A few days ago, someone in #kde on the Freenode IRC network found a strange bug, apparently affecting some Netgear and Linksys routers. The message

DCC SEND "string" 0 0 0

causes some Netgear routers to drop the IRC connection. Sounds like the recent feature/bug in Symantec's "firewall". The first site credited with the release of this exploit can be found at: http://weblog.frexx.de/2006/03/03/security-issues/

However, after an investigation by Romiir Labs, we have determined the exploit goes even deeper than the script kiddie exploit of DCC SEND "string" 000. I warned a few networks 17 hours ago about the entire vulnerability and how to block it completely; some listened, some didn't.

Anyway, the solutions for you if you're on one of these networks are to use a port other than 6667 for IRC (such as an SSL port), and then you won't be vulnerable, or to disable the SPI firewall on your unit, as this also makes you invulnerable. If you're an IRCop and want to block the vulnerability, the following command in UnrealIRCd works wonderfully:

/spamfilter + cpnNqat block - Router_Exploit! DCC SEND [^ ]{8,} ([^ ]+ +){2,}.+$

Now on to the juicy details of the exploit...

The exploit affects the 614 and 624 router ranges from Netgear and apparently some Linksys routers too. The side effects range from an IRC disconnect to a complete router crash. There are currently 2 versions of the exploit; in both cases DCC SEND needs to be all capital letters.

Version 1: It seems DCC SEND followed by any 14 or more characters does the trick, so even "DCC SEND kfdsjkfklafjksdkfssjkfsjkl" works.

Version 2: According to the irc-security mailing list and Simon Arlott:

Quote: After more investigation, the trigger is: "DCC SEND text1 text2" at the end of the line, where text1 contains no spaces and is at least 8 bytes, and text2 is at most eight bytes and contains at least 3 spaces.
~ Bringing you the full story - Romiir Labs Staff

Update: Apparently the above block blocks some DCC transfers. To prevent this you can drop the p, which will allow it to be private messaged; this still keeps the exploiting to a minimum, as no one knows who does and does not have Netgear equipment if you blocked this early on. So you get this:

/spamfilter + cnNqat block - Router_Exploit! DCC SEND [^ ]{8,} ([^ ]+ +){2,}.+$

If someone can write some better regex that won't block many DCCs, that would be lovely; you can put it in a comment here, or send it to me via normal methods.
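As an added illustration (not from the original post and not UnrealIRCd's own code), here is the post's spamfilter regex applied in Python to a few constructed message texts, so you can see what it catches and what it lets through. The `0 0 0` trigger quoted at the top matches; an ordinary DCC SEND offer with a filename of eight or more characters also matches, which is the false positive the update mentions; the single-word "Version 1" form does not match at all, because the pattern requires further space-separated fields after the first one. The sample lines are constructed (only the first two are taken from the post), and `\x01` is the CTCP delimiter an IRC client wraps around a real DCC offer.

```python
import re

# The spamfilter regex from the post, used unchanged. UnrealIRCd applies it
# unanchored to the message text, so re.search is the closest equivalent.
ROUTER_EXPLOIT_RE = re.compile(r'DCC SEND [^ ]{8,} ([^ ]+ +){2,}.+$')


def is_blocked(message: str) -> bool:
    """True if the post's spamfilter pattern would block this message text."""
    return ROUTER_EXPLOIT_RE.search(message) is not None


def blocked_subset(messages):
    """Return the messages the filter would block, in input order."""
    return [m for m in messages if is_blocked(m)]


# Constructed sample messages; only the first two are quoted from the post.
SAMPLES = [
    'DCC SEND "string" 0 0 0',                             # trigger from the post: blocked
    'DCC SEND kfdsjkfklafjksdkfssjkfsjkl',                 # "Version 1" form from the post: not blocked
    '\x01DCC SEND holiday.jpg 3232235777 5000 81920\x01',  # ordinary DCC offer, 11-char filename: blocked
    '\x01DCC SEND a.txt 3232235777 5000 81920\x01',        # ordinary DCC offer, 5-char filename: not blocked
]

if __name__ == '__main__':
    for m in SAMPLES:
        print('BLOCK' if is_blocked(m) else 'pass ', repr(m))
```

Run it directly to see the verdict for each sample; the legitimate offer with the long filename is blocked because `[^ ]{8,}` is satisfied by any filename of eight or more characters, after which the IP, port and size fields satisfy the rest of the pattern just as the trigger's short fields do.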