UnrealIRCd 3.2.8.1 backdoored on official ftp and site

2010.06.16
Credit: Henri Salo
Risk: High
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (trojan) in it. This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have passworded server or hub that doesn't allow any users in). It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors). It seems nobody noticed it until now. Obviously, this is a very serious issue, and we're taking precautions so this will never happen again, and if it somehow does that it will be noticed quickly. We will also re-implement PGP/GPG signing of releases. Even though in practice (very) few people verify files, it will still be useful for those people who do. Safe versions ============== Official precompiled Windows binaries (SSL and non-ssl) are NOT affected. CVS is also not affected. 3.2.8 and any earlier versions are not affected. Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be safe, but you should really double-check, see next. How to check if you're running the backdoored version ====================================================== Two ways: One is to check if the Unreal3.2.8.1.tar.gz you have is good or bad by running 'md5sum Unreal3.2.8.1.tar.gz' on it. Backdoored version (BAD) is: 752e46f2d873c1679fa99de3f52a274d Official version (GOOD) is: 7b741e94e867c0a7370553fd01506c66 The other way is to run this command in your Unreal3.2 directory: grep DEBUG3_DOLOG_SYSTEM include/struct.h If it outputs two lines, then you're running the backdoored/trojanized version. If it outputs nothing, then you're safe and there's nothing to do. What to do if you're running the backdoored version ==================================================== Obviously, you only need to do this if you checked you are indeed running the backdoored version, as mentioned above. Otherwise there's no point in continuing, as the version on our website is (now back) the good one from April 13 2009 and nothing 'new'. Solution: * Re-download from http://www.unrealircd.com/ * Verify MD5 (or SHA1) checksums, see next section (!) * Recompile and restart UnrealIRCd The backdoor is in the core, it is not possible to 'clean' UnrealIRCd without a restart or through a module. How to verify that the release is the official version ======================================================= You can check by running 'md5sum Unreal3.2.8.1.tar.gz', it should output: 7b741e94e867c0a7370553fd01506c66 Unreal3.2.8.1.tar.gz For reference, here are the md5sums for ALL proper files: 7b741e94e867c0a7370553fd01506c66 Unreal3.2.8.1.tar.gz 5a6941385cd04f19d9f4241e5c912d18 Unreal3.2.8.1.exe a54eafa6861b6219f4f28451450cdbd3 Unreal3.2.8.1-SSL.exe These are the EXACT same MD5sums as mentioned on April 13 2009 in the initial 3.2.8.1 announcement to the unreal-notify and unreal-users mailing list. <http://sourceforge.net/mailarchive/forum.php?thread_name=49E341E0.3000702%40vulnscan.org&forum_name=unreal-notify> Finally ======== Again, I would like to apologize about this security breach. We simply did not notice, but should have. We did not check the files on all mirrors regularly, but should have. We did not sign releases through PGP/GPG, but should have done so. This advisory (and updates to it, if any) is posted to: http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt Hope you'll all continue to support UnrealIRCd.

References:

http://www.vupen.com/english/advisories/2010/1437
http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt
http://www.securityfocus.com/bid/40820
http://www.openwall.com/lists/oss-security/2010/06/14/11
http://security.gentoo.org/glsa/glsa-201006-21.xml
http://secunia.com/advisories/40169
http://seclists.org/fulldisclosure/2010/Jun/284
http://seclists.org/fulldisclosure/2010/Jun/277
http://osvdb.org/65445


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top