A short while ago a new vulnerability became public, affecting mainly Netgear routers; however, I have seen recent Linksys routers with the same issue as well, so it is probably not limited to a small number of products... I have seen it in action and it affected 10% of the users in that channel, so I suggest adding a spamfilter for this, as I expect that, like with the Norton firewall trigger, some people will start spamming this on IRC as well...
That still doesn't completely block the exploit though; the problem is I don't know what can be changed in it. I've seen people use ? instead of "... so I guess it's too early to make a watertight filter for this one.
According to the irc-security mailing list and Simon Arlott:
After more investigation, the trigger is: "DCC SEND text1 text2" at the end of the line, where text1 contains no spaces and is at least 8 bytes, and text2 is at most eight bytes and contains at least 3 spaces.
Acceptable. I didn't implement the eight-byte limit on the last section, not realizing it was so significant, and since regex has no easy way to do such a thing.
Why the hell can't my signature be empty?
"Your message contains too few characters."
Ok, so it's not just DCC communications that make this exploit work; it is ANY time that the proper sequence of characters passes through the &$#@! thing...

viz:

On my network I had this guy who was joining and dropping... over and over. He was away from his computer at the time, so I just put a temp ban in place with the reason: fix your client.

So when he returns he joins on another computer and is all upset about being banned. I remove the ban, and it happens again; he tries 3 different clients (BitchX, xchat, ircII) and only ircII can stay connected to the server. I don't really have time to help him, so I suggest he stay with ircII until he can figure out what is going on.

Two days pass, and he can't keep a client on the server except for ircII. Finally I say "You ever use tcpdump? I wanna see what's going on."

The first thing I notice is that xchat does a /who #channel and he stops on one particular nickname. I ask him to do it in ircII to see if that can duplicate it. Anyway, long story short, there is some idiot in the channel with the realname: AC-DCC SEND UP-CELEBRITIES

My next question is "Do you have a Netgear router?"
"Yes."
"Disable the SPI firewall please."

End of problem. Naturally, another ban was put in place.
As a long-term solution for that, you could add the user target to the spamfilters given here (just add a 'u' to the cpnNqat stuff). You should probably do the same if you spamfilter the Norton exploit.
Also, here's a regex I used for this particular one:
DCC SEND [^ ]{8,} (.. .. .|.. . ..|. .. ..)$
This won't necessarily catch everything still, like if someone sticks two spaces in a row. (I'm assuming the 3 spaces mentioned in the post earlier count against the "at most 8 bytes".)
(Then again, maybe it will: . will match space too! :P)
For some reason we don't get the correct string to detect the exploit.
All these work:
DCC SEND 123456789012345
DCC SEND "123456789012345"
DCC SEND "123456789012345" 1 2 3
There might be more.
The part after "DCC SEND" must be at least 4 digits long and can go up to 255 chars.
So what would be the exact regex string to detect and act on those?
The last we tried was:
spamfilter {
	regex "DCC SEND .[a-z,A-Z]{4,255}.[0-9].[0-9].[0-9]";
	target { private; channel; private-notice; channel-notice; part; quit; away; topic; };
	reason "bye you fukn <censored> DCC sploit fag... [glined by order of C4m] OH RLY?!?!? YA RLY!!! OH RLY?!?!? YA RLY!!! OH RLY?!?!? YA RLY!!! OH RLY?!?!? YA RLY!!! OH RLY?!?!? YA RLY!!! [mIRC exploit attempt]";
	action gline;
};
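As an added example (not code from any post in this thread), the following Python script implements the trigger rule quoted from Simon Arlott above, "DCC SEND text1 text2" at the end of the line with text1 at least 8 bytes and space-free and text2 at most 8 bytes with at least 3 spaces, in two forms: a split-and-count check that needs no regex tricks, and a single regex that uses a lookahead to express the eight-byte cap that the earlier post said regex cannot easily do. It also runs the regex posted earlier in the thread over the same constructed lines for comparison. The IRC lines and the nick/host prefixes are made up for the demo; whether your IRCd's spamfilter engine accepts lookahead is not established by this thread, and the three strings the last poster reports as working do not match the quoted rule, so treat the rule as a floor rather than a complete filter.

```python
"""Detect the 'DCC SEND' router-drop trigger discussed in the thread.

Rule implemented (quoted in the thread from Simon Arlott): the line ends in
"DCC SEND text1 text2", text1 has no spaces and is at least 8 bytes, text2 is
at most 8 bytes and contains at least 3 spaces. All sample lines below are
constructed for this demo, not captured traffic.
"""
import re

# Split form of the rule. text1 is forced to stop at the first space, so the
# second group is the whole remainder of the line; its length is capped here
# and its space count is checked in Python.
_SPLIT = re.compile(rb"DCC SEND ([^ ]{8,}) ([^\r\n]{0,8})$")

# Single-regex form of the same rule for engines with lookahead (Python re,
# PCRE): the lookahead caps text2 at 8 bytes, the rest demands 3+ spaces.
TRIGGER_RE = re.compile(rb"DCC SEND [^ ]{8,} (?=[^\r\n]{0,8}$)[^ ]*(?: [^ ]*){3,}$")

# The regex posted earlier in the thread, kept only for comparison.
THREAD_RE = re.compile(rb"DCC SEND [^ ]{8,} (.. .. .|.. . ..|. .. ..)$")


def is_trigger(line: bytes) -> bool:
    """True when the line matches the quoted rule (procedural check)."""
    m = _SPLIT.search(line.rstrip(b"\r\n"))
    return m is not None and m.group(2).count(b" ") >= 3


def is_trigger_regex(line: bytes) -> bool:
    """Same rule as is_trigger, expressed as one lookahead regex."""
    return TRIGGER_RE.search(line.rstrip(b"\r\n")) is not None


def thread_regex_hits(line: bytes) -> bool:
    """Result of the thread's posted regex on the line, for comparison."""
    return THREAD_RE.search(line.rstrip(b"\r\n")) is not None


# Constructed sample traffic: (line, expected result under the quoted rule).
SAMPLES = [
    (b":a!u@h PRIVMSG #c :DCC SEND abcdefgh a b c d\r\n", True),       # canonical case
    (b":a!u@h PRIVMSG #c :DCC SEND abcdefgh x  y  z", True),           # doubled spaces
    (b":a!u@h PRIVMSG #c :DCC SEND abcdefg a b c d", False),           # text1 only 7 bytes
    (b":a!u@h PRIVMSG #c :DCC SEND abcdefgh a b c d e", False),        # text2 is 9 bytes
    (b":a!u@h PRIVMSG #c :DCC SEND abcdefgh a b c", False),            # only 2 spaces
    (b":a!u@h PRIVMSG #c :DCC SEND abcdefgh a b c d tail", False),     # pattern must end the line
    (b":a!u@h PRIVMSG #c :DCC SEND \"123456789012345\" 1 2 3", False),  # string from the last post
]


def check_samples() -> list:
    """Evaluate every sample with all three checks; returns rows for inspection."""
    return [(line, is_trigger(line), is_trigger_regex(line), thread_regex_hits(line))
            for line, _ in SAMPLES]


def all_samples_consistent() -> bool:
    """Both forms of the quoted rule agree with the expected column on every sample."""
    return all(is_trigger(line) == exp and is_trigger_regex(line) == exp
               for line, exp in SAMPLES)


if __name__ == "__main__":
    for line, exact, regex, thread in check_samples():
        print(f"rule={exact!s:5} lookahead={regex!s:5} thread_re={thread!s:5}  {line.rstrip()!r}")
```

Running it shows the two forms of the quoted rule always agree, while the thread's own regex misses the plain "a b c d" case (its alternations fix the space positions) yet does catch the doubled-space "x  y  z" variant that the poster wondered about. The last sample, one of the strings the final poster reports as effective, matches neither, which is consistent with that poster's complaint that the quoted rule does not give them a working filter.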