This is the new home of the egghelp.org community forum.
All data has been migrated (including user logins/passwords) to a new phpBB version.

For more information, see this announcement post. Click the X in the top right-corner of this box to dismiss this message.

security issue with whois

Old posts that have not been replied to for several years.
Locked
d
defessus

security issue with whois

Post by defessus »

Lets say you have a botnet with a few channels, as standard no new user can get access to bot trough dcc or telnet. For each chan you give a few user that access to add users.

Now to the security issue:
A user with "party-line" access for #chan1 can do a whois on a user say me (botnet owner) and whois will report last seen, in this case #chan3. The security issue is that users in #chan1 should not know that #chan3 exists.

Does anyone have a sollution for this, whats still required is:
1, party-line access to add users
2, of course they need access to .whois to check their own users
Top
User avatar
AxS
Halfop
Posts: 46
Joined: Wed Apr 09, 2003 11:57 am

Post by AxS »

Yeah!! I had the same problem using a tcl with bass seen script. Someone typed !seen and the bot said user was last seen in #hiddenchannel

I was shocked to say the least hehehe.... whois will be the same issue. Wonder how to get around that.... hope there is a solution!
Top
User avatar
caesar
Mint Rubber
Posts: 3778
Joined: Sun Oct 14, 2001 8:00 pm
Location: Mint Factory

Post by caesar »

Well, you can use the bind filt and "change" a bit the .whois :)
Once the game is over, the king and the pawn go back in the same box.
Top
d
defessus

Post by defessus »

caesar wrote:Well, you can use the bind filt and "change" a bit the .whois :)
And create my own .whois you mean, that though would require me being good at tcl scriptng, hehe.

Part of the whois code works great and I doubt I would manage to write that, hehe. The part where it hides channel record and channel flags on users for channels that the user (who issued .whois) have no access too... (hope anyone understand that line, hehe)

Which makes it quite weird that the makers of eggdrop let this slip by.
Top
User avatar
caesar
Mint Rubber
Posts: 3778
Joined: Sun Oct 14, 2001 8:00 pm
Location: Mint Factory

Post by caesar »

Example:

Code: Select all

set allowed "bla foo bar" 

bind filt - ".whois *" dcc:allow

proc dcc:allow {idx args} { 
  global allowed 
  set usernick [idx2hand $idx]
  if {[lindex $args 1] == ""} { 
    set icmd [lindex $args 0]
    set args "$icmd "
  }
  if {[lsearch -exact [string tolower $allowed] [string tolower $usernick]] == -1} {
    putdcc $idx "What? You need '.help'"
    } else {
    return $args
  }
}
This way if the user that is not in the "allowed" list will get an "What? You need '.help'" reply :)
Once the game is over, the king and the pawn go back in the same box.
Top
d
defessus

Post by defessus »

caesar wrote: This way if the user that is not in the "allowed" list will get an "What? You need '.help'" reply :)
Yepp, that will work in the way i can limit what users can use whois, but every chanmaster in every chan need access to whois command to be able to manage its users.

And none of thoose chanmasters is supposed to know what other chnas the bots are on, since most of them are +secret.

If a user is in say 2 chans, when a chanmaster do a whois he can only see the channame of the chan he is master of, so there their code works, almost...

But what doesn't work is that at the end of the line where global flags are chown, there is a field for "LAST", and there it can show chans that the master has no right too see, since he has no flags in that chan.
Top
Locked

Return to “Archive”