IRC-Junkie.org – IRC News

All about Internet Relay Chat

UnrealIRCd Survey

As the #1 most used IRC daemon on most networks, UnrealIRCd as we all know is a great daemon. It has many features, easy configureation and good irc support. But as IRC grows (or dies depending on how you look at it), there are more and more IRC daemons being released. With all of the long time IRC users learning to code, they decide to branch out either from the unrealircd source or from another IRC daemon source. With that being said, UnrealIRCd is slowly moving down the popularity list.

So to improve the UnrealIRCd, Syzop (Bram Matthys), has decided to launch an online survey.

This survey is not only for those who have dealt with UnrealIRCd as a developer, but for anyone and everyone who has ever been on an IRC network, that runs UnrealIRCd, either as just a user, an admin, or a developer. The results from the survey will be used by the UnrealIRCd development team to know what areas to focus more time on in the Unreal3.4.x series

The purpose of this survey is to give us a good idea of how people think about UnrealIRCd, how it’s being used, and – even more important – in what areas we should improve.
–Syzop, Project Leader. Developer/maintainer of UnrealIRCd 3.2.x and 3.4.x

So if you like, dislike, or want UnrealIRCd to be improved in any way, shape or form, this is your time to fill out this survey. It takes about 15 minutes of your time to complete (only if you end up having to answer all 33 questions), But some questions are skipped depending on your answer for some questions.

If you have 15 minutes to spare right now, we encourage you to visit http://survey.unrealircd.com

UnrealIRCd 3.2.9 – New stable version after 2 years

UnrealIRCd, the IRCd that still dominates the usage statistics of all IRCds, has seen another stable release and is now at version 3.2.9.

After 2 release candidates and with 212 changes and bugfixes – almost the same amount as the last three stable releases combined – among which is a “substantial amount of new features” as Syzop writes in their announcement.

He thanks everyone that made this release possible but especially mentions binki who did a “considerable amount of work to make this release possible”.

And indeed, there is a large amount of changes – for example:

  • Extended Bans (new modes introduced, ban stacking behaviour)
  • Extended Invite Exceptions / Invex
  • New Channelmode +Z which works in conjunction with +z (SSL only) and is set once every joined user is on SSL which might not be the case during netsplits/-joins
  • Remote MOTD support
  • Remote includes caching so that an old version of a remote include is loaded in case the webserver containing the include is down
  • /rehash -global – rehashes all servers at once
  • STARTTLS – connect to a “regular” port SSL encrypted
  • IPv6 clones detection support, defaults to /64

A small excerpt of the bugs that have been fixed:

  • Low connection frequencies (connfreq) no longer pose a problem due to reworking the corresponding code
  • IPv6 related fixes
  • an obscure crash bug that only occured rarely on outgoing connects

Work on UnrealIRCd 3.3 already has begun and is, according to development plans, the replacement for the often retried and ultimately failed rewrite which was to be released as UnrealIRCd 4.

The release announcement can be found here and the full changelog for changes since UnrealIRCd 3.2.8.1 is here (you need to scroll all the way down).

  Copyright secured by Digiprove

Some UnrealIRCd 3.2.8.1 downloads trojaned [Update 3]

Syzop of the UnrealIRCd project just posted an announcement on their mailinglist and forums that some versions of their IRCd have been compromised and had a backdoor added which went unnoticed for quite a while.

The first signs of the compromise have been traced back to November 2009 and Syzop writes that “Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be safe, but you should really double-check”.

Only the 3.2.8.1 source downloads (.tar.gz) are affected from this hack. Windows users, copies checked out from their CVS as well as users of older versions are safe and don’t need to check – everyone else should ensure they’re running a clean version of UnrealIRCd since the backdoor allows an attacker to issue and execute commands as the user the IRCd is running as, which essentially means your shell could easily compromised despite all other security measures.

Checking if your IRCd is one of those trojanized copies can easily be done either checking with md5sum or grep’ing the source for the backdoored code:

Run ‘md5sum Unreal3.2.8.1.tar.gz’ on it and compare the resulting sum to the checksums below:

Backdoored version (BAD) is: 752e46f2d873c1679fa99de3f52a274d
Official version (GOOD) is: 7b741e94e867c0a7370553fd01506c66

or use the command ‘grep DEBUG3_DOLOG_SYSTEM include/struct.h’ from your Unreal3.2 directory – if this outputs 2 lines you’re running the trojanized version and need to get yourself a fresh and clean copy of the IRCd and recompile it since the compromised section is in the IRCds core and “it is not possible to ‘clean’ UnrealIRCd without a restart or through a module”.

Syzop writes that they have take precautions so such a compromise can never happen again and if it does that it’ll be noticed more quickly. They’re also planning to reimplement PGP/GPG signing of the releases which “in practice (very) few people use” but “still [will] be useful for those people who do”.

Closing his announcement he writes that he’d like to “apologize about this security breach. We simply did not notice, but should have. We did not check the files on all mirrors regularly, but should have. We did not sign releases through PGP/GPG, but should have done so. Hope you’ll all continue to support UnrealIRCd”.

The full announcement can be read here and the advisory can be found here.

[Update]: Servers running the trojanized versions of UnrealIRCd should be updated as soon as possible since HD Moore, the creator of the Metasploit exploitation framework, already released a module for it – but even without that the security hole is really simple to exploit.

Also, here is a .sh script that might help you in the upgrade process – at least one user on the UnrealIRCd forums claimed it worked for him (although no kind of guarantee is given neither by the author nor by me).

[Update 2]: Syzop just posted a follow-up in which he writes that their releases are “from now on signed with GnuPG (PGP) again”.

[Update 3]: In an email to the UnrealIRCd mailinglist, Syzop elaborates on the GPG/PGP signing and says that there will be instructions on how to verify the key when you download the future releases. He also goes into some detail which precautions the team has taken that such an incident “will never ever happen again”. He rightfully criticizes certain news-outlets that claimed it was the fault of the Open Source model and even Linux (*cough*ZDNet*cough*) – some websites even confused the IRCd with EPIC softwares first-person shooter Unreal Tournament.

  Copyright secured by Digiprove

UnrealIRCd team releases patch against Firefox XPS Attack

In a posting on the UnrealIRCd project website, coder Syzop announced a module that can help mitigate and completely stop the so-called “Firefox XPS Attack” (NSFW link).

The attack, which exploits the fact that malicious JavaScript can send arbitrary data to a wide range of ports, gained publicity when it was used against the freenode network over a period of a few weeks.

Even though the Mozilla project has a blocklist of ports that are specifically not allowed to be communicated to, the port commonly used by IRC networks (6667) was not on those lists.

The attack – which ironically doesn’t affect Safari, Internet Explorer or Firefox with the NoScript extension – only works if the targeted IRC server does not use anti-spoofing measures before proceeding to the login phase.

UnrealIRCd generally is immune to the threat when it was compiled with the NOSPOOF feature which is enabled by default for the Windows builds but an option that defaults to “no” on Linux (“Do you want to enable the server anti-spoof protection?” – the first question on ./Config).

With the module you can now instantly K/G/Z:Line such connections and therefore prevent them from filling up connection slots which might cause a DoS situation before they eventually time out. For maximum efficiency it is recommended you use both the module and the NOSPOOF option, however one works fine without the other.

To test whether your IRCd is vulnerable or the implemented measures against the attack are effective you can find the code that has been used against freenode here.

Thanks for the tip go to katsklaw!

UnrealIRCd updates their IRCd to 3.2.8.1

The UnrealIRCd project released a bugfix release of version 3.2.8 and the current release is now 3.2.8.1.

The bugfix became necessary as a crash has been found in the option allow::options::noident.

In a short interview developer nate explains how the crash is being triggered and how to avoid it:

There was an issue in allow::options::noident, where if it was enabled in an allow block that a user could potentially crash a server due to a buffer overflow. As far as we’ve been able to see, there’s no risk of remote code execution as much as it just causing a segfault.  The main ways of resolving it are updating to 3.2.8.1 or simply making sure no allow blocks specifically have noident (which most by default won’t thankfully).

It is vulnerable in past versions as well before 3.2.8 as well.

Being asked how far back exactly nate says the exploit exists “at least back towards 3.2.3 (before that we wouldn’t support anyways due to exploits way back then)”.

Thanks for the tip goes to Reed Loden and to nate for taking the time to answer my questions!