Backdoor Found In UnrealIRCd Source Archive

l_bratch writes "A malicious backdoor was added to the UnrealIRCd source archive some time around November 2009. It was not noticed for several months, so many IRC servers are likely to be compromised. A Metasploit exploit already exists."

It's nice that they're honest.

[allaunjsilverfox2]

This is the kind of behavior that I like to see when someone screws up. Don't be secretive. Don't try to deny it happened. Fess up and make sure people know. *applauds*

Re:It's nice that they're honest.

[Abcd1234]

Well, unless you're Google, in which case you're raked over the coals and accused of being at the right hand of the devil himself...

Re:It's nice that they're honest.

[davester666]

It could be worse... You could be the guy at Microsoft that was ordered to write this exploit and then insert it into the codebase without getting caught.

Re:It's nice that they're honest.

[Lobachevsky]

Closed source software has similar problems with disgruntled employees. Only difference is that the company when finding the backdoor quietly fixes it and gags anyone from going to the media about it.

Re:It's nice that they're honest.

[Vahokif]

It's still an embarrassment for open source though. In theory this sort of stuff shouldn't happen because "everyone can see the source", and if it does, it shouldn't take seven months to fix.

Re:It's nice that they're honest.

Yes, because a single trojan in a server that:

1) no one uses (not a single user checked the hash of the download over seven months),

The hashes most probably _where_ checked by peopel, however they've been changed to reflect the backdoored .tar.gz on the website.

This is from the horses mouth a.k.a. Syzop:

[12:30:04] well the main site got hacked huh, so the md5sum on the website was reflecting the trojanized version
[12:30:18] but nobody checked the md5sum against the one mentioned in the announcement

Re:It's nice that they're honest.

[Runaway1956]

Embarassing, in that, "Yes we screwed up, and we shouldn't have." or embarassing as in, "Oh shit, open source really isn't any better than security through obfuscation!"?

If you mean the first, I'm with you. We all screw up - and sometimes we need a reminder that we can't duck, or blame on someone else to keep us on our toes.

If you mean the second, well, I call bullshit. Several people have already pointed out that closed source shops are frequently the victims of malware. You can find a half dozen gadgets or softwares that have been SHIPPED FROM THE FACTORY with malware of some kind, just in the last year.

Personally, I really prefer the situation at Unreal. It's open source. Everyone who gives a small damn had the opportunity to check it out. Anyone could have run any number of monitoring tools on the software, and caught it doing it's thing. When it was found, the administrators made an announcement. I like honesty and open communications.

It's a helluva lot better than, for example, a closed source shop pushing an update to your telephone which opens your communications up to government monitoring. The only way THAT was discovered, was the relatively dramatic decrease in battery life immediately after the update was pushed.

To each his own though. Those who put their faith in corporate masters are welcome to buy only proprietary stuff. I'll go with open source whenever possible!!

Re:It's nice that they're honest.

[jibjibjib]

Maybe (in fact, almost certainly) Google wanted to capture every packet, measure its signal strength and collect statistics to get more detailed maps of wireless networks than what a simple "3 lines" script would provide. Why would you discount that as not being "credible", but instead accept the even more incredible possibility that (despite until now being a legitimate business) they're involved in some sort of international conspiracy to illegally use random people's private wi-fi data?

A common way of mapping wireless networks is using software like Kismet, which is in fact what Google used, and which in its default configuration saves all packets received. If you claim it must be true that "some evil is involved" because they used standard widely used software rather than your 3-line script, you don't know what you're talking about.

Re:It's nice that they're honest.

[Narcocide]

Seriously, that's what you call unchecked paranoia. Nobody is ordering Microsoft grunts to sabotage open source software. They do that in their free time for fun.

Re:It's nice that they're honest.

[indeterminator]

It's still an embarrassment for open source though.

Talk about generalisation. One project getting rooted isn't representative to the rest of them in any way. Also, FTFA:

CVS is also not affected.

This was a case of distribution packages on their mirror site being replaced with malicious version, not a breakage of the development process. It's also something that happens all the time with closed source SW too, which is why you don't want to download installers from suspicious sites.

Re:It's nice that they're honest.

[keeboo]

3) was not included in the Debain repos, despite there being a willing maintainer, because of poor code quality- see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=515130

The lack or presence of a software in Debian does not mean anything about its quality.
Unfortunately there are are people, among the Debian devel, who are more political assholes than proper developers.

An example of utter garbage present in Debian is pdns (the software itself collapses after running for few hours, even minutes, depending on your load). Yet, each new Debian release contains a new version of that software. -- And that's not the only case.

Re:It's nice that they're honest.

[Kjella]

Embarassing (sic), in that, "Yes we screwed up, and we shouldn't have." or embarassing (sic) as in, "Oh shit, open source really isn't any better than security through obfuscation!"?

Well the old "many eyes" argument is getting embarrassing when it's obvious that all the eyes are on the front door while the window is wide open. As usual, it was not the VCS that was compromised, because many people at least casually look at commits, often it has to pass through a mailing list and often getting commit access is hard. Becoming a rouge committer is high risk/low yield, same with hacking a committer's computer. Hacking the VCS server would probably lead to the code changes showing up in diffs so that's not very subtle either.

But then there's the downstream and binary builds. A few packagers, mirror maintainers and distro maintainers might look at these but hardly anybody else. A good example is the Debian OpenSSL fiasco a few years back. There's this one, that got caught. How many of these go unnoticed? How many really checks that nothing bad happened between the upstream VCS and the binary running on my server? How many makes sure the source and binary posted really match and compile to the same MD5 and won't just disregard it as different compiler versions and flags? Extremely few. Like in this case, it was no good checking the MD5 because it was also compromised...

Re:It's nice that they're honest.

[drinkypoo]

You're in the wrong article. The one about autism is a few further down the front page. In this one, you're supposed to have a sense of humour or, if you're American, a sense of humor.

That's it, I'm headed to the autism article to make a joke. Wapner, here I come!

Re:It's nice that they're honest.

[Zigurd]

The parent post here found the key fact: If you check article, in fact it confirms the back door was NOT in the source code. Someone replaced some mirrors, and due to lack of a signature, got away with it for a long time.

This event does not repudiate the protections of having source code available to inspect, and having project governance that reviews code. It does suggest people should be careful about which mirrors they use and how signatures are checked.

Re:It's nice that they're honest.

[GofG]

The code was not compromised. Someone swapped one of the .tar.gz's with their own, but the cvs (source) was intact. This is one of the rare situations in which being open source did nothing to help security, but the exact same thing could have happened to a proprietary application.

Re:It's nice that they're honest.

[HiThere]

Who's been claiming that things like this couldn't happen?

This is the reason that both deb's and rpm's went to signing all packages, and the reason that best practice requires that signatures not be hosted on the same server as the binaries. (OTOH, I've got to admit that these "best practices" aren't always followed. And I'm currently trusting a package from one site that doesn't sign it's debs with a signature I'm willing to trust. But if I were conscientious I wouldn't use that package.)

So, yeah, this is the kind of thing that "best practices" are intended to prevent, and we don't always follow the best practices, because they are less convenient. But if we care, we can tell whether best practices are being followed.

Now tarballs are a different kind of beast. Perhaps Slackware has some way to deal with the problem of tarball authentication that I don't know of. But lacking that I always feel that using a tarball is taking a risk. And that one should have one's eyes open to that problem. With a tarball you don't know who you're trusting. If you use hashcode verification stored on the same server as the tarball, then the hashcode doesn't prove anything. (For that reason Python always posts both the MD5 and the pgp key on their website [A separate server from their download server]. This is, at least close to, best practices for tarballs.)

Re:It's nice that they're honest.

[HiThere]

The GPG check can also fail if they just get you to add their private key into you list of trusted keys. This is a point that has occasionally bothered me. There doesn't seem to be any decent way to authenticate that the key you're being asked to add is one that should be trusted. Web of trust was a decent approach, but it didn't scale. It demanded personal meetings and the new person being vouched for by the old one. When it got expanded onto the web, the process got broken.

Someone needs to start thinking seriously about this. Someone with decent knowledge of security, and a knowledge of FOSS procedures. And someone friendly to FOSS. And with decent political connections within the community.

Re:It's nice that they're honest.

[GofG]

None of the software I use comes from tarballs either; I get it all from trusted repositories. That particular method is only one step down on the security level from inspecting all of the source of all of the applications you use personally. All of the software I use is open source and very secure; what do I have to worry about? It doesn't have anything to do with the open-source status of the software, it has to do with the distribution method. There are safe and unsafe distribution methods; downloading software from a sketchy mirror is dangerous regardless of the openness or closedness of the source. Downloading from a trusted website (such as ftp.archlinux.fr or cnet.com) is relatively safe, whether you're doing so through your package manage or your browser, whether the software is open or closed source. This incident can do nothing to hurt the reputation of the security of open-source software in the debate vs closed-source software as they both suffer from this security flaw.

Only some versions affected

[jaak]

Slightly misleading summary. Only some versions on the mirrors were affected.

From the UnreadIRCd forums:

The Windows (SSL and non-ssl) versions are NOT affected.

CVS is also not affected.

3.2.8 and any earlier versions are not affected.

Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be safe, but you should really double-check.

Re:Remember, kids!

[Stupendoussteve]

Actually, the hash was not modified from when they posted the true source. Anybody who would have checked it would have recognized that something was wrong.

The remediation advice is wrong

[poppycock]

FTA, "Obviously, you only need to do this if you checked you are indeed running the backdoored version, as mentioned above."

A skilled attacker will have replaced md5sum so that it returns the hash that corresponds to the good version, and in general installed a rootkit. The remediation advice they provide is broken.

If you have installed the affected software, you should probably assume you are owned, regardless of what any local tests tell you.

Re:The remediation advice is wrong

[Stupendoussteve]

If you're running an ircd as root you deserve whatever you get.

Re:The remediation advice is wrong

[poppycock]

Yes, of course. Because its not even conceivable that the intruder has any local exploits.

Re:The remediation advice is wrong

[mysidia]

May I remind you that the Windows binaries are unaffected?

Re:Open source

[Stupendoussteve]

How is it a weakness? It's a weakness of the admin, but being open source didn't somehow make it easier to get malicious code into the source. People could just as easily hijack a binary file (and there's a good chance it would go unnoticed for a longer time).

Re:Open source

[tsj5j]

Read the original linked source. The source repositories were not compromised; rather, the mirror servers were. The mirror servers had the tarballs replaced with malicious code.

Re:Windows safer than linux

[Rijnzael]

My guess is that it's not like Windows users would ever want to compile something manually when there's an installer out there for it, and the perpetrators probably didn't feel like going through all the effort to build the backdoored version for Windows when no one in their right mind hosts an IRCD on a Windows machine.

Backdoor allows user to execute ANY command

[qubezz]

/me wants root
hackboy wants root
/mode #localhost +root hackboy
***irc.efnet.xxx sets mode: +root hackboy
@#hackboy: Spoon!
/msg localhost yes | rm -rf /
***Connection reset by peer

Re:Open source

[MrNaz]

I'm implying that anyone who manages to get commit rights, or even a contributor who's good as obfuscating code, could implant a backdoor into a project. Remember the Debian SSL fiasco? Well, that sort of thing could happen maliciously. In a closed source development environment it's harder (note, I didn't say impossible) to get this sort of thing in, as the effort and/or expense required to inject a mole into the developer circle is higher and the personnel are typically more carefully vetted.

However, the strength of open source is that there are many people looking over each others' shoulders. In a closed source environment, if you manage to get your mole into an area of code development where there are only a small number of developers, well-hidden and obfuscated malicious code could stay buried potentially forever, as once those few guys move on (and they will in corporate land), nobody who comes after then will aggressively pursue legacy code as they won't want to break anything that's already working. Nothing short of a full code audit will catch it.

And thank you for making me explain myself in full.

Well yes...

First, as others have said, the Unreal guys handled this intelligently and properly, so bravo for that.

Secondly, no offense to them, but the Unreal guys wouldn't have had this issue if they regularly verified mirrors. The Unreal guys have been less active in the past few years though, and their software is primarily used by many smaller networks, often with less experience as the IRCd is a bit slow and the codebase is long in the teeth (they're looking to replace this). Something like this was really bound to happen for their team. That said, still good work.

Thirdly, this is why IRC is never ran on its official low numbered port, but on 6667 - there is NO REASON to run IRCd as root - I don't care how safe you think the code is - it's too huge of a target.

So hopefully, anyone sane shouldn't have had more than a sandbox compromised, the patch the Unreal guys released will fix this, and we can all get on with stuff.

Just a few thoughts, oh, and IAAI and IAAIP (I am an IRCop and I am an IRCd Programmer).

Re:Well yes...

[X0563511]

It's there for a reason.

If a server is compromised, the "normal" ports cannot be set up as listeners without also escalating your breakin.

Re:Well yes...

[caluml]

I am looking at it the other way around. There is not really any reasons now to require root access in order to listen on ports below 1024.

Amen. I'm glad I'm not the only one. In this day and age, where anyone can run a Unix box, the whole "root under 1024" thing is redundant. http://calum.org/posts/root-to-bind-to-ports-under-1024.

Make it a damn kernel config option at the very least, and let me decide.

Re:Well yes...

[bstreiff]

Also of interest: Linux's CAP_NET_BIND_SERVICE capabilities flag, which would allow giving a process the ability to attach to lower-than-1024 ports without giving it full root.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Gentoo (Linux) not affected

You're wrong, read comment #8. The ebuild manifest was created using the infected version. Package maintainers are suppose to verify the source tarballs before making an ebuild which creates RIPEMD-160, SHA-1 and SHA-256 checksums. Gentoo wasn't any safer in this instance due to maintainer failure.

Re:Well

[trifish]

the more efficient way is to sign the hash.
Digital signatures actually ARE signed hashes. So I'm not sure what you're trying to invent there (and how it would be more efficient).

Re:Remember, kids!

[Hatta]

That's why it's important to have GPG signed packages from your distribution. It's a shame Unreal isn't available through Debian.

Re:Whew!

[DaveV1.0]

When did Debian and it's Free Software Guidelines become the required standard for open source. Oh, wait, it didn't.

Not every distribution uses apt, so not being in apt is not being less than open. Quite the reverse is true. By limiting themselves to apt, they are being less open.

So, what you are implying is that a standardized software packaging system, the creation of which flossies have fought tooth and nail because it would make things less free, is the way to go, but only if it is the system you prefer.

Re:Well

[trifish]

If you want to use a hash alone, you only check integrity, but not authenticity. The attacker may alter the hashes published on your server and you won't detect that.

And again, if you meant signed hashes, then that is exactly what digital signatures are. Signed hashes of the files. The recipient hashes the file, compares the hashes, and verifies the signature of the hash. That's how digital signing works, my friend.

Your posts contain no suggestions for improvement, but they may even weaken your security.

Re:Well

[X0563511]

I KNOW.

Please read what I wrote.

Hash a large file. Time is spent. Cryptographically sign a file, more time is spent.

Instead, you sign the hash, and spend -less- time computing the signature. If the signature is true, then the hash is true, and by extension the large file is true.