to issue the command, merely in the way that the command is open to
+</I>><i>abuse.
+</I>><i>
+</I>>><i> Have you modified Services?
+</I>><i>
+</I>><i>No.
+</I>><i>
+</I>><i>Mark.
+</I>><i>
+</I>>><i>
+</I>>><i> --Andrew Church
+</I>>><i> <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">achurch at achurch.org</A>
+</I>>><i> <A HREF="http://achurch.org/">http://achurch.org/</A>
+</I>>><i>
+</I>>><i> >Something I recently became aware of was users "abusing" the
+</I>>><i> ghost command.
+</I>>><i> >
+</I>>><i> >When the ghost command is issued, Services will SVSKILL the
+</I>>><i> user from the
+</I>>><i> >network. However, the new trend appears to be setting up a
+</I>>><i> notify script,
+</I>>><i> >which will automatically ghost any user trying to use a
+</I>>><i> given nickname.
+</I>>><i> >This quickly became popular. How this came to my attention
+</I>>><i> is that a new
+</I>>><i> >user was trying to access the network but was repeatedly
+</I>>><i> killed by the
+</I>>><i> >ghost command.
+</I>>><i> >
+</I>>><i> >Use of "kill immediate" should be sufficient for those users
+</I>>><i> who do not
+</I>>><i> >want people using their nicknames and can be handled by
+</I>>><i> services with a
+</I>>><i> >nick change so I do not see use of the command in this manner as
+</I>>><i> >beneficial.
+</I>>><i> >
+</I>>><i> >One way to remove this exploit which seems the least complex
+</I>>><i> to actually
+</I>>><i> >manage is to only trigger the ghost if the target is
+</I>>><i> currently identified.
+</I>>><i> >
+</I>>><i> >This would mean that in the event a user got disconnected
+</I>>><i> before they were
+</I>>><i> >able to identify, they would be unable to remove a real 'ghost' on
+</I>>><i> >reconnect with the ghost command, but they could use 'recover'
+</I>>><i> >and 'release' instead. I believe that the 'recover' will
+</I>>><i> "guest" a user
+</I>>><i> >where NSForceNickChange is enabled.
+</I>>><i> >
+</I>>><i> >--
+</I>>><i> >Mark.
+</I>><i>
+</I>><i>--
+</I>><i>Mark.
+</I>><i>
+</I>><i>
+</I>><i>------------------------------------------------------------------
+</I>><i>To unsubscribe or change your subscription options, visit:
+</I>><i><A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">http://www.ircservices.za.net/mailman/listinfo/ircservices</A>
+</I>
+</PRE>
+
+<!--endarticle-->
+ <HR>
+ <P><UL>
+ <!--threads-->
+ <LI>Previous message: <A HREF="002850.html">[IRCServices] What is wrong?
+</A></li>
+ <LI>Next message: <A HREF="002852.html">[IRCServices] /ns ghost exploit
+</A></li>
+ <LI> <B>Messages sorted by:</B>
+ <a href="date.html#2851">[ date ]</a>
+ <a href="thread.html#2851">[ thread ]</a>
+ <a href="subject.html#2851">[ subject ]</a>
+ <a href="author.html#2851">[ author ]</a>
+ </LI>
+ </UL>
+
+</body></html>
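Review bot: The two mailto URLs in the header (the `<LINK REL="made">` element and the author `<A HREF=...>` under the `<H1>`) use a bare `&` before `In-Reply-To=` and leave that parameter empty. Write it as `&amp;In-Reply-To=` or drop the empty parameter so the attribute value is valid HTML. The page also links to `index.html`, `002850.html`, `002852.html` and the `date.html`, `thread.html`, `subject.html` and `author.html` indexes, none of which appear in this change, so confirm they are added alongside it or the navigation will dangle. Minor style point: the closing `</body></html>` is lowercase while the opening `<HTML>` and `<BODY>` are uppercase.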