oss-sec mailing list archives

Re: CVE request: UnrealIRCd 3.2.8.1 source code contained a backdoor allowing for remote command execution


From: Eugene Teo <eugeneteo () kernel sg>
Date: Tue, 15 Jun 2010 08:07:31 +0800

On 06/13/2010 01:10 AM, Alex Legler wrote:
Hi.

Quoting http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt:

"We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been
replaced quite a while ago with a version with a backdoor (trojan) in
it. This backdoor allows a person to execute ANY command with the
privileges of the user running the ircd. The backdoor can be executed
regardless of any user restrictions (so even if you have passworded
server or hub that doesn't allow any users in)."

Basically, a system() call was injected into the source code, disguised
as a debug/log macro.

Also see, http://seclists.org/dailydave/2010/q2/56

Eugene
--
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
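The disguise described in the message above, a process-spawning call reached through a macro that reads like logging, is something a source audit can look for. The following is an added example, not part of the original post and not UnrealIRCd code: a small scanner that flags such macros and their call sites. The macro names and the C sample are constructed for illustration.

```python
import re

# Calls that start a process; none belongs behind a logging or debug macro.
EXEC_CALLS = ("system", "popen", "execl", "execlp", "execv", "execvp", "execve")
EXEC_RE = re.compile(r"\b(" + "|".join(EXEC_CALLS) + r")\b")
DEFINE_RE = re.compile(r"^\s*#\s*define\s+([A-Za-z_]\w*)(?:\([^)]*\))?\s*(.*)$")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")

# Constructed sample: hypothetical macro names, not taken from any real project.
SAMPLE = r'''
#define TRACE_BACKEND system
#define TRACE_LOG(x) \
        TRACE_BACKEND(x)   /* reads like logging */
#define SAFE_LOG(x) fprintf(stderr, "%s\n", x)
static void read_packet(char *buf) {
    SAFE_LOG("packet received");
    TRACE_LOG(buf);
}
'''

def normalize(source):
    """Join backslash-continued lines, then drop /* */ comments."""
    joined = re.sub(r"\\\r?\n", " ", source)
    return re.sub(r"/\*.*?\*/", " ", joined, flags=re.S)

def find_exec_macros(source):
    """Map each macro that reaches a process-spawning call to that call,
    following macro-to-macro aliases until nothing new is found."""
    defs = (DEFINE_RE.match(line) for line in normalize(source).splitlines())
    bodies = {m.group(1): m.group(2) for m in defs if m}
    flagged = {n: EXEC_RE.search(b).group(1)
               for n, b in bodies.items() if EXEC_RE.search(b)}
    changed = True
    while changed:
        changed = False
        for name, body in bodies.items():
            via = next((t for t in IDENT_RE.findall(body) if t in flagged), None)
            if name not in flagged and via:
                flagged[name] = flagged[via]
                changed = True
    return flagged

def find_uses(source, flagged):
    """Return (macro, line text) for each use of a flagged macro outside a #define."""
    return [(tok, line.strip()) for line in normalize(source).splitlines()
            if not DEFINE_RE.match(line)
            for tok in IDENT_RE.findall(line) if tok in flagged]
```

Matching is token-based, so it over-reports rather than misses: every hit is a prompt to read the macro and its call sites by hand. Direct calls to these functions are not reported, since a plain text search already finds them.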

