IRC News

All about Internet Relay Chat

Some UnrealIRCd downloads trojaned [Update 3]

Syzop of the UnrealIRCd project just posted an announcement on their mailing list and forums that some versions of their IRCd have been compromised and had a backdoor added, which went unnoticed for quite a while.

The first signs of the compromise have been traced back to November 2009 and Syzop writes that “Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be safe, but you should really double-check”.

Only the source downloads (.tar.gz) are affected by this hack. Windows users, copies checked out from their CVS, and users of older versions are safe and don’t need to check. Everyone else should ensure they’re running a clean version of UnrealIRCd, since the backdoor allows an attacker to issue and execute commands as the user the IRCd is running as, which essentially means your shell could easily be compromised despite all other security measures.

Checking whether your IRCd is one of those trojanized copies can easily be done either by checking with md5sum or by grep’ing the source for the backdoored code:

Run ‘md5sum Unreal3.2.8.1.tar.gz’ on it and compare the resulting sum to the checksums below:

Backdoored version (BAD) is: 752e46f2d873c1679fa99de3f52a274d
Official version (GOOD) is: 7b741e94e867c0a7370553fd01506c66

or use the command ‘grep DEBUG3_DOLOG_SYSTEM include/struct.h’ from your Unreal3.2 directory. If this outputs 2 lines, you’re running the trojanized version and need to get yourself a fresh and clean copy of the IRCd and recompile it, since the compromised section is in the IRCd’s core and “it is not possible to ‘clean’ UnrealIRCd without a restart or through a module”.
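The two checks above combined into one script, as an added example that is not part of the original post or the UnrealIRCd advisory. The function names and verdict strings are hypothetical, and how grep counts other than 2 are reported is an assumption; the checksums and the grep pattern are the ones given above.

```shell
#!/bin/sh
# Added example: checks a tarball and a source tree against the two
# indicators published in the article. Verdict names are hypothetical.

BAD_MD5="752e46f2d873c1679fa99de3f52a274d"   # backdoored tarball (from the article)
GOOD_MD5="7b741e94e867c0a7370553fd01506c66"  # official tarball (from the article)

# classify_md5 <hex-digest>: prints BAD, GOOD or UNKNOWN (case-insensitive).
classify_md5() {
    sum=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$sum" in
        "$BAD_MD5")  echo BAD ;;
        "$GOOD_MD5") echo GOOD ;;
        *)           echo UNKNOWN ;;   # neither published checksum: do not trust it
    esac
}

# check_tarball <path>: hashes the file with md5sum and classifies the digest.
check_tarball() {
    [ -r "$1" ] || { echo MISSING; return 0; }
    classify_md5 "$(md5sum < "$1" | cut -d' ' -f1)"
}

# check_tree <Unreal3.2 directory>: counts lines in include/struct.h that
# contain DEBUG3_DOLOG_SYSTEM. Two lines means the trojanized source (per the
# article); reporting of any other count is an assumption of this example.
check_tree() {
    hdr="$1/include/struct.h"
    [ -r "$hdr" ] || { echo MISSING; return 0; }
    n=$(grep -c DEBUG3_DOLOG_SYSTEM "$hdr" || true)
    case "$n" in
        2) echo BAD ;;
        0) echo NO_INDICATOR ;;
        *) echo UNEXPECTED ;;          # inspect the header by hand
    esac
}

# Usage: ./check-unreal.sh Unreal3.2.8.1.tar.gz [path/to/Unreal3.2]
if [ "$#" -ge 1 ]; then echo "tarball: $(check_tarball "$1")"; fi
if [ "$#" -ge 2 ]; then echo "source tree: $(check_tree "$2")"; fi
```

A BAD result from either check means the running IRCd has to be replaced with a clean build and restarted, as the announcement states.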

Syzop writes that they have taken precautions so such a compromise can never happen again and, if it does, that it’ll be noticed more quickly. They’re also planning to reimplement PGP/GPG signing of the releases which “in practice (very) few people use” but “still [will] be useful for those people who do”.

Closing his announcement he writes that he’d like to “apologize about this security breach. We simply did not notice, but should have. We did not check the files on all mirrors regularly, but should have. We did not sign releases through PGP/GPG, but should have done so. Hope you’ll all continue to support UnrealIRCd”.

The full announcement can be read here and the advisory can be found here.

[Update]: Servers running the trojanized versions of UnrealIRCd should be updated as soon as possible since HD Moore, the creator of the Metasploit exploitation framework, already released a module for it, but even without that the security hole is really simple to exploit.

Also, here is a .sh script that might help you in the upgrade process. At least one user on the UnrealIRCd forums claimed it worked for him (although no guarantee of any kind is given by either the author or me).

[Update 2]: Syzop just posted a follow-up in which he writes that their releases are “from now on signed with GnuPG (PGP) again”.

[Update 3]: In an email to the UnrealIRCd mailing list, Syzop elaborates on the GPG/PGP signing and says that there will be instructions on how to verify the key when you download the future releases. He also goes into some detail about which precautions the team has taken so that such an incident “will never ever happen again”. He rightfully criticizes certain news outlets that claimed it was the fault of the Open Source model and even Linux (*cough*ZDNet*cough*). Some websites even confused the IRCd with EPIC software’s first-person shooter Unreal Tournament.

  Copyright secured by Digiprove

ngIRCd 16 has been released

Alexander Barton of the ngIRCd project just announced on their mailing-list the immediate availability of version 16 of their IRC daemon.

After 1 month of testing and 2 release candidates, the final release is available to download and use.

The most notable changes since ngIRCd version 15 according to the announcement are various fixes to the build system and code cleanups, a new numeric (RPL_STATSCONN 250) that displays a few enhanced connection statistics to clients on connect and adding the missing documentation for the “Password” variable.

ngIRCd has gained WEBIRC support that is used for various Webchat-clients such as Mibbit and the limit that previously restricted the number of possible IRCOps has been removed.

Channelmode +z has been introduced as well. With that mode set, only clients that are connected over an SSL-encrypted connection can join that channel. Clients that are already present on that channel are not checked and are therefore allowed to stay; the same goes for clients joining from a remote server that does not support CMODE +z.

The download for ngIRCd 16 can be found here and the changelog is available here.

ratbox-services updated to v1.2.4

The ratbox-services project, which provides the services package for ircd-ratbox, has released version 1.2.4 in its stable tree.

Version 1.2.4 is mainly a bugfix release. The one feature addition in this new version is that you can now specify both the UID/GID and the path it chroots to on startup with a parameter.

Other than that, some inconsistencies with ChanServ enforcing topics have been rectified and it now “enforces topics whenever it is in the channel”. The handling of read errors received from servers has been fixed, as have the configure options of both MySQL and PostgreSQL, which now take a path to a binary that will provide the compiler with the information it needs to compile the respective support in.

The complete changelog for ratbox-services 1.2.4 can be found here and the download can be obtained from here.

InspIRCd 1.2.7 stable is out, fixes DoS bugs

The InspIRCd team released version 1.2.7 of their stable branch yesterday which fixes 2 critical bugs that can result in DoS conditions, so an upgrade is advised.

The first crash that has been fixed can be triggered when a remote server has the same name as a local one, which possibly crashes the linking IRCd. This bug was squashed by developer danieldg in this commit.

The second bug can lead to a Denial of Service condition due to memory exhaustion, which is possible since ban exception masks weren’t limited in length or in number according to MAXBANS.

This has been rectified by this commit: they are now restricted to 250 characters in length and adhere to the MAXBANS directive.

The download for InspIRCd 1.2.7 can be found here, the whole commit-log can be viewed here.

ShadowIRCd project releases 6.1.0

The ShadowIRCd project just released version 6.1.0 of their Charybdis-based IRCd, just a little over a month after the release of version 6.0.0.

The new release adds a few new features, configuration options and “massive helpfile updates”.

The developer team implemented a server-side /CYCLE (also called /HOP in some clients) command which parts and rejoins the user from the channel he specifies.

A lot of management commands, such as those pertaining to modules (like MODLOAD), can now be executed remotely. Remote stopping or restarting of the IRCd through DIE and RESTART has been introduced as well.

Configuration options like a settable timeout for ident checking have been added; static QUIT and the removal of PART messages are now an option too. The flood protection for opers can now be turned off fully instead of just increasing the limit by 4 times like before. The changelog, however, warns to be “extremely careful” since this option allows opers to “flood channels/users”.

Another feature worth mentioning is the addition of HELPCHAN / HELPURL: when those are configured, a user doing /QUOTE HELP will be pointed to the network’s help channel or a website, whereas he would otherwise get just the default help index.

The full changelog can be viewed here and the download can be obtained from here.
