Slashdot Mirror

← Back to Stories (view on slashdot.org)

Backdoor Found In UnrealIRCd Source Archive

Posted by timothy on from the channel-is-pwn3d dept.

l_bratch writes "A malicious backdoor was added to the UnrealIRCd source archive some time around November 2009. It was not noticed for several months, so many IRC servers are likely to be compromised. A Metasploit exploit already exists."

14 of 174 comments (clear)

  1. Only some versions affected by jaak · · Score: 2, Informative

    Slightly misleading summary. Only some versions on the mirrors were affected.

    From the UnreadIRCd forums:

    The Windows (SSL and non-ssl) versions are NOT affected.

    CVS is also not affected.

    3.2.8 and any earlier versions are not affected.

    Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be safe, but you should really double-check.

  2. Re:Remember, kids! by Stupendoussteve · · Score: 5, Informative

    Actually, the hash was not modified from when they posted the true source. Anybody who would have checked it would have recognized that something was wrong.

  3. Re:Open source by tsj5j · · Score: 5, Informative

    Read the original linked source. The source repositories were not compromised; rather, the mirror servers were. The mirror servers had the tarballs replaced with malicious code.

  4. Re:It's nice that they're honest. by Lobachevsky · · Score: 4, Informative

    Closed source software has similar problems with disgruntled employees. Only difference is that the company when finding the backdoor quietly fixes it and gags anyone from going to the media about it.

  5. Re:Windows safer than linux by Anonymous Coward · · Score: 1, Informative

    No, the Windows binaries were not affected. If you compiled them, they would have been affected.

  6. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  7. Re:Gentoo (Linux) not affected by miknix · · Score: 1, Informative

    Cool, you dont get to see this too often when windows version is safer than a linux one!

    Hehe..
    It also depends on the distributions. Gentoo Linux, for example, was not affected because the package maintainers at Gentoo digitally sign the source tarballs. In this case, the digest created by the Gentoo developer corresponds to the uninfected version. So, any Gentoo user trying to install UnrealIRCd from a infected mirror, would have a digest mismatch and the package manager would just refuse to install.
    See https://bugs.gentoo.org/show_bug.cgi?id=323691

    Of course it things could still go wrong if the UnrealIRCd maintainer at Gentoo digitally signed the infected tarball. But developers at Gentoo have a lot of experience, so I suppose most everyone checks the hash of tarballs after download. At least I do..

  8. Re:It's nice that they're honest. by Anonymous Coward · · Score: 1, Informative

    There is no need to audit the entire source, because the CVS wasn't affected. It is actually quite clever to put the backdoor only into release tar balls, because the "many eyeballs" that open source is famous for typically only look at the original source, i.e. the main repository.

  9. Re:Gentoo (Linux) not affected by Anonymous Coward · · Score: 2, Informative

    You're wrong, read comment #8. The ebuild manifest was created using the infected version. Package maintainers are suppose to verify the source tarballs before making an ebuild which creates RIPEMD-160, SHA-1 and SHA-256 checksums. Gentoo wasn't any safer in this instance due to maintainer failure.

  10. Re:Well yes... by bstreiff · · Score: 2, Informative

    Also of interest: Linux's CAP_NET_BIND_SERVICE capabilities flag, which would allow giving a process the ability to attach to lower-than-1024 ports without giving it full root.

  11. Re:Remember, kids! by Hatta · · Score: 2, Informative

    That's why it's important to have GPG signed packages from your distribution. It's a shame Unreal isn't available through Debian.

    --
    Give me Classic Slashdot or give me death!
  12. Re:It's nice that they're honest. by Zigurd · · Score: 4, Informative

    The parent post here found the key fact: If you check article, in fact it confirms the back door was NOT in the source code. Someone replaced some mirrors, and due to lack of a signature, got away with it for a long time.

    This event does not repudiate the protections of having source code available to inspect, and having project governance that reviews code. It does suggest people should be careful about which mirrors they use and how signatures are checked.

    --
    I wrote parts of this stuff
  13. Re:It's nice that they're honest. by GofG · · Score: 2, Informative

    The code was not compromised. Someone swapped one of the .tar.gz's with their own, but the cvs (source) was intact. This is one of the rare situations in which being open source did nothing to help security, but the exact same thing could have happened to a proprietary application.

    --
    GFA/M/S d-- s: a--- C++++ UBL++$ P+ L+++ !E- W++ N+ !o K- w--- !O !M !V PS++ PE Y+ PGP+ t+++ 5- X+ R tv@ b++ DI++++ D+ G
  14. Re:Well by X0563511 · · Score: 2, Informative

    I KNOW.

    Please read what I wrote.

    Hash a large file. Time is spent. Cryptographically sign a file, more time is spent.

    Instead, you sign the hash, and spend -less- time computing the signature. If the signature is true, then the hash is true, and by extension the large file is true.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...