IRC Defender exploited

 
Trixar_za
Eleet


Joined: 10 Dec 2006
Posts: 627
Location: South Africa

Posted: Nov 27, 2011 2:23am    Post subject: IRC Defender exploited

Thunderhacker recently revealed on the IRC-Security mailing list that IRC Defender has an exploit and advises everybody to stop using it NOW. For those that don't know, here's the original email:
Code:
From: Thunderhacker <irc-security@***censored***.com>
To: IRC Security Discussion List <irc-security@lists.irc-unity.org>
Subject: [irc-security] 0-day arbitrary code execution exploit in IRC Defender
Date: Sat, 26 Nov 2011 12:43:10 -0600
Reply-To: IRC Security Discussion List <irc-security@lists.irc-unity.org>
Sender: irc-security-bounces@lists.irc-unity.org
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US;
 rv:1.9.2.23) Gecko/20110921 Thunderbird/3.1.15

Before you read any farther, if you have defender running on your network shut
it down.  Go do it now.  Not tomorrow, not later, RIGHT NOW.

While you're in your shell check for anything that would indicate a recent
intrusion (show a process list and check for rogue processes; check modification
times for files/directories and look at the files in any directory with a
modification time on or after November 15; check your
~/.ssh/authorized_keys file for rogue entries.  If you don't use SSH client keys
to log in to your shell this file should be empty.)

There currently exists multiple arbitrary code execution exploits in IRC
Defender.  There is a confirmed in the wild exploit for one of the holes in the
InspIRCd 1.2 link module.  There are reports of other possible exploits in the
InspIRCd 1.2 link module and exploits in the UnrealIRCd link module.

I have attached to this post a fixed copy of the InspIRCd link module.  Note
that this patches the bugs related to the InspIRCd link module but not those
related to the UnrealIRCd link module.  Defender attached to UnrealIRCd is still
vulnerable.

A far better solution is to simply stop using IRC Defender.  It is currently
unmaintained (AFAIK) and there are very few things (if any) it can do that
InspIRCd + Atheme services can't do.  (If anyone is currently maintaining it
please post that fact to the list.  I probably have a more updated copy of the
code than what you forked.)

Anyone saying there is an exploit in Anope is lying.  The exploit is in IRC
Defender.
______________________________________________
irc-security mailing list
irc-security@lists.irc-unity.org
http://lists.irc-unity.org/mailman/listinfo/irc-security

For those that don't know this: Thunderhacker is the last known Maintainer of IRC Defender (because a Jimmy on the mailing list didn't).

Anyway, now you all know Wink

[censored the original sender's email address, don't think they'd appreciate spam due to some spider coming across these forums and adding it to their own lists Wink -PingBad]
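
The three host checks listed in the quoted advisory (process list, recent modification times, `authorized_keys` entries), as an added example that is not part of the original post or the mailing-list email. The function names, the script arguments and the sample paths are assumptions; the default cutoff is the November 15 date from the email.

```shell
#!/bin/sh
# Added example: read-only triage for the three checks in the advisory.
# Function names and arguments are assumptions, not part of IRC Defender.

# Processes owned by user $1, with elapsed time and full command line.
user_processes() { ps -u "$1" -o pid,etime,args; }

# Paths under directory $1 modified after 00:00 local time on date $2 (YYYY-MM-DD).
modified_since() {
    ref=$(mktemp) || return 1
    # POSIX touch -t takes CCYYMMDDhhmm, so strip the dashes and append 0000.
    touch -t "$(printf '%s' "$2" | sed 's/-//g')0000" "$ref" || { rm -f "$ref"; return 1; }
    find "$1" -newer "$ref" -print 2>/dev/null
    rm -f "$ref"
}

# One line per entry in authorized_keys file $1: line number, key type,
# comment and any leading options (command=, from=, ...). Assumes option
# values do not themselves contain a word starting with a key-type prefix.
list_keys() {
    [ -r "$1" ] || return 0
    awk '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
            if (i > NF) { printf "line %d: unparsed entry\n", NR; next }
            opts = ""; comment = ""
            for (j = 1; j < i; j++) opts = opts (j > 1 ? " " : "") $j
            for (j = i + 2; j <= NF; j++) comment = comment (j > i + 2 ? " " : "") $j
            printf "line %d: type=%s comment=\"%s\" options=\"%s\"\n", NR, $i, comment, opts
        }' "$1"
}

# Usage: sh triage.sh <services-user> <defender-dir> <authorized_keys> [cutoff]
# The default cutoff is the November 15 date given in the advisory.
if [ "$#" -ge 3 ]; then
    cutoff=${4:-2011-11-15}
    echo "== processes owned by $1";  user_processes "$1"
    echo "== modified since $cutoff under $2";  modified_since "$2" "$cutoff"
    echo "== entries in $3";  list_keys "$3"
fi
```

Modification times can be reset by whoever had access, so an empty listing does not clear the host. Per the advisory, an account that does not log in with SSH client keys should produce no entries at all.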
Willaim
Idler


Joined: 27 Jun 2003
Posts: 323
Location: IRC

Posted: Nov 27, 2011 2:57am

Thanks for the info!

Signed up & turned off Defender.
Bertrum
Eleet


Joined: 30 Mar 2008
Posts: 573
Location: Venus

Posted: Nov 28, 2011 6:37am

Trixar are you going to add Defender to your list of IRC software that you want to fix? Razz
phrozen77
Newbie


Joined: 13 Jul 2004
Posts: 99
Location: There!! A 3-headed monkey, right behind you!

Posted: Nov 28, 2011 8:47am

Quote:

So far, at least three networks seem to have been exploited due to this flaw – the highest profile victim so far seems to be the hack of the AnonOps network which also seems to have been possible due to that flaw – contrary to the rumored Anope 0-day.


http://www.irc-junkie.org/2011-11-28/irc-defender-arbitrary-code-execution-exploit/

/plug
Trixar_za
Eleet


Joined: 10 Dec 2006
Posts: 627
Location: South Africa

Posted: Nov 28, 2011 10:55am

phrozen77 wrote:
Quote:

So far, at least three networks seem to have been exploited due to this flaw – the highest profile victim so far seems to be the hack of the AnonOps network which also seems to have been possible due to that flaw – contrary to the rumored Anope 0-day.


http://www.irc-junkie.org/2011-11-28/irc-defender-arbitrary-code-execution-exploit/

/plug
You could add that the original poster was named Thunderhacker and that he was the last known maintainer of IRC Defender. Razz
Bertrum wrote:
Trixar are you going to add Defender to your list of IRC software that you want to fix? Razz
Er... No. Some things are meant to be left broken Razz
PingBad
Post Whore


Joined: 05 Feb 2005
Posts: 3157
Location: New Zealand

Posted: Nov 28, 2011 12:01pm

Trixar_za wrote:
Er... No. Some things are meant to be left broken Razz
I could say a lot to that... Razz
Trixar_za
Eleet


Joined: 10 Dec 2006
Posts: 627
Location: South Africa

Posted: Nov 29, 2011 4:30pm

Funny enough, I've actually tried to fix IRC Defender before.

Simply put, IRC Defender is just really badly written. In some cases it doesn't sanitize the data it sends or receives. The downside to that? It can be used to send commands it shouldn't from the IRCd and hosting server's side. To correct this behaviour would require a complete rewrite and to me IRC Defender just isn't worth that kind of effort. Hell, IRC Defender doesn't do anything that other services cannot do better nor do some of its user checks make any logical sense. Rather use something better like Omega.
All times are GMT - 6 Hours