IRC-Junkie.org – IRC News

Syzop of the UnrealIRCd project just posted an announcement on their mailinglist and forums that some versions of their IRCd have been compromised and had a backdoor added which went unnoticed for quite a while.

The first signs of the compromise have been traced back to November 2009 and Syzop writes that “Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be safe, but you should really double-check”.

In a posting on the UnrealIRCd project website, coder Syzop announced a module that can help mitigate and completely stop the so-called “Firefox XPS Attack” (NSFW link).

The attack, which exploits the fact that malicious JavaScript can send arbitrary data to a wide range of ports, gained publicity when it was used against the freenode network over a period of a few weeks.

Even though the Mozilla project has a blocklist of ports that are specifically not allowed to be communicated to, the port commonly used by IRC networks (6667) was not on those lists.

The UnrealIRCd project released a bugfix release of version 3.2.8 and the current release is now 3.2.8.1.

The bugfix became necessary as a crash has been found in the option allow::options::noident.

In a short interview developer nate explains how the crash is being triggered and how to avoid it:

There was an issue in allow::options::noident, where if it was enabled in an allow block that a user could potentially crash a server due to a buffer overflow. As far as we’ve been able to see, there’s no risk of remote code execution as much as it just causing a segfault.  The main ways of resolving it are updating to 3.2.8.1 or simply making sure no allow blocks specifically have noident (which most by default won’t thankfully).

A little less than 4 weeks after the -rc1 release, there now is a -rc2 release of UnrealIRCd 3.2.8 available where some of the still present bugs have been fixed.

Fixes in this release include a bug that prevented you from compiling the IRCd on Mac OS X , problems with OperOverride that prevented you from -q/-a’ing someone when you were halfop, an issue with SuSE Linux 10.3 on AMD64 arch where the IRCd core-dumped on start, prevention of throttling client connections and stalling the IRCd when there are big adjustments made to the systems time after starting the IRCd and, last but not least, the documentation has been updated to reflect the latest additions and changes.

And another one in the IRCd updates list – this time it’s Unreal.

After it has been announced that Stskeeps will leave the project behind there has been quite some uproar as it is one of the most widely used IRCd’s today.

The announcement was quickly followed up by nate, who explained that he will indeed continue development on version 3.3.x so the project is far away from being dead but he also noted that “Its still going to be a few months off before any code is here for base uses” as he is “the only one working on 3.3 right now”.