Ubuntu
xchat package

To prevent dcc exploit, default port should be 8001 for irc.ubuntu.com

Bug #191691 reported by Joseph Price
10
Affects Status Importance Assigned to Milestone
xchat (Ubuntu)
Fix Released
Medium
Unassigned
xchat-gnome (Ubuntu)
Fix Released
Medium
Martin Pitt

Bug Description

Binary package hint: xchat

#ubuntu is regularly attacked by a well known exploit via ctcp.
Users with vulnerable routers can find their irc connection drop or sometimes affect the router. As well as being disruptive to the user, it disrupts the channel with the join/part messages.

Only connections to irc on port 6667 can be exploited. Freenode allows connections on several other ports and we usually suggest irc.ubuntu.com/8001

https://help.ubuntu.com/community/FixDCCExploit is the page we currently show to affected users.

The settings for the default connection when xchat is started up should be changed to irc.ubuntu.com/8001

See original description
Joseph Price (pricechild)
description: updated
description: updated
Revision history for this message
Andrea Colangelo (warp10) wrote :

I can confirm this bug, and I'm working on a patch.
Probably we can assume this is true for freenode too, that by default is reached via port 6667.

Changed in xchat-gnome:
assignee: nobody → warp10
importance: Undecided → Low
status: New → In Progress
Changed in xchat:
assignee: nobody → warp10
importance: Undecided → Low
status: New → In Progress
Andrea Colangelo (warp10)
Changed in xchat:
importance: Low → Medium
Changed in xchat-gnome:
importance: Low → Medium
Revision history for this message
DarkMageZ (darkmagez) wrote :

isn't this just security by obscurity? what will happen once hardy is released with the port changed, they will just add port 8001 to the attack.
People with vulnerable routers either need to kick their vendors ass or buy a new router. imho.

Revision history for this message
Andrea Colangelo (warp10) wrote :

Attached debdiffs fix this bug and #146434 too for both xchat and xchat-gnome. Built, installed and run in a clean Hardy Virtual Machine.

Revision history for this message
Andrea Colangelo (warp10) wrote :
Changed in xchat:
assignee: warp10 → nobody
status: In Progress → Confirmed
Changed in xchat-gnome:
assignee: warp10 → nobody
status: In Progress → Confirmed
Revision history for this message
Joseph Price (pricechild) wrote :

To DarkMageZ,

The vulnerability is not in Ubuntu, but in the router a user uses. As far as I understand it, the router believes that the information being passed through it is an instruction for it, and so attempts to interpret it. Failing, it dies and closes the connection.

The vulnerability does not exist on any port other than 6667, and so your worry about attackers doing this on 8001 is impossible.

Yes, the "real" solution is for the router manufacturers to fix their firmware, and for users to download and install this firmware. However this hasn't happened in the past couple of years, and so probably won't be happening any time soon. As explained in the original post, it would be beneficial to both end users, and the support community in #ubuntu (and other channels) if this is not an issue otb, and users don't have to go through the hassle of #ubuntu-read-topic.

Revision history for this message
Siegfried Gevatter (rainct) wrote :

On bug #146434 you say that some of the addresses that you list can't be used by everyone (gov/edu only an such). Wouldn't it be better to only list "irc.oz.org", which can be used by anyone?

Revision history for this message
Andrea Colangelo (warp10) wrote :

RainCT, I copied the whole serverlist since both xchat and xchat-gnome use the first server by default, but advanced users may find useful to find all other servers listed there. Anyway, if you think this would be unappropriate, fixing that is pretty easy.

Revision history for this message
Siegfried Gevatter (rainct) wrote :

Oh, okay. I'll upload it then.

Siegfried Gevatter (rainct)
Changed in xchat:
status: Confirmed → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xchat - 2.8.4-0ubuntu6

---------------
xchat (2.8.4-0ubuntu6) hardy; urgency=low

  * debian/patches/01_serverlist.dpatch:
    - modify default port for irc.ubuntu.com and irc.freenode.com to 8001 to
      prevent dcc exploit (LP: #191691).
    - fix Oz.net servers list wrongly referring to OzNet (LP: #146434).

 -- Andrea Colangelo <email address hidden> Thu, 14 Feb 2008 11:55:19 +0100

Changed in xchat:
status: Fix Committed → Fix Released
Revision history for this message
Martin Pitt (pitti) wrote :

Sponsoring.

Changed in xchat-gnome:
status: Confirmed → Fix Committed
assignee: nobody → pitti
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xchat-gnome - 1:0.18-2ubuntu2

---------------
xchat-gnome (1:0.18-2ubuntu2) hardy; urgency=low

  * debian/patches/03_serverlist.patch added:
    - modify default port for irc.freenode.com to 8001 to prevent dcc exploit.
    - fix Oz.net servers list wrongly referring to OzNet (LP: #146434).
  * debian/patches/04_autojoin_ubuntu_chan.patch:
    - modify default port for irc.ubuntu.com to 8001 to prevent dcc exploit
      (LP: #191691).

 -- Andrea Colangelo <email address hidden> Thu, 14 Feb 2008 12:43:28 +0100

Changed in xchat-gnome:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.