www.IRC-Junkie.org – IRC News

All about Internet Relay Chat

KVIrc 3.4.0 irc:// URI handler format string vulnerability – reloaded

No, not only mIRC has bugs ;)

For the second time, after a similar vulnerability in 2007, the irc:// URI-handler of KVIrc 3.4.0 is vulnerable to exploitation.

For successful exploitation of the security hole the user needs to be tricked into following a maliciously crafted irc:// link. “Failed exploit attempts may cause denial-of-service conditions.” at least, or it might even enable the attacker “to execute arbitrary code with the privileges of the user running the affected application” - which we all know is Administrator for 95% of all Windows machines.

However, this post on the KVIrc mailing list claims the bug is invalid and KVIrc 3.4.x is not affected, but after a short test I can at least confirm that there is indeed an issue that causes a DoS, because KVIrc crashes after opening the malformed link.

The usual suggestion to upgrade to the latest version to avoid the vulnerability is superfluous, at least for the Windows version of KVIrc, as 3.4.0 is the latest “stable” release that can be obtained from the website.

Update 11/7/08: There is now an update to version 3.4.2 available for download.

EFNet IRC net and Website get hacked

www.irc-junkie.org tried to get in touch with EFNet for comment on the events, to no avail, but was instead contacted by the hackers themselves.

The hackers, identifying themselves as “2l8”, allegedly killed off the IRCd on efnet.nl and relinked with their “ircd with a custom-made patch iHaq wrote just for the occasion. Amongst other nifty features it had kill protection, automatic opering, hardcoded spoof (in case anyone got in and looked at the config files) for us (root@your.servers) and a more dynamic, yet coded in spoof that gave every connected user a host like OWNED-#.MASSIVE.2l8.OWNAGE”.

When asked about their motives they replied “The current situation of morons running a lot of the network … is unacceptable. It’s no wonder kids resort to DDoSing IRC-servers. We felt it was time to send a clear message: We Own You. We will always own you … Being on IRC is no different from being in a large crowd, there is no reason for you to act like you are 12 and a bitch.”

They however stated that they themselves are EFNet regulars: “Some of us have been on EFnet for 12 years, so that would be a yes. With the current state of affairs tho, we might just pound it into the stone age and go hang out on freenode or something where people actually behave like regular human beings …”

Asked about the techniques behind the hack they replied “This attack has consisted of using privately developed Linux and FreeBSD remote kernel bugs, as well as certain daemon bugs (apache, openssh, bind, etc.) as well as webapp bugs, and sniffing. However the technique so far has been to rely on people’s totally predictable egos. Most of these folks have an ego the size of the Great Wall of China.”

Talking about the hacked webpage http://www.efnet.org, which displayed gay porn titled “oper convention” for two days, they said “The EFnet admins (and opers + groupies) thought we played with DNS cache poisoning for days to get their website to show gay porn, however, we never even attempted that, as we owned their nameservers:)”

Closing the email they wrote “The 2l8 team want to take this opportunity to tell everyone that a little love and respect goes a long way. Admins, opers or users, you are all still just human, us included.

- It’s never 2l8 to start being nice.

- The 2l8 team: iHaq, iRoot, iPwn, iSniff.”

Of course, any comments from the EFNet side are more than welcome and, if need be, will be handled in strict confidence.

IRCu Family IRCd DoS Exploit

Last month a new bug was found in IRCu-family IRCds which can be exploited to crash the server.

In this post on Milw0rm the bug and exploit are explained. IRCu (<= 2.10.12.12) and many derivatives are affected.

IRC-Junkie asked Slug, who found the bug and described it on Milw0rm, how he found the bug. “Core dump from one of our servers,” Slug starts. “send_user_mode in s_user.c does not check that the argument after a +r mode is present; if it is not, then the NULL sentinel may be missed, causing the function to iterate over the boundary of the array.”

One way to trigger the bug would be the command /mode nickname i i i i i i i i i i i i i i i r r r r s. Doing so would core the server.
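The missing check Slug describes, shown in C as an added example constructed for this post (it is not IRCu's source, and the function and input names are assumptions): each 'r' flag consumes one entry from a NULL-terminated argument array, and the parser refuses the request at the sentinel instead of iterating past it.

```c
#include <stdio.h>

/* Constructed example, not IRCu's code: a simplified user-mode parser in the
 * style Slug describes.  Each 'r' flag consumes one entry from a
 * NULL-terminated argument array (like ircu's parv[]).  The check on
 * argv[consumed] is the one the page says was missing: without it, a mode
 * string with more 'r' flags than arguments walks past the NULL sentinel and
 * reads out of bounds.  Returns the number of arguments consumed, or -1 when
 * a flag that needs an argument has none left. */
int parse_user_mode(const char *modes, char *const argv[])
{
    int consumed = 0;

    for (const char *p = modes; *p != '\0'; p++) {
        switch (*p) {
        case '+':
        case '-':
            break;          /* direction markers take no argument */
        case 'r':
            if (argv[consumed] == NULL)
                return -1;  /* argument missing: stop at the sentinel */
            consumed++;
            break;
        default:
            break;          /* 'i', 's' and other flags take no argument */
        }
    }
    return consumed;
}

/* Returns 1 when the request is safe to apply, 0 when the server should
 * reject it with an error reply instead of touching the mode array. */
int user_mode_request_ok(const char *modes, char *const argv[])
{
    return parse_user_mode(modes, argv) >= 0;
}

int main(void)
{
    /* Constructed inputs: one real argument, then the sentinel. */
    char *one_arg[] = { "account", NULL };

    printf("+ir -> %d\n", parse_user_mode("+ir", one_arg));
    /* The page's crash pattern: many 'i', then four 'r', then 's'. */
    printf("+i...rrrrs -> %d\n",
           parse_user_mode("+iiiiiiiiiiiiiiirrrrs", one_arg));
    return 0;
}
```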

The only cure is to upgrade to the latest version of the IRCd, which contains a fix for this bug.

Majority of Junk Traffic Consists of DDoS Targeted at IRC Servers

Security service provider Arbor Networks studied the share of junk traffic in total Internet traffic and found some remarkable figures when it comes to IRC traffic.

Over the past 1.5 years the company analyzed data from 70 ISPs. The findings show that on average 4% of all traffic is junk, such as spam and DDoS attacks, topping 1.5 TB of data per second.

Of this 4%, the roughly 1300 DDoS attacks per day on average make up half of the junk traffic, but on occasion DDoS can make up 5% of total Internet traffic. Of the monitored DDoS attacks, the majority consists of TCP SYN floods and ICMP floods targeted at IRC servers.

The same survey showed email making up 1.5% of total traffic. Of this, 66% is spam.

The report with the findings has not yet been published, but the company says it will be available soon.

IRC Network Admin: More Than You Bargained For

Many people wish to have their own IRC network. Once a basic network is set up they advertise it to gain users, in the hope that many will find it and start using it. But what if those users abuse your good intentions and start using your infrastructure to host bots engaged in illegal activities? Then things can become a real-life nightmare. In this article we follow Dewd, from network admin to a suspected criminal with a 10-year prison sentence hanging over his head.

Dewd started his network in 2005 and, as many fresh network admins do, started advertising the network in as many places as he could find, such as SearchIRC and mIRC’s servers.ini file.

With the advertising came users, including users he had not wished for. “Two pirates from Undernet came and started to load their bots with fake nicknames and a fake channel name (#warez-rose) in secret mode (+s), trying to make it look like peer-to-peer bots, but these bots weren’t for peer-to-peer, I think.”

Dewd installed IRC Defender to remove the bots from his network, which worked well. But naturally, that would not stop the bots from trying to connect to the network. Despite trying to keep his network free from such influences, Dewd was arrested in late February, along with 16 other suspects, by the Sûreté du Québec, Quebec’s provincial police. The arrests included the two users loading the bots, one of whom is still in custody, according to Dewd. All 17 people are seen as suspected members of “a vast computer piracy network”, as a police report explained.

“Over 100 countries on all of the continents are affected. Current damage to computer infrastructure is estimated at more than $45 million”, the police report explains. The malicious users infected computers with malware in order to steal private data and to use the machines for DDoS attacks, phishing and spamming.

“During the 17 searches conducted today, eight suspects were apprehended with an arrest warrant and will appear in court. The police questioned the other nine suspects, who have been released by way of summons.” Maximum sentence for these crimes is 10 years in prison.

Dewd is not one of the eight, but he is not yet cleared, as the police are still investigating his computers. “The charge against me is the illegal use of a computer.”

“We recommend that anyone who suspects that his computer has been hacked consult a computer specialist”, the police report ends. This, of course, is advice IRC-Junkie fully recommends!

Dewd ends, “I’ve been under investigation since 2006; all I do is download, chat a bit and watch funny videos on the web… I’m not the kind of person who DDoSes websites. Peer-to-peer isn’t illegal in Canada. I download movies for me and my girlfriend, and also my kids. I’m not making money with it; I download because I don’t have enough money to buy them.”

An interview with Dewd for local media can be found here (French). The English-language police report can be found here.