lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: bartavelle-anti-spam-thingie at banquise.net (bartavelle)
Subject: Unreal ircd 3.2 clocking subsystem vulnerability

Software name:          Unreal ircd
Vulnerable versions:    3.2 and probably previous versions
Problem nature:         Information disclosure

Summary:
Unreal ircd is a popular irc server. One of the features it provides is
called 'ip cloaking'. The purpose of this system is to prevent hostile
irc users from getting the IP address of other users.

In order to prevent ip bruteforcing, it uses three 'keys'. However, the
hashing system is weak.

It is possible to recover the keys of several irc networks by knowing
only one clear text and hashed IP, and another hashed IP.

Details:
The IPv4 hashing scheme is the most vulnerable. Code from cloak.c
follows:

====
/* Do IPv4 cloaking here */
strlcpy(h1, host, sizeof h1);
i = 0;
for (i = 0, p = strtok(h1, "."); p && (i <= 3); p = strtok(NULL, "."), i++)
{
         strncpy(h2[i], p, 4);
}
ircsprintf(h3, "%s.%s", h2[0], h2[1]);
l[0] = ((our_crc32(h3, strlen(h3)) + KEY) ^ KEY2) + KEY3;
ircsprintf(h3, "%s.%s.%s", h2[0], h2[1], h2[2]);
l[1] = ((KEY2 ^ our_crc32(h3, strlen(h3))) + KEY3) ^ KEY;
l[4] = our_crc32(host, strlen(host));
l[2] = ((l[4] + KEY3) ^ KEY) + KEY2;
l[2] &= 0x3FFFFFFF;
l[0] &= 0x7FFFFFFF;
l[1] &= 0xFFFFFFFF;
snprintf(cloaked, sizeof cloaked, "%lX.%lX.%lX.IP", l[2], l[1], l[0]);
free(host);
return cloaked;
====

h2[0], h2[1], h2[2], h2[3] contain the four bytes of the original IP.
l[0], l[1], l[2] contain the hashed IP. Thus:

l[0] = (((crc32("1.2") + key1) ^ key2) + key3) & 0x7FFFFFFF;
l[1] = (((crc32("1.2.3") ^ key2) + key3) ^ key1) & 0xFFFFFFFF;
l[2] = (((crc32("1.2.3.4") + key3) ^ key1) + key2) & 0x3FFFFFFF;

crc32(xxx) and l[x] are is known. The three keys are used in such a way
that the n-th bit of any key does not affect bits bellow n in the hash.

We have successfully writen a program that bruteforces one bit at a
time. It takes less than one second to do that on a pentium4 1.8ghz.

Doing this on a known IP produces around 2000 possible key
combinations. It is then trivial to test them all in order to find the
working ones.

Solution:
Update to version 3.2.1

Up to date information:
http://www.bandecon.com/?action=advisory&adv=unreal

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ