View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006456 | unreal | ircd | public | 2024-08-20 22:33 | 2024-08-21 17:24 |
Reporter | anhtribao | Assigned To | syzop | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | no change required | ||
Platform | n/a | OS | n/a | OS Version | n/a |
Product Version | 6.1.7 | ||||
Summary | 0006456: Remote commands with users as argument instead of servers positively answer and don't fail | ||||
Description | Remote commands such as /VERSION <nick> return the result of /VERSION <nick's server>. The command should return a 402 ERR_NOSUCHSERVER as <nick> is not a server. When the target is a user of a u-lined server and the configuration has set::options::hide-ulines enabled, the behaviour may leak information about the hidden server name, version, etc. If the administrator has disabled /LINKS and /MAP (via hideserver or restrict-commands), the behaviour will also permit the querier to partially bypass those directives by giving out the server names. As per RFC2812 (e.g. 3.4.3 Version message), <target> should be a server (consistently with context, nature and description of the command) but the document does not state that <target> shall be a server. Affected commands: VERSION, ADMIN, RULES, STATS, MOTD, ... | ||||
Steps To Reproduce | /VERSION <nick> | ||||
Additional Information | From IRC client (-> sent to server, <- received from server) -> irc2.xxx VERSION AnhTay <- :irc2.xxx 351 AnhTay UnrealIRCd-6.1.7-git. irc2.<cut...> <- :irc2.xxx 005 AnhTay ACCOUNTEXTBAN=account,a AWAYLEN=307 BOT=B ... -> irc2.xxx VERSION NickServ <- :services.xxx 351 AnhTay Anope-2.0.14 services.<cut...> | ||||
Tags | No tags attached. | ||||
3rd party modules | |||||
|
All the IRCds where I tested `/QUOTE VERSION <nick>` replied with the version of the server the nickname is connected to. The IRCds where I've tested the command:

- UnrealIRCd
- InspIRCd
- Bahamut
- Solanum
- Hybrid
- Plexus
- Ergo

So, apparently all of those IRCds convert `/QUOTE VERSION <nick>` to `/QUOTE VERSION <nick's server>`. In this case, UnrealIRCd has no power since you're directly asking the target for its info. A feature request for hiding services servername hostname on Anope was already opened. |
|
The ircd (ircnet) behaves as the others you cited. InspIRCd responds with the 402 if <target> is not a server. E.g. on ChatSpike [sic]

-> *.chatspike.net VERSION bender.chatspike.net
<- :*.chatspike.net 351 AnhTay InspIRCd-3. *.chatspike.net :
-> *.chatspike.net VERSION PeGaSuS
<- :*.chatspike.net 402 AnhTay PeGaSuS :No such server

Additional tests on more "historic" ircds: ircu and snircd

(server I am on)
-> atw.hu.quakenet.org VERSION atw.hu.quakenet.org
<- :atw.hu.quakenet.org 351 AnhTay u2.10.12.10+snircd(1.3.4a). atw.hu.quakenet.org :B96AMU6
(another server)
-> atw.hu.quakenet.org VERSION adrift.sg.quakenet.org
<- :atw.hu.quakenet.org 481 AnhTay :Permission Denied: Insufficient privileges
-> atw.hu.quakenet.org VERSION AnhTay (also with any other existent or non-existent nicks)
<- :atw.hu.quakenet.org 481 AnhTay :Permission Denied: Insufficient privileges

The behaviour described is clearly common and also might have been there for a very long time because it is present on ircd and hybrid. The behaviour on ircu tends to suggest that it was patched. Apparently not a bug, but I find the behaviour inconsistent and don't understand why it has been made to act like this in the first place (VERSION is a command described to get the version of a server, so why does the command accept a nick as an argument and then look up its server instead of just replying the-thing-you-provided-is-not-found-as-a-server). |
|
Thanks pegasus, also for jumping in and testing :)

First things first. At UnrealIRCd we don't think hiding servers improves security much so we make no attempt to hide them in WHOIS or WHO. An exception is hide-ulines but that is not for security, that's more for like.. not pretending there is some real server linked.

If you want to protect a server from DDoS by not exposing the name, or not exposing the IP actually, then have a look at https://www.unrealircd.org/docs/Security#Hidden_hub

As for why nick "xyz" resolved to "server of xyz", yeah that's a very long tradition. Clients use it all the time. The most common example is "WHOIS Nick Nick", even though RFC1459 documents the WHOIS parameters as "[<server>] <nickmask>". Some clients even do "WHOIS Nick Nick" instead of "WHOIS Nick" by default for a whois because such a double whois reveals more user details, such as idle time.

I think this can be closed :) |
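
Added example (not part of the original issue and not UnrealIRCd code): a Python check an operator can run over a captured client transcript to see how each remote query was handled (351 answered, 402 rejected, 481 denied) and which nick-targeted queries were answered by a server the client never named. The transcript lines are the exchanges quoted in this issue; the `->`/`<-` line layout, the name `audit` and the "no dot means nick" heuristic are assumptions.

```python
# Transcript lines copied from the exchanges quoted in this issue.
# Assumed layout: "-> <connected server> <command> <target>" for sent lines,
# "<- :<prefix> <numeric> <nick> <params...>" for received lines.
TRANSCRIPT = """\
-> irc2.xxx VERSION AnhTay
<- :irc2.xxx 351 AnhTay UnrealIRCd-6.1.7-git. irc2.<cut...>
<- :irc2.xxx 005 AnhTay ACCOUNTEXTBAN=account,a AWAYLEN=307 BOT=B ...
-> irc2.xxx VERSION NickServ
<- :services.xxx 351 AnhTay Anope-2.0.14 services.<cut...>
-> *.chatspike.net VERSION bender.chatspike.net
<- :*.chatspike.net 351 AnhTay InspIRCd-3. *.chatspike.net :
-> *.chatspike.net VERSION PeGaSuS
<- :*.chatspike.net 402 AnhTay PeGaSuS :No such server
-> atw.hu.quakenet.org VERSION AnhTay
<- :atw.hu.quakenet.org 481 AnhTay :Permission Denied: Insufficient privileges
"""

# 351 RPL_VERSION, 402 ERR_NOSUCHSERVER, 481 ERR_NOPRIVILEGES
OUTCOMES = {"351": "answered", "402": "no-such-server", "481": "denied"}


def audit(transcript):
    """Pair each sent query with its first 351/402/481 reply and classify it."""
    results, pending = [], None
    for line in transcript.splitlines():
        direction, _, rest = line.partition(" ")
        words = rest.split()
        if direction == "->" and len(words) >= 3:
            pending = {"connected": words[0], "command": words[1],
                       "target": words[2]}
        elif (direction == "<-" and pending and len(words) >= 2
              and words[1] in OUTCOMES):
            source = words[0].lstrip(":")
            # Heuristic (assumption): nicknames cannot contain '.', server names do.
            is_nick = "." not in pending["target"]
            results.append({
                **pending,
                "outcome": OUTCOMES[words[1]],
                "source": source,
                # A nick target answered by a server the client never named
                # hands that server's name and version to the querier.
                "reveals_server": (is_nick and words[1] == "351"
                                   and source != pending["connected"]),
            })
            pending = None  # ignore follow-up numerics such as 005
    return results
```

On the sample, only the `VERSION NickServ` query is flagged: its 351 reply comes from `services.xxx`, a name the client did not supply.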
Date Modified | Username | Field | Change |
---|---|---|---|
2024-08-20 22:33 | anhtribao | New Issue | |
2024-08-21 12:09 | PeGaSuS | Note Added: 0023305 | |
2024-08-21 15:27 | anhtribao | Note Added: 0023306 | |
2024-08-21 17:22 | syzop | Assigned To | => syzop |
2024-08-21 17:22 | syzop | Status | new => closed |
2024-08-21 17:22 | syzop | Resolution | open => no change required |
2024-08-21 17:22 | syzop | Note Added: 0023307 | |
2024-08-21 17:24 | syzop | Note Edited: 0023307 | |
2024-08-21 17:24 | syzop | Note Edited: 0023307 |