Trixar_za Eleet

Joined: 10 Dec 2006 Posts: 626 Location: South Africa
|
Posted: Nov 27, 2011 2:23am Post subject: IRC Defender exploited |
|
|
Thunderhacker recently revealed on the IRC-Security mailing list that IRC Defender has an exploit and advises everybody to stop using it NOW. For those that don't know, here's the original email:
| Code: |
From: Thunderhacker <irc-security@***censored***.com>
To: IRC Security Discussion List <irc-security@lists.irc-unity.org>
Subject: [irc-security] 0-day arbitrary code execution exploit in IRC Defender
Date: Sat, 26 Nov 2011 12:43:10 -0600
Reply-To: IRC Security Discussion List <irc-security@lists.irc-unity.org>
Sender: irc-security-bounces@lists.irc-unity.org
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110921 Thunderbird/3.1.15

Before you read any farther, if you have defender running on your network shut
it down. Go do it now. Not tomorrow, not later, RIGHT NOW.

While you're in your shell check for anything that would indicate a recent
intrusion (show a process list and check for rogue processes; check modification
times for files/directories and look at the files in any directory with a
modification time on or after November 15; check your
~/.ssh/authorized_keys file for rogue entries. If you don't use SSH client keys
to log in to your shell this file should be empty.)

There currently exist multiple arbitrary code execution exploits in IRC
Defender. There is a confirmed in the wild exploit for one of the holes in the
InspIRCd 1.2 link module. There are reports of other possible exploits in the
InspIRCd 1.2 link module and exploits in the UnrealIRCd link module.

I have attached to this post a fixed copy of the InspIRCd link module. Note
that this patches the bugs related to the InspIRCd link module but not those
related to the UnrealIRCd link module. Defender attached to UnrealIRCd is still
vulnerable.

A far better solution is to simply stop using IRC Defender. It is currently
unmaintained (AFAIK) and there are very few things (if any) it can do that
InspIRCd + Atheme services can't do. (If anyone is currently maintaining it
please post that fact to the list. I probably have a more updated copy of the
code than what you forked.)

Anyone saying there is an exploit in Anope is lying. The exploit is in IRC
Defender.

______________________________________________
irc-security mailing list
irc-security@lists.irc-unity.org
http://lists.irc-unity.org/mailman/listinfo/irc-security
For those that don't know this: Thunderhacker is the last known maintainer of IRC Defender (because a Jimmy on the mailing list didn't).
Anyway, now you all know.
[censored the original sender's email address, don't think they'd appreciate spam due to some spider coming across these forums and adding it to their own lists -PingBad]
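The three host checks the quoted email asks for (process list, files and directories modified on or after November 15, and `~/.ssh/authorized_keys` entries), as an added shell example that is not part of the thread or of IRC Defender. The function names and the `touch -t` cutoff format are assumptions of this sketch; modification times can be reset by whoever controls the account, so an empty result does not clear the host.

```shell
#!/bin/sh
# Added example: post-compromise triage helpers for a shell account.
# All function names here are hypothetical, chosen for this sketch.

# List files and directories under $1 modified strictly after the
# instant $2 (touch -t format CCYYMMDDhhmm.SS). To cover "on or after
# November 15", pass the last second of November 14.
recent_paths() {
    rp_ref=$(mktemp) || return 1
    touch -t "$2" "$rp_ref"
    find "$1" \( -type f -o -type d \) -newer "$rp_ref" 2>/dev/null | LC_ALL=C sort
    rm -f "$rp_ref"
}

# Count authorized_keys entries, ignoring blank lines and comments.
# A missing file counts as zero entries.
key_entry_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -Evc '^[[:space:]]*(#|$)' "$1" || true
}

# Processes owned by the current user, with elapsed run time, so that
# anything unfamiliar or started around the cutoff stands out.
user_processes() {
    ps -u "$(id -u)" -o pid,etime,args
}

triage() {
    echo "== processes owned by $(id -un) =="
    user_processes
    echo "== paths under $1 modified after $2 =="
    recent_paths "$1" "$2"
    echo "== authorized_keys entries: $(key_entry_count "$HOME/.ssh/authorized_keys") =="
}

# Run only when called as: script DIR CCYYMMDDhhmm.SS
if [ "$#" -eq 2 ]; then
    triage "$1" "$2"
fi
```

For the dates in the email, a run over the home directory would be `sh triage.sh "$HOME" 201111142359.59`, where the script name is a placeholder.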
Willaim Idler

Joined: 27 Jun 2003 Posts: 322 Location: IRC
|
Posted: Nov 27, 2011 2:57am Post subject: |
|
|
Thanks for the info!
Signed up & turned off Defender.
Bertrum Eleet

Joined: 30 Mar 2008 Posts: 573 Location: Venus
|
Posted: Nov 28, 2011 6:37am Post subject: |
|
|
Trixar are you going to add Defender to your list of IRC software that you want to fix?
phrozen77 Newbie

Joined: 13 Jul 2004 Posts: 99 Location: There!! A 3-headed monkey, right behind you!
|
Trixar_za Eleet

Joined: 10 Dec 2006 Posts: 626 Location: South Africa
|
Posted: Nov 28, 2011 10:55am Post subject: |
|
|
You could add that the original poster was named Thunderhacker and that he was the last known maintainer of IRC Defender.
| Bertrum wrote: | Trixar are you going to add Defender to your list of IRC software that you want to fix? |
Er... No. Some things are meant to be left broken
PingBad Post Whore

Joined: 05 Feb 2005 Posts: 3085 Location: New Zealand
|
Posted: Nov 28, 2011 12:01pm Post subject: |
|
|
| Trixar_za wrote: | Er... No. Some things are meant to be left broken |
I could say a lot to that...
Trixar_za Eleet

Joined: 10 Dec 2006 Posts: 626 Location: South Africa
|
Posted: Nov 29, 2011 4:30pm Post subject: |
|
|
Funny enough, I've actually tried to fix IRC Defender before.
Simply put, IRC Defender is just really badly written. In some cases it doesn't sanitize the data it sends or receives. The downside to that? It can be used to send commands it shouldn't from the IRCd and hosting server's side. To correct this behaviour would require a complete rewrite and to me IRC Defender just isn't worth that kind of effort. Hell, IRC Defender doesn't do anything that other services cannot do better nor do some of its user checks make any logical sense. Rather use something better like Omega.