Nmap Development mailing list archives
Always practice safe software: a lesson from UnrealIRCd
From: Fyodor <fyodor () insecure org>
Date: Sat, 12 Jun 2010 17:24:09 -0700
The UnrealIRCd team just made an interesting vulnerability announcement:

http://seclists.org/fulldisclosure/2010/Jun/277

It seems that Unreal has been trojaned since last November on at least some of its official mirror sites. The backdoor is very simple and allows anyone to run arbitrary system commands pre-auth. I've already seen one group hit by this.

Interestingly, the Unreal team had apparently stopped GPG/PGP signing releases because they didn't think it was worth the trouble given how few people were verifying the signatures. Oops! They are now planning to re-implement that feature.

Nmap has been signing its releases for many years, and we encourage people to verify the signatures as described here:

http://nmap.org/book/install.html#inst-integrity

I'm the only one who has that signing key, and it is stored locally on one of my home machines rather than on a production server. So even if someone hacks the web site, they can't generate bogus signatures. Of course you need to be sure you have the right key the first time you add it to your keychain, and not just trust the fingerprint given on that web site, which could be hacked. The real fingerprint is on page 27 of the Nmap book (http://nmap.org/book/). Of course you can also use the PGP web of trust (the Nmap signing key is signed by my key, which is signed by various trusted people).

For those interested in how the Unreal backdoor worked, here is the diff:

http://seclists.org/fulldisclosure/2010/Jun/284

I'm not trying to attack or insult the UnrealIRCd team--we all make mistakes. I just hope their unfortunate situation (which has happened to many other projects in the past) helps encourage people to practice safer software.

Also, I think this calls out for an NSE script to detect the backdoor! Any volunteers? It is a really simple backdoor, and a script would allow people to quickly scan their networks for vulnerable servers. Maybe we should have a general backdoor detection script which can start out with just Unreal but can be later extended to handle other backdoors/trojans.

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
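The release-verification advice in the message above, as an added shell example that is not from the original post or from the Nmap project: it verifies a tarball against its detached signature with gpg and, on top of that, pins the signing key's fingerprint, so a "Good signature" produced by some other key (for instance one planted on a compromised web site) is rejected. The fingerprint is read from gpg's machine-readable status output rather than its human-readable text, and the pinned value is a placeholder; the real Nmap fingerprint is in the book, as the post says.

```shell
#!/bin/sh
# Added example (not Nmap project code): verify a release against its
# detached PGP signature AND check that the signing key is the one we
# pinned out of band. gpg prints "Good signature" for any key in the
# keyring, trusted or not, so the fingerprint comparison is what ties the
# release to the publisher rather than to whoever put a key on the mirror.
set -u

# verify_release TARBALL SIGNATURE EXPECTED_FINGERPRINT
# Returns 0 only if gpg reports VALIDSIG and the primary-key fingerprint on
# that status line equals EXPECTED_FINGERPRINT (40 hex chars, no spaces).
verify_release() {
    tarball=$1; sig=$2; expected=$3
    # --status-fd 1 sends stable "[GNUPG:] ..." lines to stdout; the
    # human-readable report goes to stderr and is discarded here.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || {
        echo "verify_release: signature check FAILED for $tarball" >&2
        return 1
    }
    # Line format: [GNUPG:] VALIDSIG <sig-key-fpr> ... <primary-key-fpr>
    # The primary-key fingerprint is the last field; for signatures made by
    # a subkey this is still the fingerprint of the key we pinned.
    actual=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    if [ -z "$actual" ]; then
        echo "verify_release: no VALIDSIG status line for $tarball" >&2
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "verify_release: signed by UNEXPECTED key $actual (pinned $expected)" >&2
        return 2
    fi
    echo "verify_release: $tarball OK, signed by pinned key $actual"
    return 0
}

# Stand-alone usage (PLACEHOLDER fingerprint; replace with the value from an
# out-of-band source such as the printed book, never from the download site):
#   sh verify_release.sh nmap-X.Y.tar.bz2 nmap-X.Y.tar.bz2.asc \
#      0123456789ABCDEF0123456789ABCDEF01234567
if [ "$#" -eq 3 ]; then
    verify_release "$1" "$2" "$3"
fi
```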
Current thread:
- Always practice safe software: a lesson from UnrealIRCd Fyodor (Jun 12)
- Re: Always practice safe software: a lesson from UnrealIRCd Gutek (Jun 13)
- Re: Always practice safe software: a lesson from UnrealIRCd Vlatko Kosturjak (Jun 13)
- Re: Always practice safe software: a lesson from UnrealIRCd Gutek (Jun 13)
- Re: Always practice safe software: a lesson from UnrealIRCd Ron (Jun 13)
- Re: Always practice safe software: a lesson from UnrealIRCd Ron (Jun 13)
- Re: Always practice safe software: a lesson from UnrealIRCd Ron (Jun 13)
- Re: Always practice safe software: a lesson from UnrealIRCd Fyodor (Jun 13)
- Re: Always practice safe software: a lesson from UnrealIRCd Vlatko Kosturjak (Jun 13)
- Re: Always practice safe software: a lesson from UnrealIRCd Ron (Jun 14)
- Re: Always practice safe software: a lesson from UnrealIRCd Gutek (Jun 14)