CERT® Advisory CA-1994-14 Trojan Horse in IRC Client for UNIX

Original issue date: October 19, 1994
Last revised: September 23, 1997
Updated copyright statement

A complete revision history is at the end of this file.

The CERT Coordination Center has learned of a Trojan horse in some copies of ircII version 2.2.9, the source code for the Internet Relay Chat (IRC) client for UNIX systems. Reports we have received thus far indicate that the corrupt code was available as early as May 1994. The Trojan horse provides a back door through which intruders can gain unauthorized access to accounts of IRC users. Intruders are actively exploiting this back door. If you obtained ircII 2.2.9 from any site in May or later, you may be vulnerable.

Because it is unknown how far the corrupt version of the IRC client has propagated and because intruders may have corrupted other versions, the CERT staff recommends obtaining and installing ircII version 2.6.

Because no special privileges are needed to install and run the IRC source code, any user on your system may have installed the corrupt code. Thus, we also recommend that you inform your users of this potential problem and its solution.

We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site.



I. Description

A Trojan horse was found in some copies of the source code for the Internet Relay Chat client for UNIX systems, ircII version 2.2.9. Intruders are actively exploiting this Trojan horse.

The Trojan horse creates a back door and enables intruders to gain unauthorized access to accounts of IRC users. If IRC is run from a system account, such as root or bin, the Trojan horse enables intruders to gain unauthorized access to the system account. In addition, because it is possible to compile, install, and run IRC source code without special privileges, any user on your system may have installed corrupt code.

The source code containing the Trojan horse was available from many FTP sites as early as May 1994 (at this time, we do not have a specific date).

II. Impact

Remote users can gain unauthorized access to any account running the IRC client, including a system account if it is running IRC.

III. Solution

If you want to try to determine whether your copy of ircII contains the Trojan horse, perform a search on the IRC client to find the strings JUPE or GROK. For example,

% strings /usr/local/bin/irc | grep -e JUPE -e GROK
% strings /usr/local/bin/irc | egrep 'JUPE|GROK'

If the strings JUPE or GROK are present in the IRC client, your source code may contain the Trojan horse. Keep in mind, however, that back doors can easily be changed to respond to other words, so you may be vulnerable even if you do not find JUPE or GROK.

Thus, even if you believe that your IRC source code is clean, we urge you to install ircII version 2.6, the most recent version of IRC. Also, the maintainer of the code reports that version 2.6 contains many bug fixes and extra portability.

IRC source code is available by anonymous FTP from many locations, including the following:

sungear.mame.mu.oz.au:/pub/irc
alpha.gnu.ai.mit.edu:/ircII
ftp.funet.fi:/pub/unix/irc/ircII
coombs.anu.edu.au:/pub/irc/ircii

File                  Size     MD5 Checksum
--------              ------   -----------------------------
ircii-2.6.tar.gz      366361   3FC5FBD18CB3E6C071F51FD8C6C59017
ircii-2.6help.tar.gz  111733   D9D535B7A06BED2A2EA6676B20BDA481
ircii-2.5to2.6-diff   19644    0C05C96B10CB87186BD921536AE3FDF2

As of Feb. 2, 1995, an ircii2.6-sco-patch is available:

File                  Size     MD5 Checksum
--------              ------   -----------------------------
ircii-2.6.tar.gz      366361   3FC5FBD18CB3E6C071F51FD8C6C59017
ircii-2.6help.tar.gz  111733   D9D535B7A06BED2A2EA6676B20BDA481
ircii-2.5to2.6-diff   19644    0C05C96B10CB87186BD921536AE3FDF2
ircii-2.6-sco-patch   65143    45161113B0E435FB993CE00436A819A1

IV. Informing Users

Because users may have installed IRC source code on their own, we recommend informing all your users about the Trojan horse and the new version of IRC.

In addition, you may want to find any user-installed copies of IRC that may be vulnerable. If so, you could use the find command to locate these binaries. As an example, the following command will enable you to find all files named "irc" in a subdirectory of /usr/users:

% find /usr/users -name irc -type f -print
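The checks in Sections III and IV combined into one POSIX sh script, as an added example that is not part of the CERT advisory: it walks a tree for user-installed "irc" binaries, flags those containing the JUPE or GROK trigger strings, and compares a downloaded file's MD5 against a digest from the advisory's table. The directory names, the demo files and the use of tr(1) as a stand-in where strings(1) is absent are assumptions of this example.

```shell
# Added example, not part of the CERT advisory: locate user-installed "irc"
# binaries (Section IV), flag those carrying the JUPE/GROK trigger strings
# (Section III) and verify an ircII 2.6 download against a published MD5.

# Printable strings of a file: strings(1) when present, tr(1) as a fallback
# so the check also runs on hosts without binutils.
printable_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        tr -c '[:print:]\n' '\n' < "$1"
    fi
}

# True (exit 0) when the binary contains either trigger word.
has_backdoor_strings() {
    printable_strings "$1" | grep -qE 'JUPE|GROK'
}

# Print every regular file named "irc" under $1 that matches. The advisory
# notes the trigger words can be changed, so no output is not proof of a clean copy.
find_suspect_irc() {
    find "$1" -name irc -type f -print 2>/dev/null | while read -r f; do
        if has_backdoor_strings "$f"; then echo "$f"; fi
    done
}

# Compare a file's MD5 with the expected hex digest (case-insensitive, since the
# advisory lists digests in uppercase). Exit 0 on match, 1 on mismatch.
verify_md5() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if command -v md5sum >/dev/null 2>&1; then
        actual=$(md5sum "$1" | cut -d' ' -f1)
    else
        actual=$(md5 -q "$1")   # BSD / macOS
    fi
    [ "$actual" = "$expected" ]
}

# Demonstration on constructed files; no real ircII binary is involved.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/alice/bin" "$tmp/bob/bin"
    printf 'plain irc client\0' > "$tmp/alice/bin/irc"        # constructed clean copy
    printf 'irc client\0JUPE\0GROK\0' > "$tmp/bob/bin/irc"     # constructed trojaned copy
    find_suspect_irc "$tmp"                                    # prints only bob's copy
    verify_md5 "$tmp/bob/bin/irc" 3FC5FBD18CB3E6C071F51FD8C6C59017 || echo "digest differs from the advisory's ircii-2.6.tar.gz"
    rm -rf "$tmp"
}
```

Source the script and call `demo`, or run `find_suspect_irc /usr/users` and `verify_md5 ircii-2.6.tar.gz 3FC5FBD18CB3E6C071F51FD8C6C59017` directly on a real tree and download.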


The CERT Coordination Center wishes to thank Matthew Green for his assistance with this advisory.


This document is available from: http://www.cert.org/advisories/CA-1994-14.html


CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site


* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.


Conditions for use, disclaimers, and sponsorship information


Copyright 1994, 1996 Carnegie Mellon University.


Revision History

Sep. 23, 1997  Updated copyright statement
Aug. 30, 1996  Information previously in the README was inserted
               into the advisory.
Feb. 02, 1995  Sec. III - Added filenames and checksums for ircii2.6-sco-patch.
Oct. 20, 1994  Sec. III - Added example command using egrep.
               Included alpha.gnu.ai.mit.edu as a source of ircII.