Some versions of Unreal3.2.8.1.tar.gz contain a backdoor

News about the UnrealIRCd project, including release announcements
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Some versions of Unreal3.2.8.1.tar.gz contain a backdoor

Post by Syzop »

Hi all,

This is very embarrassing...

We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (trojan) in it.
This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have passworded server or hub that doesn't allow any users in).

It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors). It seems nobody noticed it until now.

Obviously, this is a very serious issue, and we're taking precautions so this will never happen again, and if it somehow does that it will be noticed quickly.
We will also re-implement PGP/GPG signing of releases. Even though in practice (very) few people verify files, it will still be useful for those people who do.

Safe versions
==============

Official precompiled Windows (SSL and non-ssl) binaries are NOT affected.

CVS is also not affected.

3.2.8 and any earlier versions are not affected.

Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be safe, but you should really double-check, see next.

How to check if you're running the backdoored version
======================================================
Two ways:

One is to check if the Unreal3.2.8.1.tar.gz you have is good or bad by running 'md5sum Unreal3.2.8.1.tar.gz' on it.
Backdoored version (BAD) is: 752e46f2d873c1679fa99de3f52a274d
Official version (GOOD) is: 7b741e94e867c0a7370553fd01506c66

The other way is to run this command in your Unreal3.2 directory:
grep DEBUG3_DOLOG_SYSTEM include/struct.h
If it outputs two lines, then you're running the backdoored/trojanized version.
If it outputs nothing, then you're safe and there's nothing to do.

What to do if you're running the backdoored version
====================================================
Obviously, you only need to do this if you checked you are indeed running the backdoored version, as mentioned above.
Otherwise there's no point in continuing, as the version on our website is (now back) the good one from April 13 2009 and nothing 'new'.

Solution:
* Re-download from http://www.unrealircd.com/
* Verify MD5 (or SHA1) checksums, see next section (!)
* Recompile and restart UnrealIRCd

The backdoor is in the core, it is not possible to 'clean' UnrealIRCd without a restart or through a module.

How to verify that the release is the official version
=======================================================
You can check by running 'md5sum Unreal3.2.8.1.tar.gz', it should output:
7b741e94e867c0a7370553fd01506c66 Unreal3.2.8.1.tar.gz

For reference, here are the md5sums for ALL proper files:
7b741e94e867c0a7370553fd01506c66 Unreal3.2.8.1.tar.gz
5a6941385cd04f19d9f4241e5c912d18 Unreal3.2.8.1.exe
a54eafa6861b6219f4f28451450cdbd3 Unreal3.2.8.1-SSL.exe

These are the EXACT same MD5sums as mentioned on April 13 2009 in the initial 3.2.8.1 announcement to the unreal-notify and unreal-users mailing list.
<http://sourceforge.net/mailarchive/foru ... eal-notify>

Finally
========
Again, I would like to apologize about this security breach.
We simply did not notice, but should have.
We did not check the files on all mirrors regularly, but should have.
We did not sign releases through PGP/GPG, but should have done so.

This advisory (and updates to it, if any) is posted to:
http://www.unrealircd.com/txt/unrealsec ... 100612.txt

Hope you'll all continue to support UnrealIRCd.
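The two checks from the advisory above (the MD5 of the tarball and the grep on include/struct.h), written up here as an added shell script so they can be run over many installs; this is not code from the advisory or the UnrealIRCd project. The MD5 values are the ones quoted in the post; the function and fixture names are mine, the sample struct.h lines reproduce the two #define lines reported further down in this thread, and the temporary fixture tree and placeholder tarball are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not UnrealIRCd project code: the advisory's two checks as
# functions that return a verdict string instead of relying on eyeballing output.
# Hashes are the ones quoted in the advisory; fixtures below are constructed.

GOOD_MD5="7b741e94e867c0a7370553fd01506c66"   # official Unreal3.2.8.1.tar.gz
BAD_MD5="752e46f2d873c1679fa99de3f52a274d"    # trojanized Unreal3.2.8.1.tar.gz

# classify_tarball FILE -> prints "good", "bad" or "unknown".
# "unknown" (no match for either published hash, or file missing) should be
# treated as untrusted: re-download rather than assuming it is clean.
classify_tarball() {
    sum=$(md5sum "$1" 2>/dev/null | cut -d' ' -f1)
    case "$sum" in
        "$GOOD_MD5") echo good ;;
        "$BAD_MD5")  echo bad ;;
        *)           echo unknown ;;
    esac
}

# classify_tree DIR -> prints "backdoored", "clean" or "inspect".
# Mirrors 'grep DEBUG3_DOLOG_SYSTEM include/struct.h' from the advisory:
# two matching lines mean the trojanized source, no output means clean.
classify_tree() {
    hdr="$1/include/struct.h"
    [ -f "$hdr" ] || { echo inspect; return; }
    n=$(grep -c DEBUG3_DOLOG_SYSTEM "$hdr" || true)   # grep exits 1 on no match
    case "$n" in
        0) echo clean ;;
        2) echo backdoored ;;
        *) echo inspect ;;   # unexpected count: read the header by hand
    esac
}

# make_fixtures -> prints a temp dir with constructed sample trees:
#   bad/   header containing the two #define lines reported in this thread
#   clean/ header without the macro
#   a placeholder tarball that matches neither published hash
make_fixtures() {
    d=$(mktemp -d)
    mkdir -p "$d/bad/include" "$d/clean/include"
    printf '#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)\n#define DEBUG3_DOLOG_SYSTEM(x) system(x)\n' > "$d/bad/include/struct.h"
    printf '/* constructed header without the macro */\n' > "$d/clean/include/struct.h"
    printf 'constructed placeholder, not a real tarball\n' > "$d/Unreal3.2.8.1.tar.gz"
    echo "$d"
}

# Stand-alone run: report on the fixtures, then on an optional real install
# directory passed as $1 (for example ~/Unreal3.2).
main() {
    fx=$(make_fixtures)
    echo "fixture bad tree:   $(classify_tree "$fx/bad")"
    echo "fixture clean tree: $(classify_tree "$fx/clean")"
    echo "fixture tarball:    $(classify_tarball "$fx/Unreal3.2.8.1.tar.gz")"
    rm -rf "$fx"
    if [ -n "$1" ]; then
        echo "$1: tree=$(classify_tree "$1") tarball=$(classify_tarball "$1/Unreal3.2.8.1.tar.gz")"
    fi
}
main "$@"
```

Both functions only read files, so the script can be run as the ircd user on each server; a "backdoored" or "bad" verdict means following the advisory's re-download, recompile and restart steps, and "unknown" or "inspect" means the install does not match a known state and should not be trusted until checked against the published hashes.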
seraphim
Posts: 36
Joined: Tue Apr 03, 2007 11:10 am

Re: Some versions of Unreal3.2.8.1.tar.gz contain a backdoor

Post by seraphim »

I will do. Shit happens, we can just learn for the future.
therock247uk
Posts: 19
Joined: Wed Nov 09, 2005 2:32 pm
Location: UK

Re: Some versions of Unreal3.2.8.1.tar.gz contain a backdoor

Post by therock247uk »

Thanks for posting this, will look into the ircds that run on the servers I oper on.
vbirc
Posts: 0
Joined: Sat Jun 12, 2010 4:52 pm

Re: Some versions of Unreal3.2.8.1.tar.gz contain a backdoor

Post by vbirc »

For those who have a bigger network and don't want to spend hours re-downloading, etc., Bryan made a quick script after I pointed this issue out to him, and I used it on the vbirc network to test. Works great.

info & fix here, http://kwn.me/unrealfix (.txt file)

I hope that helps some people.
Gemster
Posts: 10
Joined: Sat Jun 12, 2010 6:45 pm

Re: Some versions of Unreal3.2.8.1.tar.gz contain a backdoor

Post by Gemster »

Hi, I ran the command "grep DEBUG3_DOLOG_SYSTEM include/struct.h" and got this output

gemster@hidden:~/Unreal3.2$ grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)
gemster@hidden:~/Unreal3.2$

Does this mean that I am running the trojan?

Thanks
Gemster
CoreDuo
Posts: 2
Joined: Sat Nov 08, 2008 7:42 pm

Re: Some versions of Unreal3.2.8.1.tar.gz contain a backdoor

Post by CoreDuo »

Gemster wrote:
Hi, I ran the command "grep DEBUG3_DOLOG_SYSTEM include/struct.h" and got this output

gemster@hidden:~/Unreal3.2$ grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)
gemster@hidden:~/Unreal3.2$

Does this mean that I am running the trojan?

Thanks
Gemster
Yes.
Gemster
Posts: 10
Joined: Sat Jun 12, 2010 6:45 pm

Re: Some versions of Unreal3.2.8.1.tar.gz contain a backdoor

Post by Gemster »

Damn it :/
DustinErnst
Posts: 0
Joined: Sat Jun 12, 2010 11:14 pm

Re: Some versions of Unreal3.2.8.1.tar.gz contain a backdoor

Post by DustinErnst »

Well then. That solves the question of why our server kept getting compromised these last couple months.

Kudos to whoever found the problem.
mkava
Posts: 0
Joined: Wed Oct 14, 2009 2:39 am

Re: Some versions of Unreal3.2.8.1.tar.gz contain a backdoor

Post by mkava »

Thanks for posting this. If one of the people who frequents my network didn't send a link to this, I wouldn't have noticed the post right away otherwise. So thanks go to him and the folk who found/reported this. =]
CoreDuo
Posts: 2
Joined: Sat Nov 08, 2008 7:42 pm

Re: Some versions of Unreal3.2.8.1.tar.gz contain a backdoor

Post by CoreDuo »

mkava wrote:
Thanks for posting this. If one of the people who frequents my network didn't send a link to this, I wouldn't have noticed the post right away otherwise. So thanks go to him and the folk who found/reported this. =]
Or you could have waited until it was inevitably slashdotted
tmpaccount
Posts: 0
Joined: Sun Jun 13, 2010 11:09 am

Re: Some versions of Unreal3.2.8.1.tar.gz contain a backdoor

Post by tmpaccount »

You are very irresponsible.
I'll migrate to some other IRC server as soon as I can and I'd recommend everybody else to do the same.
I was wondering whether it was indeed someone from outside or if you guys did it yourself and when the advisory was published you decided to blame someone from outside.
SHAME ON YOU.
CoreDuo
Posts: 2
Joined: Sat Nov 08, 2008 7:42 pm

Re: Some versions of Unreal3.2.8.1.tar.gz contain a backdoor

Post by CoreDuo »

tmpaccount wrote:
You are very irresponsible.
I'll migrate to some other IRC server as soon as I can and I'd recommend everybody else to do the same.
I was wondering whether it was indeed someone from outside or if you guys did it yourself and when the advisory was published you decided to blame someone from outside.
SHAME ON YOU.
This isn't google...
If you don't want to use it, fine. But leave the conspiracy theories to the tabloids. It's not like they didn't take more safety precautions this time to make sure it doesn't happen again and make a full disclosure including instructions on how to tell if you have an exploited copy. Hell, there's even a nice little script Bryan at xzibition wrote to make it easy.
MK3
Posts: 0
Joined: Sun Jun 13, 2010 2:07 pm

Re: Some versions of Unreal3.2.8.1.tar.gz contain a backdoor

Post by MK3 »

The authors would hardly post to alert users about it if they did it themselves now would they, especially when nobody had noticed it before then.

Many people would save themselves the embarrassment of admitting there was a problem or that the downloads had been exploited so kudos to Syzop for alerting everyone to the fact!

Best Wishes.
katsklaw
Posts: 1124
Joined: Sun Apr 18, 2004 5:06 pm

Re: Some versions of Unreal3.2.8.1.tar.gz contain a backdoor

Post by katsklaw »

MK3 wrote:
The authors would hardly post to alert users about it if they did it themselves now would they, especially when nobody had noticed it before then.

Many people would save themselves the embarrassment of admitting there was a problem or that the downloads had been exploited so kudos to Syzop for alerting everyone to the fact!

Best Wishes.

This is correct, it wouldn't make sense, nor would it make sense to only infect the source code and not the precompiled binaries as well, which would greatly impact the number of systems infected, not to mention be far easier to hide. For example all the Windows machines that run Unreal, which in my personal opinion is nearly as many if not more systems than the source compiled systems.

Please let's leave completely unfounded statements and drama for high school.
MK3
Posts: 0
Joined: Sun Jun 13, 2010 2:07 pm

Re: Some versions of Unreal3.2.8.1.tar.gz contain a backdoor

Post by MK3 »

Agreed!

I guess there is always someone who will come up with an unfounded conspiracy theory even though the facts don't point to the developers being guilty; if anything the facts tend to exonerate them in that they are the first ones warning their users and offering advice on detection of backdoored versions!

How many people would backdoor their own software and then alert their users and what would they even have to gain from doing so? Nothing, not to mention that if they did do so it would harm their reputations and undermine the trust of the users so where is the motive or incentive for them to do something unethical like that?