[IRCServices] Bug: Kick/ban loops

Andy Li andycandy212 at gmail.com
Sat Aug 11 19:41:35 PDT 2007


I was playing around with an irc server and I found 2 ways to place a
user in a kickban loop:
1) placing +e ban exceptions using the extban type ~c:#channel, where
it is supported, on ircds such as Unreal.
example:
* Me sets mode: +e ~c:#otherchan
* ChanServ sets mode: +b *!*@localhost
* Test was kicked by ChanServ (AKICK by Me (User has been banned from
the channel))
* Test (adfy at hmm-FC8857E1) has joined #chan
* Test was kicked by ChanServ (AKICK by Me (User has been banned from
the channel))
* Test (adfy at hmm-FC8857E1) has joined #chan
* Test was kicked by ChanServ (AKICK by Me (User has been banned from
the channel))
etc.

My suggestion: match ~c: extbans against all channels that a user is
on before they are kicked

2) Joining a forbidden/suspended channel and then setting an +e
exception quickly by either sending the 2 commands into the same
packet so that they are processed before services can kick them, or
sending the 2 cmds quickly enough so that the lag between services/the
network makes services unable to kick the user before he does it,
either with a mIRC script or some other script. This could be done
by:
a program, eg send_cmd ("JOIN #somechan\nMODE #somechan +e *!*@*");
or typing //raw join #chan $crlf mode #chan +e *!*@* in mirc.
eg:

-> Server: join #test \n mode #test +e *!*@*
* Now talking in #test
* Test sets mode: +e *!*@*
* ChanServ (services at services.hi2u.net) has joined #test
* ChanServ sets mode: +b *!*@*
* You were kicked by ChanServ (This channel may not be used.)
* Attempting to rejoin channel #test
* You were kicked by ChanServ (This channel may not be used.)
* Attempting to rejoin channel #test
etc.
This could be solved by checking for matching excepts before kicking a
user from a forbidden chan, or enabling ChanServ to stay permanently
inside a forbidden/susp'd chan until it is usable again with
CSInhabit.

These two methods can be easily used to harass or flood other users
off of irc, and, if done on a large enough scale, crash services
and/or the network.
A warning should also be placed in the manual warning people who add
extbans to their ircd to also enable proper checking in the services.
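
The pre-kick check suggested for both cases, as an added example that is not part of the original post and not IRCServices code: before kicking, test whether any +e entry (a plain mask or a ~c: extban) exempts the user, since a ban that cannot hold only produces a rejoin loop. The names wild_match and user_is_excepted are hypothetical, and ASCII tolower() stands in for the ircd's real case mapping.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive IRC-style wildcard match: '*' = any run, '?' = one char.
 * A pattern without wildcards behaves as case-insensitive equality. */
static int wild_match(const char *pat, const char *str)
{
    while (*pat) {
        if (*pat == '*') {
            while (*pat == '*') pat++;
            if (!*pat) return 1;
            for (; *str; str++)
                if (wild_match(pat, str)) return 1;
            return 0;
        }
        if (!*str) return 0;
        if (*pat != '?' &&
            tolower((unsigned char)*pat) != tolower((unsigned char)*str))
            return 0;
        pat++; str++;
    }
    return *str == '\0';
}

/* Returns 1 if any +e entry exempts the user. Plain entries are matched
 * against nick!user@host; "~c:#chan" entries against every channel the
 * user is currently on, as the post suggests. */
int user_is_excepted(const char *hostmask,
                     const char *const *on_chans, size_t n_chans,
                     const char *const *excepts, size_t n_excepts)
{
    for (size_t i = 0; i < n_excepts; i++) {
        if (strncmp(excepts[i], "~c:", 3) == 0) {
            for (size_t j = 0; j < n_chans; j++)
                if (wild_match(excepts[i] + 3, on_chans[j]))
                    return 1;
        } else if (wild_match(excepts[i], hostmask)) {
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed sample data modelled on the two logs in the post. */
    const char *chans[] = { "#otherchan" };
    const char *e1[] = { "~c:#otherchan" }, *e2[] = { "*!*@*" };
    printf("%d %d\n", user_is_excepted("Test!adfy@localhost", chans, 1, e1, 1),
           user_is_excepted("Test!adfy@localhost", NULL, 0, e2, 1));
    return 0;
}
```

When the function returns 1, services would need to clear the matching exception before (or instead of) issuing the kick, so that the ban it sets actually keeps the user out.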

