HM2K

yet another irc related bug - netgear edition

Yes, that's right, there's another bug...

Type:

DCC SEND "string" 0 0 0

on IRC, in a channel, and certain users of certain Netgear products will disconnect.

Apparently it works on the 614 and 624 router ranges, and apparently on some Linksys routers too. It's probably to do with the built-in firewall/protection.
03 Mar 2006 by HM2K
18 comments

Note: Comments are disabled.


by Element @ 16 Jul 2006 02:30 pm
If you're caught doing this on Rizon you will be klined. Also the quit message is (Read Error: Connection Reset by Peer). Of course that message doesn't have to relate to the bug, it could be a fault in the IRC system or someone's firewall.

by Dave Myron @ 25 Jun 2006 04:50 am
Verified on a Netgear 614v6.

Also verified that switching to port 8001 on Freenode fixes it.

by Eulex @ 06 Mar 2006 07:32 pm
Verified to not work on a WGR614v4 (kinda), with the SPI firewall enabled and IRC on port 6667. Someone sent DCC SEND 0 0 0 repeatedly in an IRC channel. I've tried sending the longer versions to myself, and that didn't do anything either. Does it have to be sent from the outside of the local network? In that case, the long version may still work.

by coward @ 04 Mar 2006 10:29 pm
624 here. Verified to cause disconnects just for IRC. I switched port, maybe it'll help.

by ZoFreX @ 04 Mar 2006 09:53 pm
No offence Cillian, but your comments are way off; it isn't up to the router to open ports like that. It's most likely just some really badly written anti-trojan action like startkeylogger; we will probably be seeing a few more of these in future.

by Cillian @ 04 Mar 2006 09:35 pm
I'm guessing what this does is trick the router into thinking you're doing a DCC send on IRC, so it tries to open a port. And, if that port is invalid, it dies. This would explain how changing the port helps - it would stop the router thinking it's IRC.

by StarCreator @ 04 Mar 2006 10:23 am
My WGR614v6 was affected until, at someone's suggestion, I disabled the SPI (Stateful Packet Inspection) firewall. Once I did that, poof, no more problems.

by Mark @ 04 Mar 2006 08:18 am
Yeah, for a workaround, if your IRC server allows it, connect to a port other than 6667. Connecting to port 8001 on Freenode stops the exploit.

by strat1x @ 04 Mar 2006 05:52 am
I have tested this and it does work on Netgear and Linksys modems. To not be vulnerable to this, do not connect to port "6667" on IRC and you will be protected from getting owned.

by ingenio @ efnet @ 04 Mar 2006 05:45 am
It works on some Netgear and some Linksys as well. We aren't sure yet - but we're guessing it only works on routers running the VxWorks operating system. Old Linksys routers appear to be unaffected, and they run Linux. This would explain why it works on multiple products with multiple firmware versions. Again, it appears to be a problem in VxWorks.

by evilDagmar @ 04 Mar 2006 05:20 am
It can also be fewer than 14 characters. Basically, you just have to make it so that one or more of the four parameters at the end isn't sane and *b3Wm*

by viksit @ 04 Mar 2006 04:57 am
Yes, netgear is verified. WG624 to be precise.

by evilDagmar @ 04 Mar 2006 04:49 am
Appears to affect at least one version of the Linksys WRT54g as well. Funx0rs!

by ZoFreX @ 04 Mar 2006 04:25 am
Confirmed that DCC and SEND both need to be caps.

by d03boy @ 04 Mar 2006 04:25 am
I was playing with it and it is Netgear. I am affected by it... gg netgear

by ZoFreX @ 04 Mar 2006 04:19 am
ok just tested it:
DCC SEND 12345678901234 did not work
DCC SEND 123456789012345 did

by ZoFreX @ 04 Mar 2006 04:17 am
Works on Norton firewalls as well (provided they are out of date). Doesn't need the "" round what you send either.

by Your Mom @ 03 Mar 2006 09:22 pm
It seems DCC SEND followed by any 14 or more characters does the trick, so even "DCC SEND kfdsjkfklafjksdkfssjkfsjkl" works. Additionally DCC SEND needs to be in upper-case for it to work.

And can anyone for sure verify it's Netgear? I had previously heard it's Linksys..
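A detection sketch for the behaviour reported in this post and its comments, as an added example that is not part of the original post or any commenter's code: it scans raw IRC lines for upper-case `DCC SEND` text that is not a well-formed CTCP offer. The function names, verdict labels and sample lines are constructed for illustration; treating IP 0, a port outside 1-65535, or a DCC offer addressed to a channel as suspect is an assumption.

```python
import re

# Raw IRC line: ":nick!user@host PRIVMSG <target> :<text>"
PRIVMSG = re.compile(r"^:(?P<src>\S+) PRIVMSG (?P<target>\S+) :(?P<text>.*)$")
# Well-formed CTCP offer: \x01DCC SEND <file> <ipv4-as-integer> <port> [<size>]\x01
CTCP_SEND = re.compile(
    r'^\x01DCC SEND (?P<file>"[^"]+"|\S+) (?P<ip>\d+) (?P<port>\d+)'
    r'(?: (?P<size>\d+))?\x01$')

def classify(line):
    """Return (verdict, nick) for one raw IRC line."""
    m = PRIVMSG.match(line.rstrip("\r\n"))
    if not m:
        return ("ignored", None)
    src, target, text = m.group("src", "target", "text")
    nick = src.split("!", 1)[0]
    # Commenters report the trigger is case-sensitive, so match upper case only.
    if "DCC SEND" not in text:
        return ("ok", nick)
    ctcp = CTCP_SEND.match(text)
    if ctcp is None:
        return ("bare-dcc-send", nick)      # plain text, no CTCP framing
    ip, port = int(ctcp["ip"]), int(ctcp["port"])
    # Assumption: address 0 or an out-of-range port is never a usable offer.
    if ip == 0 or ip > 0xFFFFFFFF or not 1 <= port <= 65535:
        return ("insane-params", nick)
    # Assumption: genuine offers go to one nick, not to a whole channel.
    if target[0] in "#&":
        return ("dcc-to-channel", nick)
    return ("ok", nick)

def scan(lines):
    """Return [(verdict, nick)] for every line that is not clean."""
    results = (classify(line) for line in lines)
    return [r for r in results if r[0] not in ("ok", "ignored")]

# Constructed sample traffic (the second line uses the string from the post).
SAMPLE = [
    ':alice!a@example.net PRIVMSG #chat :hello all',
    ':mallory!m@example.net PRIVMSG #chat :DCC SEND "string" 0 0 0',
    ':bob!b@example.net PRIVMSG carol :\x01DCC SEND notes.txt 3232235777 5000 1024\x01',
    ':mallory!m@example.net PRIVMSG #chat :\x01DCC SEND x 0 0 0\x01',
]

if __name__ == "__main__":
    for verdict, nick in scan(SAMPLE):
        print(f"{nick}: {verdict}")
```

The same check can run in a bouncer or server-side filter so the line is dropped before it reaches clients behind an affected router.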
