The discovery and announcement
of a backdoor in UnrealIRCd is
embarrassing for the project, and is certainly a real live security
vulnerability. But it is hardly the "proof" that Linux is insecure, or
than some other (proprietary) OS, as some pundits
would have it. The problem is not Linux-specific, nor is it a problem with
free software development, it is, instead, something that could
happen—has happened—to any software project.
UnrealIRCd is, as its name implies, an Internet Relay Chat (IRC) server.
It runs on most platforms, and has added a number of features that some
folks find useful in an IRC server. It is not related to the Unreal first-person shooter
game as some reported, it is simply a server that can be run to host IRC
channels for a wide variety of purposes.
From what the project can tell, around November 10, 2009 the mirrors of the
source distribution of version 220.127.116.11 of UnrealIRCd were replaced with a
version that contained a backdoor. That backdoor could be used by an
attacker to run any command on a system running the compromised server.
That command would, obviously, run with the privileges of the user that
executed the server. It took until June 12 for this swap to be noticed, so
anyone who picked up a copy of the code in that seven month period may be
was disguised to look like a debug statement in the code:
if (!memcmp(readbuf, DEBUGMODE3_INFO, 2))
eventually resolves to a call to system()
is just the string "AB". Thus commands sent
to the server that start with "AB" will be handed off directly to
. Not a particularly sophisticated backdoor, but an
effective one nevertheless. As the advisory points out, even servers that
are set up to require passwords from users, or even not allow any users at
all, are still vulnerable because they still take input.
The official Windows binaries were not affected by the backdoor, but there
is no reason that they couldn't have been. The problem is that the project
didn't provide any means for verifying the integrity of downloads. That
allowed the switch to be made and remain undetected for so long. Since
then, the project has started signing its
code with GPG keys.
The affected code did make it into Gentoo, which issued an update on the
14th. But the fact that "Linux" was "backdoored" brought out the usual
suspects among web pundits eager to declare that it was a watershed moment
for Linux security. While it certainly was a black eye for UnrealIRCd, it
clearly wasn't one for Linux as a whole. First off, UnrealIRCd is
installed on very few Linux systems—it can hardly be considered a
core Linux program—and even those where it is installed
are likely to be running it as a separate user (e.g. ircd) with
fairly low privileges.
But, even users with low privileges often have enough to be useful to
attackers. One could imagine spammers and botnet herders finding ways to
use the network capabilities of a basic Linux user account. The storage on
the system might be useful as well. Unless the user is running the server
as root, no direct system compromise should be possible, though it
is important to note that a local privilege escalation in the kernel
could be used to take the system over.
One of the more laughable claims about the flaw was Ed Bott's declaration
that Windows virus scanners would have detected the problem had it impacted
those binaries. Bott must be under the impression that virus scanners
somehow magically recognize backdoors in executable code. The truth, of
course, is much more prosaic: some human finds the malware and updates the
signatures that the virus scanners use. Unless this exact vulnerability
had already been injected into other Windows binaries—and thus a
signature created—no virus scanner would pick it up.
There are certainly lessons to be learned here—integrity checking is
important for one—but not those that many of the Windows-centric
columnists are pushing. Windows is no more (or less) vulnerable than Linux
kinds of attacks; when attackers can control the code that you run, it is
"game over" no matter what OS you run. It is possible that
SELinux, TOMOYO, or AppArmor could mitigate this kind of attack to some
extent, but it is somewhat unlikely that anyone has (yet) tackled
configuring any of those for a fairly obscure IRC server.
It is another reminder that we need to be more vigilant about protecting
our code distribution networks. It may be somewhat less common these
days—many folks get their new software from distribution
repositories—but grabbing a tarball, untarring, and typing:
./configure; make; make install
is a longstanding tradition in the open source world. In order to continue
that, it would be very helpful to automatically check signatures when
downloading, but the mechanism for doing so is, as yet, unclear. For now, though,
checking signatures manually, and
being very leery of unsigned code, is the prudent course.
to post comments)