In this post on Milw0rm the bug and exploit is explained. IRCu (<= 2.10.12.12) and many derivatives are affected.

IRC-Junkie asked Slug, who found the bug and described it on Milw0rm, how he found the bug. “Core dump from one of our servers,” Slug starts. “send_user_mode in s_user.c does not check that the argument after a +r mode is present, if it is not than the NULL sentinel may be missed, causing the function to iterate over the boundary of the array.”

One way to exploit the bug would be using the command with string /mode nickname i i i i i i i i i i i i i i i r r r r s. Doing so would core the server.

Only cure is to upgrade to the latest version of the IRCd with fix for this exploit.

IRCu Family IRCd DoS Exploit is a post from: IRC-Junkie.org - IRC News

This post is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Deutschland license.

Related posts:

1. GameSurge tests new IPv6 code in ircu
2. mIRC Local DCC Issue: Exploit, Vulnerability or Neither?
3. XChat Author Warns for Firefox Exploit

IPv6 support is one of the new features of ircu2.10.12, the IRC deamon which is also in use on the Undernet network.

We asked Entrope, coordinator of the ircu2.10.12 development, how the test was going so far. “We found a moderate number of problems very early in the test, but that is typical for rolling out so much new code.  In the past two weeks, we have seen only one minor problem.  It is specific to a GameSurge patch, and should be fixed by the current version of that patch.”

The users have been excited over the support for IPv6 “Between IPsec and other new features of IPv6, we think the benefits of IRC over IPv6 outweigh the possible problems”, Entrope explains.

In the IRC community there have been some concerns about the big ammount of IP addresses users have the access to with IPv6. Entrope about this issue: “The clone checking code in ircu should prevent that; the new code works on larger blocks than single IPs.  There are a few cases that it does not currently address, since those require information about end-user netblock sizes, but those should be rare and can be handled as they arise.”

GameSurge is planning to setup a second server testing this IPv6 code, and naturally, when ircu2.10.12 is being released it will be rolled out to all GameSurge servers. Also Undernet has plans to test the new ircu with the IPv6 code.

The new ircu also contains some other interesting changes. The format of the configuration file will be simplified and is based on ircd-hybrid’s one, as is the DNS resolver, new channel modes that will automatically op a user who joins with a specific key, aliases for /X and /chanserv type of commands, and

GameSurge tests new IPv6 code in ircu is a post from: IRC-Junkie.org - IRC News

This post is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Deutschland license.

Related posts:

1. One User Causes Networkwide ISP Ban on GameSurge
2. IRC.EFNet.CH Supports IPv6
3. Troublemaker Forces GameSurge to GLine ISP

“The aim of this proposal is to develop new techniques for information gathering, analysis and modeling of chatroom communications”, the document explains. What the document did not lined out was that it was the CIA who was behind the funding.

Leland Jameson, NSF programme director said last Wednesday that the two year program will probably not see a new term.

In June 2004 the two researchers mentioned in the document , Yener and Krishnamoorthy, released a paper (NSF funded) that described a project where users on the Undernet IRC network were monitored. In the paper they described their work as “could aid (the) intelligence community to eavesdrop in chatrooms, profile chatters and identify hidden groups of chatters in a cost-effective way.”

To monitor chat on Undernet the researchers would need to actually have a client inside the channels they want to monitor. Private messaging between two users is not possible to follow for an outsider, unless the ircd contains code to do so. As the ircd in use on Undernet, ircu, is open source, this seems highly unlikely.

Al Teich, director of science and policy programmes at the American Association for the Advancement of Science has in general nothing about the CIA funding anti-terrorism, but “Whether the CIA ought to be funding research in universities in a clandestine manner is a different issue.”

Several articles can be found using Google News for further reading. Thanks to Ed for initially bringing it to my attention

Update: “Undernet has never knowingly been a part of any snooping project for the government. We were totally unaware of this”, said an Undernet official in a reaction to IRC-Junkie.

A PDF explains the initial research and includes the explanation on why they picked out #usa, #philosophy and #political on the Undernet IRC network.

Update2: People have asked me what hosts the bots are using. It is not hard to find the bots online, as the bots are not set +i at all. Doing a who *.rpi.edu quickly shows the next connection:

resh is ~camtes@opt.cs.rpi.edu

resh is Seyit A. Camtepe

End of WHO matching *.rpi.edu – 1 user(s) found

From the PDF we know Ahmet Camtepe is one of the researchers, and that camtes@cs.rpi.edu is his email address. Whoisses of the last few days show that the bots are moving around channels, and have abandoned the 3 channels mentioned in the PDF.

CIA funds monitoring of IRC (updated 2) is a post from: IRC-Junkie.org - IRC News

This post is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Deutschland license.

Related posts:

1. Honeynet Project Releases Paper on Botnets
2. Undernet Celebrates its 15th Birthday
3. Oslo* server Duo Delinks from Undernet