Bugtraq mailing list archives
DCC HiJacking patch for BitchX 75p1
From: nailtbt () TIN IT (Alessio Orlandi)
Date: Sun, 18 Oct 1998 19:50:48 +0200
Hi all,
as recently discovered, with a simple port scan you can hijack some of
the BitchX DCC connections. This is due to the port assignment on the
requesting client. Here follows a really short patch that will fix the
problem. The problem is here:
When BitchX creates a DCC connection (listening socket), it uses the
function connect_by_number (defined in the network.c file), passing 0 as
the port. This means that the OS will determine the port. Now.. for
mental order.. the ports will be quite consecutive. Bad.. Bad... So..
let's add a random value to the port returned by the system. All is now
fixed.
Patch follows
-----------------------------------------------------------------------------------------
Regards
Alessio
"NaiL^d0d@ircnet/ircity" Orlandi
Thanks to: hackers@ircity Litos (you're one of my best friends), Nervous,
awgn (hehe), Lordfelix (salam), Raptor, BlackJam, kasko, antirez
and hackers.it@ircnet Soren, NaiF, Bonjo
----------------------------------------------------------------------------------------
--- source/network.c
+++ source/network.c 1998/7/20 08:56:44
@@ -21,7 +21,9 @@
#ifdef HAVE_SYS_FILIO_H
#include <sys/filio.h>
#endif
+/* NaiL^d0d: no hijack please, we need random bytes, in stdlib.h */
+#include <stdlib.h>
extern char hostname[NAME_LEN+1];
extern int use_socks;
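Review bot: The comment on the new include says "we need random bytes", but rand() from stdlib.h is a deterministic generator and nothing in the visible lines calls srand(), so unless the client seeds it elsewhere every run produces the same sequence of offsets. Either seed it and document where, or read the value from a kernel source such as /dev/urandom where the platform has one, and reword the comment to name the function actually used.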
@@ -172,6 +172,7 @@
memset(&name, 0, sizeof(struct sockaddr_in));
name.sin_family = AF_INET;
name.sin_addr.s_addr = htonl(INADDR_ANY);
name.sin_port = htons(*portnum);
+name.sin_port+=(unsigned short)(rand() &255);
if (bind(fd, (struct sockaddr *)&name, sizeof(name)))
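Review bot: The added line `name.sin_port+=(unsigned short)(rand() &255);` does arithmetic on a value that htons() has already put in network byte order, so on a little-endian host the offset lands in the high byte of the port instead of the low one; add the offset to the host-order port and convert once with htons(). Second, the accompanying message says DCC passes 0 here, and bind() has not run yet at this point, so there is no system-assigned port to offset: the socket asks for a fixed port derived only from the offset (0 to 255 on big-endian hosts, a multiple of 256 on little-endian ones), which can fall in the privileged range or on a port already in use, and there is no retry when bind() then fails. Third, eight bits gives only 256 candidates. Choosing the whole port at random from the unprivileged range and retrying on EADDRINUSE would address all three points.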

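One way to get the effect the message above is after, as an added example that is not part of the original post or of BitchX: choose the whole listening port at random in host byte order, convert once with htons(), and retry when the port is taken. The function names, the 1024-65535 range, the 64-try limit and the use of /dev/urandom are assumptions of this example.

```c
/* Added example, not BitchX code. random_port(), bind_random_port() and
 * PORT_LO/PORT_HI are hypothetical names chosen for this illustration. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define PORT_LO 1024u   /* assumption: stay above the privileged range */
#define PORT_HI 65535u

/* Draw a port uniformly from [PORT_LO, PORT_HI] using the kernel RNG. */
static int random_port(unsigned short *out)
{
    unsigned int r, span = PORT_HI - PORT_LO + 1;
    unsigned int limit = (0xFFFFFFFFu / span) * span; /* rejection bound */
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    do {
        if (fread(&r, sizeof r, 1, f) != 1) { fclose(f); return -1; }
    } while (r >= limit);                   /* reject to avoid modulo bias */
    fclose(f);
    *out = (unsigned short)(PORT_LO + r % span);
    return 0;
}

/* Returns a listening fd and stores the chosen port (host order), or -1. */
int bind_random_port(unsigned short *port_out)
{
    struct sockaddr_in name;
    int tries, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    for (tries = 0; tries < 64; tries++) {
        unsigned short p;
        if (random_port(&p) < 0) break;
        memset(&name, 0, sizeof name);
        name.sin_family = AF_INET;
        name.sin_addr.s_addr = htonl(INADDR_ANY);
        name.sin_port = htons(p);           /* arithmetic done before htons() */
        if (bind(fd, (struct sockaddr *)&name, sizeof name) == 0) {
            if (listen(fd, 1) != 0) break;
            *port_out = p;
            return fd;
        }
        if (errno != EADDRINUSE) break;     /* retry only when the port is taken */
    }
    close(fd);
    return -1;
}
```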