On Tue, 31 Jul 2001, Darren Reed wrote:

> Now, IF I understand the exploit correctly then there are _serious_
> problems in that proxy's validation of messages. First and foremost
> it is _NOT_ checking to make sure it is a complete PRIVMSG as is found
> within the IRC protocol. If it were then the exploit would be more
> like:
>
> 0x0a:foo PRIVMSG bar :^ADCC params^A0x0d0x0a
>
> And that's ignoring things like it should have seen the client send a
> "NICK" command, maybe "PASS" as well as "USER", etc, and even expect
> back responses FROM the IRC server indicating that the client had been
> able to successfully register BEFORE allowing any DCC proxying.

This does not really give that much. As discussed in our advisory, it is
possible to generate a 'good looking' USER and NICK sequence, and a 'good
looking' IRC server response. Two things here: first of all, most web
browsers ignore the first line sent by the remote host, the banner, and
accept it even if it does not start with a valid FTP protocol numeric
code. Also, response fragmentation (newlines in the middle of TCP
packets, and so on) can be used to make the HTTP client think it sees FTP
messages and the firewall think it sees an IRC conversation. A sample
conversation might look like this:

> ":server 255 user :Hello\r\n331 Username OK"
  (ignored by web browser)

< "USER user +iw user user\r\nNICK user\r\n"
  (as a result of ftp://USER%20user%20...@server:6667/...)

> ":server 255 user :You are welcome\r\n210 Something"
  (the client will usually join this together with the remaining "331
  Username OK" from the previous message; the firewall would probably
  parse it as-is, as an IRC message)

...and so on, and so on. Not to mention using Java applets for this purpose.
Very tight protocol validation makes the attack somewhat more complicated,
but does not solve the question of the sender's intentions =)

-- 
_____________________________________________________
Michal Zalewski [lcamtuf@bos.bindview.com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};: =-=>
Did you know that clones never use mirrors? <=-=
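The two checks the thread turns on, written out as an added example (this is not code from the post, from Darren Reed, or from any proxy or browser discussed here): a browser-side refusal of FTP URLs whose credentials would expand into extra protocol lines, and a proxy-side IRC gate that only frames CRLF-terminated lines, rejects server-style numerics arriving without a prefix or from the client, and permits a CTCP DCC request only after a NICK/USER/001 registration has been observed. All function and class names (`ftp_url_credentials_are_clean`, `DccGate`), the host names and the sample lines are constructed for illustration; the port 6667 and the fragmented reply pattern come from the post. Run against the fragmented exchange quoted above, the gate refuses the joined "331 ... :server 255 ..." line and any DCC attempted before 001. The post's caveat still stands: a hostile server can just as well emit a well-formed registration exchange, so the gate raises the bar without settling who is really typing.

```python
import re
from urllib.parse import urlsplit, unquote


def ftp_url_credentials_are_clean(url: str) -> bool:
    """Client-side check (constructed policy): an FTP URL's user:pass part may
    not contain CR, LF, NUL or space, since the client expands it verbatim
    into USER/PASS lines and any of these would terminate or split a line."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ftp" or "@" not in parts.netloc:
        return True
    userinfo = parts.netloc.rsplit("@", 1)[0]
    decoded = unquote(userinfo)          # %0d%0a and friends decode here
    return not any(ch in decoded for ch in "\r\n\0 ")


# One IRC message: optional ":prefix ", a word or 3-digit numeric, params.
# \Z (not $) so a trailing bare "\n" can never sneak past the match.
IRC_LINE = re.compile(
    rb"^(?::([^ \x00\r\n]+) )?([A-Za-z]+|[0-9]{3})((?: [^\x00\r\n]*)?)\Z")


def split_irc_lines(buf: bytes):
    """Return (complete_lines, remainder). Only CRLF-terminated lines count;
    the tail is held back until more bytes arrive, never parsed as-is."""
    lines = []
    while True:
        i = buf.find(b"\r\n")
        if i < 0:
            return lines, buf
        lines.append(buf[:i])
        buf = buf[i + 2:]


def parse_irc_line(line: bytes):
    """Parse one framed line into (prefix, command, params) or None if malformed."""
    m = IRC_LINE.match(line)
    if m is None:
        return None
    prefix, cmd, rest = m.group(1), m.group(2).upper(), m.group(3).strip(b" ")
    params = []
    while rest:
        if rest.startswith(b":"):        # trailing parameter may contain spaces
            params.append(rest[1:])
            break
        head, _, rest = rest.partition(b" ")
        params.append(head)
        rest = rest.lstrip(b" ")
    return prefix, cmd, params


class DccGate:
    """Proxy-side state for one client/server IRC session (constructed example).
    feed() returns one ("allow"|"deny", reason) verdict per complete line."""

    def __init__(self):
        self.buffers = {"client": b"", "server": b""}
        self.nick = None
        self.user_seen = False
        self.registered = False      # set once the server sends 001 RPL_WELCOME

    def feed(self, direction: str, data: bytes):
        buf = self.buffers[direction] + data
        lines, self.buffers[direction] = split_irc_lines(buf)
        return [self._judge(direction, line) for line in lines]

    def _judge(self, direction: str, line: bytes):
        parsed = parse_irc_line(line)
        if parsed is None:
            return ("deny", "malformed line")
        prefix, cmd, params = parsed
        numeric = cmd.isdigit()
        if direction == "client":
            if numeric or prefix is not None:
                return ("deny", "client sent server-style message")
            if cmd == b"NICK" and params:
                self.nick = params[0]
                return ("allow", "NICK")
            if cmd == b"USER":
                self.user_seen = True
                return ("allow", "USER")
            if (cmd == b"PRIVMSG" and len(params) >= 2
                    and params[1].startswith(b"\x01DCC")):
                if not (self.nick and self.user_seen and self.registered):
                    return ("deny", "DCC before registration completed")
                return ("allow", "DCC after registration")
            return ("allow", cmd.decode())
        # Server direction. Strict choice: a numeric reply must carry the
        # server prefix, which the joined "331 ...:server 255 ..." line lacks.
        if numeric and prefix is None:
            return ("deny", "numeric reply without server prefix")
        if cmd == b"001" and self.nick and self.user_seen:
            self.registered = True
            return ("allow", "RPL_WELCOME")
        return ("allow", cmd.decode())
```

The gate keeps a separate reassembly buffer per direction, which is the detail the fragmented exchange in the post exploits: a firewall that parses whatever bytes a segment happens to carry sees a plausible numeric, while one that waits for CRLF sees the concatenated line and can reject it.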