-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===============================================================================
>> CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl. Links <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>> <<
>> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the <<
>> complete CERT-CC advisory texts: http://www.cert.org <<
===============================================================================
===============================================================================
Security Advisory CERT-NL
===============================================================================
Author/Source : CERT-NL (Erik-Jan Bos)                      Index  : S-94-21
Distribution  : World                                        Page   : 1
Classification: External                                     Version: Final
Subject       : Trojan Horse in IRC Client for UNIX          Date   : 21-Oct-94
===============================================================================
CERT-NL has learned of a Trojan horse in some copies of ircII version
2.2.9, the source code for the Internet Relay Chat (IRC) client for
UNIX systems. Reports we have received thus far indicate that the
corrupt code was available as early as May 1994. The Trojan horse
provides a back door through which intruders can gain unauthorized
access to accounts of IRC users. Intruders are actively exploiting
this back door. If you obtained ircII 2.2.9 from any site in May or
later, you may be vulnerable.
Because it is unknown how far the corrupt version of the IRC client has
propagated, and because intruders may have corrupted other versions as
well, CERT-NL recommends obtaining and installing ircII version 2.6.
Because no special privileges are needed to install and run the IRC
source code, any user on your system may have installed the corrupt
code. Thus, we also recommend that you inform your users of this
potential problem and its solution.
As we receive additional information relating to this advisory, we will
place it, along with any clarifications, in an APPENDIX file with the
same index number as this Security Advisory. CERT-NL advisories and
their associated APPENDIX files are available by anonymous FTP from
ftp.nic.surfnet.nl (see footer of this message). We encourage you to
check the APPENDIX files regularly for updates on advisories that
relate to your site.
- -----------------------------------------------------------------------------
I. Description
A Trojan horse was found in some copies of the source code for
the Internet Relay Chat client for UNIX systems, ircII version
2.2.9. Intruders are actively exploiting this Trojan horse.
The Trojan horse creates a back door and enables intruders to
gain unauthorized access to accounts of IRC users. If IRC is run
from a system account, such as root or bin, the Trojan horse
enables intruders to gain unauthorized access to the system
account. In addition, because it is possible to compile,
install, and run IRC source code without special privileges, any
user on your system may have installed corrupt code.
The source code containing the Trojan horse was available from
many FTP sites as early as May 1994 (at this time, we do not have
a specific date).
II. Impact
Remote users can gain unauthorized access to any account running
the IRC client, including a system account if it is running IRC.
III. Solution
If you want to try to determine whether your copy of ircII
contains the Trojan horse, perform a search on the IRC client to
find the strings JUPE or GROK. For example,
% strings /usr/local/bin/irc | egrep 'JUPE|GROK'
If the strings JUPE or GROK are present in the IRC client, your
source code may contain the Trojan horse. Keep in mind, however,
that back doors can easily be changed to respond to other words,
so you may be vulnerable even if you do not find JUPE or GROK.
Thus, even if you believe that your IRC source code is clean, we
urge you to install ircII version 2.6, the most recent version of
IRC. Also, the maintainer of the code reports that version 2.6
contains many bug fixes and extra portability.
IRC source code is available by anonymous FTP from many locations,
including the following:
sungear.mame.mu.oz.au:/pub/irc
alpha.gnu.ai.mit.edu:/ircII
ftp.funet.fi:/pub/unix/irc/ircII
coombs.anu.edu.au:/pub/irc/ircii
File                     Size    MD5 Checksum
--------                 ------  --------------------------------
ircii-2.6.tar.gz         366361  3FC5FBD18CB3E6C071F51FD8C6C59017
ircii-2.6help.tar.gz     111733  D9D535B7A06BED2A2EA6676B20BDA481
ircii-2.5to2.6-diff       19644  0C05C96B10CB87186BD921536AE3FDF2
IV. Informing Users
Because users may have installed IRC source code on their own, we
recommend informing all your users about the Trojan horse and the
new version of IRC.
In addition, you may want to find any user-installed copies of IRC
that may be vulnerable. If so, you could use the find command to
locate these binaries. As an example, the following command will
enable you to find all files named "irc" in a subdirectory of
/usr/users:
% find /usr/users -name irc -type f -print
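The following script is an added example and is not part of the CERT-NL
advisory. It automates the checks described in sections III and IV: the
JUPE/GROK string search over an irc binary, the find for user-installed
copies named "irc", and verification of a downloaded ircII archive against
a published MD5 checksum such as those listed above. It assumes a POSIX sh
with find, grep, tr, mktemp and either md5sum or openssl; strings(1) is used
when installed, with a tr-based fallback otherwise. The sample tree, sample
binaries and sample archive it builds under mktemp are constructed for the
demonstration only; the directory names alice and bob are placeholders.

```shell
#!/bin/sh
# Added example, not part of the CERT-NL advisory: scripts the checks from
# sections III and IV (JUPE/GROK string search, find of user-installed
# "irc" binaries) and MD5 verification of a downloaded ircII archive.
# Assumes POSIX sh with find, grep, tr, mktemp and either md5sum or openssl;
# strings(1) is used when present, with a portable tr-based fallback.
# The sample tree and sample archive built below are constructed for the demo.

# Print the printable strings of a file, like strings(1); fall back to tr
# (which splits on every non-printable byte) when strings is not installed.
printable_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        tr -c '[:print:]' '\n' < "$1"
    fi
}

# Exit 0 if the binary carries the JUPE or GROK trigger words the advisory
# names (grep -E is the portable spelling of egrep). Caveat from section III:
# a modified back door may answer to other words, so a miss is not proof
# that the binary is clean.
irc_has_trojan_strings() {
    [ -f "$1" ] || return 2
    printable_strings "$1" | grep -Eq 'JUPE|GROK'
}

# Section IV: list regular files named "irc" below a directory, one per line.
find_irc_binaries() {
    find "$1" -name irc -type f -print
}

# Scan a tree; print one "SUSPECT <path>" or "clean   <path>" line per binary.
scan_tree() {
    find_irc_binaries "$1" | while IFS= read -r bin; do
        if irc_has_trojan_strings "$bin"; then
            echo "SUSPECT $bin"
        else
            echo "clean   $bin"
        fi
    done
}

# Number of suspect binaries below a directory (prints 0 rather than failing).
count_suspects() {
    scan_tree "$1" | grep -c '^SUSPECT' || :
}

# Lower-case hex MD5 digest of a file, via md5sum or openssl.
md5_of_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# Exit 0 when the file's MD5 equals the published checksum. The advisory
# prints its digests in upper case, so the comparison is case-insensitive.
verify_md5() {
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$(md5_of_file "$1")" = "$expected" ]
}

# Constructed sample data: two user-installed irc binaries, one carrying the
# trigger words, plus a stand-in "archive" with a known digest (the MD5 of
# the five bytes "hello" is 5d41402abc4b2a76b9719d911017c592). Prints the root.
demo_setup() {
    root=$(mktemp -d)
    mkdir -p "$root/alice/bin" "$root/bob/bin"
    printf 'ircII 2.2.9\000JUPE\000GROK\000' > "$root/alice/bin/irc"
    printf 'ircII 2.2.9\000connect\000' > "$root/bob/bin/irc"
    printf 'hello' > "$root/ircii-sample.tar.gz"
    echo "$root"
}

# Stand-alone run: scan the sample tree, then verify the sample archive.
demo_root=$(demo_setup)
scan_tree "$demo_root"
echo "suspect binaries: $(count_suspects "$demo_root")"
if verify_md5 "$demo_root/ircii-sample.tar.gz" 5D41402ABC4B2A76B9719D911017C592; then
    echo "archive checksum OK"
else
    echo "archive checksum MISMATCH, do not install"
fi
rm -rf "$demo_root"
```

On a real system, point scan_tree at the user home tree (the advisory's
example is /usr/users) and at /usr/local/bin, and run verify_md5 on the
ircii-2.6 archives with the checksums from the table in section III before
unpacking them. Treat a string hit as grounds to replace the binary, and
treat a miss as inconclusive, as section III warns.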
- ---------------------------------------------------------------------------
The CERT Coordination Center wishes to thank Matthew Green for his
assistance with this advisory.
- ---------------------------------------------------------------------------
CERT-NL wishes to thank The CERT Coordination Center for making this
information available.
==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).
All CERT-NL material is available under:
http://cert.surfnet.nl/
In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).
CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS
Phone: +31 302 305 305 BUSINESS HOURS ONLY
Fax: +31 302 305 329 BUSINESS HOURS ONLY
Snailmail: SURFnet bv
Attn. CERT-NL
P.O. Box 19035
NL - 3501 DA UTRECHT
The Netherlands
EMERGENCIES (NL): 06 22 92 35 64 ATTENDED AT ALL TIMES
EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i
iQA/AwUBOL6WGTSYjBqwfc9jEQJENwCgzl7sS/t17dtUUh6WkfoVQc3LyvcAn2nB
6zP2vr7w4liAyCrbwr4O6Xdo
=dTjR
-----END PGP SIGNATURE-----