
CERT Advisory 086

Published in CERT Advisory · 4 years ago

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT(sm) Advisory CA-94:14
Original issue date: October 19, 1994
Last revised: August 30, 1996
Information previously in the README was inserted
into the advisory.

A complete revision history is at the end of this file.

Topic: Trojan Horse in IRC Client for UNIX
- -----------------------------------------------------------------------------

The CERT Coordination Center has learned of a Trojan horse in some copies of
ircII version 2.2.9, the source code for the Internet Relay Chat (IRC) client
for UNIX systems. Reports we have received thus far indicate that the corrupt
code was available as early as May 1994. The Trojan horse provides a back door
through which intruders can gain unauthorized access to accounts of IRC users.
Intruders are actively exploiting this back door. If you obtained ircII 2.2.9
from any site in May or later, you may be vulnerable.

Because it is unknown how far the corrupt version of the IRC client has
propagated and because intruders may have corrupted other versions, the CERT
staff recommends obtaining and installing ircII version 2.6.

Because no special privileges are needed to install and run the IRC source
code, any user on your system may have installed the corrupt code. Thus, we
also recommend that you inform your users of this potential problem and its
solution.

We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------

I. Description

A Trojan horse was found in some copies of the source code for
the Internet Relay Chat client for UNIX systems, ircII version
2.2.9. Intruders are actively exploiting this Trojan horse.

The Trojan horse creates a back door and enables intruders to
gain unauthorized access to accounts of IRC users. If IRC is run
from a system account, such as root or bin, the Trojan horse
enables intruders to gain unauthorized access to the system
account. In addition, because it is possible to compile,
install, and run IRC source code without special privileges, any
user on your system may have installed corrupt code.

The source code containing the Trojan horse was available from
many FTP sites as early as May 1994 (at this time, we do not have
a specific date).

II. Impact

Remote users can gain unauthorized access to any account running
the IRC client, including a system account if it is running IRC.

III. Solution

If you want to try to determine whether your copy of ircII contains the
Trojan horse, perform a search on the IRC client to find the strings JUPE
or GROK. For example,

% strings /usr/local/bin/irc | grep 'JUPE|GROK'

% strings /usr/local/bin/irc | egrep 'JUPE|GROK'

Note that the first form only works if your grep understands extended
regular expressions; a plain (basic) grep treats the | character literally
and reports nothing even when the strings are present, so use the egrep form
(or grep -E) if in doubt.

If the strings JUPE or GROK are present in the IRC client, your source
code may contain the Trojan horse. Keep in mind, however, that back doors
can easily be changed to respond to other words, so you may be vulnerable
even if you do not find JUPE or GROK.

Thus, even if you believe that your IRC source code is clean, we urge you
to install ircII version 2.6, the most recent version of IRC. Also,
the maintainer of the code reports that version 2.6 contains many bug
fixes and extra portability.

IRC source code is available by anonymous FTP from many locations,
including the following:

sungear.mame.mu.oz.au:/pub/irc
alpha.gnu.ai.mit.edu:/ircII
ftp.funet.fi:/pub/unix/irc/ircII
coombs.anu.edu.au:/pub/irc/ircii

File                     Size     MD5 Checksum
--------                 ------   -----------------------------
ircii-2.6.tar.gz         366361   3FC5FBD18CB3E6C071F51FD8C6C59017
ircii-2.6help.tar.gz     111733   D9D535B7A06BED2A2EA6676B20BDA481
ircii-2.5to2.6-diff       19644   0C05C96B10CB87186BD921536AE3FDF2


As of Feb. 2, 1995, an ircii2.6-sco-patch is available:

File                     Size     MD5 Checksum
--------                 ------   -----------------------------
ircii-2.6.tar.gz         366361   3FC5FBD18CB3E6C071F51FD8C6C59017
ircii-2.6help.tar.gz     111733   D9D535B7A06BED2A2EA6676B20BDA481
ircii-2.5to2.6-diff       19644   0C05C96B10CB87186BD921536AE3FDF2
ircii-2.6-sco-patch       65143   45161113B0E435FB993CE00436A819A1

IV. Informing Users

Because users may have installed IRC source code on their own, we
recommend informing all your users about the Trojan horse and the new
version of IRC.

In addition, you may want to find any user-installed copies of IRC that
may be vulnerable. If so, you could use the find command to locate these
binaries. As an example, the following command will enable you to find
all files named "irc" in a subdirectory of /usr/users:

% find /usr/users -name irc -type f -print
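The following script ties together the two checks from Sections III and IV (the marker-string search and the find for user-installed binaries) and adds a checksum comparison against the MD5 values listed above. It is an added example, not part of the CERT advisory or of the ircII distribution. It assumes a POSIX sh with tr, grep -E, find and awk, and md5sum (or BSD md5); printable_strings is a portable stand-in for strings(1) so the script works where binutils is not installed.

```sh
#!/bin/sh
# Constructed example; not part of the CERT advisory or of ircII.
# Assumes POSIX sh, tr, grep -E, find, awk, and md5sum (or BSD/macOS md5).

# Expected MD5 checksums, copied from Section III of the advisory
# (lower-cased so comparisons do not depend on the tool's output case).
ADVISORY_MD5="ircii-2.6.tar.gz 3fc5fbd18cb3e6c071f51fd8c6c59017
ircii-2.6help.tar.gz d9d535b7a06bed2a2ea6676b20bda481
ircii-2.5to2.6-diff 0c05c96b10cb87186bd921536ae3fdf2
ircii-2.6-sco-patch 45161113b0e435fb993ce00436a819a1"

# Emit the printable runs (4+ characters) of a file, like strings(1):
# every non-printable byte (NUL included) becomes a line break.
printable_strings() {
    tr -c '[:print:]\n' '\n' < "$1" | grep -E '.{4,}'
}

# Return 0 if the file contains one of the advisory's marker strings.
# As the advisory notes, an absent marker does not prove a clean build.
has_backdoor_marker() {
    printable_strings "$1" | grep -qE 'JUPE|GROK'
}

# Walk a directory tree (e.g. /usr/users) for files named irc and
# report each one as SUSPECT or clean according to the marker check.
scan_irc_binaries() {
    find "$1" -name irc -type f -print 2>/dev/null | while read -r f; do
        if has_backdoor_marker "$f"; then
            printf 'SUSPECT %s\n' "$f"
        else
            printf 'clean   %s\n' "$f"
        fi
    done
}

# MD5 digest of a file on either GNU (md5sum) or BSD (md5) userland.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Compare a downloaded distribution file with the advisory's checksum.
# Usage: verify_download <path> [expected-md5]
# The expected value defaults to the table entry matching the file name.
verify_download() {
    path=$1
    name=$(basename "$path")
    expected=${2:-$(printf '%s\n' "$ADVISORY_MD5" | awk -v n="$name" '$1==n{print $2}')}
    if [ -z "$expected" ]; then
        echo "no advisory checksum for $name" >&2
        return 2
    fi
    actual=$(md5_of "$path" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Typical use on a real host:
#   scan_irc_binaries /usr/users
#   verify_download /tmp/ircii-2.6.tar.gz && echo "checksum matches advisory"
```

The scan reports SUSPECT only on the two words the advisory names; treat a clean result as weak evidence, and treat the checksum check as the stronger one, since it confirms the replacement source matches what CERT published rather than whatever a mirror happened to serve.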

- ---------------------------------------------------------------------------
The CERT Coordination Center wishes to thank Matthew Green for his
assistance with this advisory.
- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in Forum of Incident
Response and Security Teams (FIRST).

If you wish to send sensitive incident or vulnerability information to
CERT via electronic mail, CERT strongly advises that the e-mail be
encrypted. CERT can support a shared DES key, PGP (public key
available via anonymous FTP on info.cert.org), or PEM (contact CERT
for details).

Internet E-mail: cert@cert.org
Telephone: 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
and are on call for emergencies during other hours.

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
USA

Past advisories, information about FIRST representatives, and other
information related to computer security are available for anonymous
FTP from info.cert.org.

Copyright 1994, 1995, 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.

CERT is a service mark of Carnegie Mellon University.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

Aug. 30, 1996 Information previously in the README was inserted
into the advisory.
Feb. 02, 1995 Sec. III - Added filenames and checksums for ircii2.6-sco-patch.
Oct. 20, 1994 Sec. III - Added example command using egrep.
Included alpha.gnu.ai.mit.edu as a source of ircII.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMiSqJnVP+x0t4w7BAQE5nwQA0bWc2T9Lqopgc9UCKpuClcVGvFONc7F5
b/ptaHGcW+yobmpXZCWPR8nBN4+KVCiP4fSH8XaI8yMO0aDHdhtg3sFA/yfNoSCu
+6IMCY2UcSXQkiiyHT165MOr+IqsRh0HOuaJm3Cvbjkyvjb0cG5R30Rczoo6GULa
T1amleszZ44=
=T+8z
-----END PGP SIGNATURE-----