Router exploit

These are old archives. They are kept for historic purposes only.
Anaconda_

Router exploit

Post by Anaconda_ »

A short while ago a new vulnerability became public, affecting mainly Netgear routers; however, I have seen recent Linksys routers with the same issue as well, so it is probably not limited to a small number of products... I have seen it in action and it affected 10% of the users in that channel, so I suggest adding a spamfilter for this, as I expect that, like with the Norton firewall trigger, some people will start spamming this on IRC as well...

link to the exploit

This filter should work, I think...


spamfilter {
   regex "DCC SEND \"*\" 0 0 0";
   target { private; channel; private-notice; channel-notice; part; quit; dcc; away; topic; };
   reason "I attempted to exploit a router vulnerability";
   action kill;
}; 
Viper
Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason »

I assume your regex was supposed to be:

DCC SEND ".*" 0 0 0

Note the .

This is Regular Expressions, not Glob matching
Why the hell can't my signature be empty?
"Your message contains too few characters."
Anaconda_

Post by Anaconda_ »

Sorry for that...

That still doesn't completely block the exploit though; the problem is I don't know what can be changed in it. I've seen people use ? instead of "... so I guess it's too early to make a watertight filter for this one :(
Guest

Post by Guest »

According to the irc-security mailing list and Simon Arlott:
After more investigation, the trigger is: "DCC SEND text1 text2" at the end of the line, where text1 contains no spaces and is at least 8 bytes, and text2 is at most eight bytes and contains at least 3 spaces.
ARcanUSNUMquam @ irc.allxtremenet.net
Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason »

Thanks, Guest!

A much closer expression, then, is this:

/spamfilter + cp kill - Router_Exploit! ^\x01DCC SEND [^ ]{8,} ([^ ]+ +){2,}.+\x01?$
Ankara23
Posts: 19
Joined: Fri Feb 11, 2005 6:58 pm
Location: irc.taphouse.org

Post by Ankara23 »

Um, wouldn't this be even better?

spamfilter + cpnNqat kill - Router_Exploit! DCC SEND [^ ]{8,} ([^ ]+ +){2,}.+$

I don't understand why we are using \x01 here; also, the first ^ is not necessary, is it? I also added more than just channel/private.
Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason »

Does the exploit work on non-DCC-related communications?

If No, my filter is fine.

If Yes, yours is better.
ARcanUSNUMquam
Posts: 17
Joined: Fri Apr 01, 2005 1:31 am

Post by ARcanUSNUMquam »

Jason: Your spamfilter is too restrictive (expansive? however you take it).

For example, it caught the following legitimate DCCs (filenames/IPs/nicks removed) (x is a letter, # is a number):


[17:20] -IRC.Chavicol.net- [Spamfilter] xxxxxxx!xxxxxxx@##.##.##.### matches filter '^\x01DCC SEND [^ ]{8,} ([^ ]+ +){2,}.+\x01?$': [PRIVMSG Xxxxxxxxxxxx: 'DCC SEND Xxxxxx_Of_Xxxxx_-_Xxxxxxxx_Earth.mpeg 1128022251 1024 51462656'] [Router Exploit!]

* [Spamfilter] xxxxxx!xx@ip##-###-##-###.xx.xx.xxx.net matches filter '^\x01DCC SEND [^ ]{8,} ([^ ]+ +){2,}.+\x01?$': [PRIVMSG Xxxxx#x: 'DCC SEND Xxxx_Xxxx_-_Xxxxxxxxxxx.rar 1186554088 32770 885274987'] [Router Exploit!]

[23:44] -IRC.Chavicol.net- [Spamfilter] ]{!xxxxxxxx@x###-###-###-###.xxxxxx.xxxxx.net matches filter '^\x01DCC SEND [^ ]{8,} ([^ ]+ +){2,}.+\x01?$': [PRIVMSG xxxxxx: 'DCC SEND xxxx#.wav 3346957198 1024 3480898'] [Router Exploit!]
Last edited by ARcanUSNUMquam on Tue Mar 07, 2006 2:07 am, edited 1 time in total.
ARcanUSNUMquam
Net Admin @ irc.allxtremenet.net
http://TwoAMProductions.net
Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason »

Acceptable. I didn't implement the eight-byte limit on the last section, not realizing it was so significant, and since regex has no easy way to do such a thing.
Ankara23
Posts: 19
Joined: Fri Feb 11, 2005 6:58 pm
Location: irc.taphouse.org

more router suckage

Post by Ankara23 »

Ok, so it's not just DCC communications that make this exploit work;
it is ANY time that the proper sequence of characters passes
through the &$#@! thing...
viz.:
On my network I had this guy who was joining and dropping... over and over.
He was away from his computer at the time, so I just put a temp ban in place
with the reason: fix your client.

So when he returns he joins on another computer and is all upset about
being banned. I remove the ban, and it happens again; he tries 3 different
clients (BitchX, XChat, ircII) and only ircII can stay connected to the server.
I don't really have time to help him, so I suggest he stay with ircII until
he can figure out what is going on.

Two days pass, and he can't keep a client on the server except for ircII.
Finally I say, "You ever use tcpdump? I wanna see what's going on."
The first thing I notice is that XChat does a /who #channel
and he stops on one particular nickname. I ask him to do it in ircII to see if
that can duplicate it. Anyway, long story short, there is some idiot in the channel
with the realname: AC-DCC SEND UP-CELEBRITIES

My next question is "Do you have a netgear router?"
"Yes."
"Disable the SPI firewall please."
End of problem.
Naturally another ban was put in place.
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

As a long term solution for that, you could add the user target to the spamfilters given here (just add a 'u' to the cpnNqat stuff). You should probably do the same if you spamfilter the norton exploit.

Also, here's a regex I used for this particular one:

DCC SEND [^ ]{8,} (.. .. .|.. . ..|. .. ..)$

This won't necessarily catch everything still, like if someone sticks two spaces in a row. (I'm assuming the 3 spaces mentioned in the post earlier count against the "at most 8 bytes".)

(Then again - maybe it will - . will match space too! :P)

(Of course - with targets = everything.)
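As an added example (not code from the thread), here are the three candidate expressions posted above (Jason's, Ankara23's and aquanight's) run against constructed sample lines: ordinary file offers shaped like the transfers ARcanUSNUMquam's log shows being caught, and lines shaped like the trigger Simon Arlott described. Checking a rule this way before attaching kill or gline to it is the point; the sample strings and the helper names are assumptions of this example.

```python
import re

# Candidate spamfilter regexes as posted in the thread.
CANDIDATES = {
    # Jason's: requires the leading CTCP \x01, closing \x01 optional.
    "jason": r"^\x01DCC SEND [^ ]{8,} ([^ ]+ +){2,}.+\x01?$",
    # Ankara23's variant: same core, no anchor and no \x01.
    "ankara23": r"DCC SEND [^ ]{8,} ([^ ]+ +){2,}.+$",
    # aquanight's: text2 must be exactly 7 chars with two inner spaces.
    "aquanight": r"DCC SEND [^ ]{8,} (.. .. .|.. . ..|. .. ..)$",
}

# Constructed legitimate offers: "filename ip port size", as a client sends
# them. Shaped after the log lines ARcanUSNUMquam posted (values invented).
LEGIT_DCC = [
    "\x01DCC SEND Some_Movie_-_Earth.mpeg 1128022251 1024 51462656",
    "\x01DCC SEND Some_Album_-_Disc.rar 1186554088 32770 885274987",
    "\x01DCC SEND clip1.wav 3346957198 1024 3480898",
]

# Constructed to fit the quoted description: text1 with no spaces and at
# least 8 bytes, then text2 of at most 8 bytes holding at least 3 spaces
# (the second line counts the separating space, as aquanight assumed).
TRIGGER_SHAPED = [
    "\x01DCC SEND AAAAAAAAAA a b c d",
    "\x01DCC SEND AAAAAAAAAA ab cd e",
]


def evaluate(regex: str):
    """Return (false_positives, misses) for one candidate regex."""
    pat = re.compile(regex)
    false_positives = [line for line in LEGIT_DCC if pat.search(line)]
    misses = [line for line in TRIGGER_SHAPED if not pat.search(line)]
    return false_positives, misses


def report():
    """Evaluate every candidate; maps name -> (false_positives, misses)."""
    return {name: evaluate(rx) for name, rx in CANDIDATES.items()}


if __name__ == "__main__":
    for name, (fps, misses) in report().items():
        print(f"{name}: {len(fps)} legitimate DCCs blocked, "
              f"{len(misses)} trigger-shaped lines missed")
```

Jason's and Ankara23's expressions block all three ordinary transfers (the false positives the log showed), while aquanight's blocks none of them but misses the first trigger-shaped line, which is the trade-off the thread is arguing about.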
C4m

This should fully work...

Post by C4m »

spamfilter {
regex "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}";
target { private; channel; private-notice; channel-notice; part; quit; dcc; away; topic; };
reason "bye you fukn <censored> DCC sploit fag... [gline by order of C4m] OH RLY?!?!? YA RLY!!! OH RLY?!?!? YA RLY!!! OH RLY?!?!? YA RLY!!! OH RLY?!?!? YA RLY!!! OH RLY?!?!? YA RLY!!! [mIRC exploit attempt]";
action gline;
};

spamfilter {
regex "\x01DCC (SEND|RESUME).{225}";
target { private; channel; private-notice; channel-notice; part; quit; dcc; away; topic; };
reason "bye you fukn <censored> DCC sploit fag... [gline by order of C4m] OH RLY?!?!? YA RLY!!! OH RLY?!?!? YA RLY!!! OH RLY?!?!? YA RLY!!! OH RLY?!?!? YA RLY!!! OH RLY?!?!? YA RLY!!! [mIRC exploit attempt]";
action gline;
};

spamfilter {
regex "DCC SEND .*";
target { private; channel; private-notice; channel-notice; part; quit; dcc; away; topic; };
reason "bye you fukn <censored> DCC sploit fag... [gline by order of C4m] OH RLY?!?!? YA RLY!!! OH RLY?!?!? YA RLY!!! OH RLY?!?!? YA RLY!!! OH RLY?!?!? YA RLY!!! OH RLY?!?!? YA RLY!!! [mIRC exploit attempt]";
action gline;
};
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

The first two have nothing to do with the router exploit here... (those are DCC exploits of older mIRC versions.)

...and the last one renders both of them redundant (by glining anyone who attempts any kind of DCC :P).
C4m

Hm, yes...

Post by C4m »

We just noticed that today too... =(

For some reason we don't get the correct string done to detect the exploit.

All these work:
DCC SEND 123456789012345
DCC SEND "123456789012345"
DCC SEND "123456789012345" 1 2 3
There might be more.

The part after "DCC SEND" must be at least 4 digits long and can go up to 255 chars,
so what would be the exact regex string to detect and act on those?
The last we tried was:

spamfilter {
regex "DCC SEND .[a-z,A-Z]{4,255}.[0-9].[0-9].[0-9]";
target { private; channel; private-notice; channel-notice; part; quit; away; topic; };
reason "bye you fukn <censored> DCC sploit fag... [glined by order of C4m] OH RLY?!?!? YA RLY!!! OH RLY?!?!? YA RLY!!! OH RLY?!?!? YA RLY!!! OH RLY?!?!? YA RLY!!! OH RLY?!?!? YA RLY!!! [mIRC exploit attempt]";
action gline;
};


Help appreciated!