NASIRC BULLETIN #94-33
October 19, 1994

Trojan Horse in "ircII" IRC Client for UNIX

===========================================================
       NASA Automated Systems Incident Response Capability
===========================================================

NASIRC recently received information about a "Trojan horse" version of
release 2.2.9 of the "ircII" Internet Relay Chat (IRC) client for UNIX.
This Trojan horse provides a "back door" through which an intruder may
gain unauthorized system access. This vulnerability may date back as far
as May 1994.

There are other potential vulnerabilities/ramifications associated with
the use of IRC in general, especially for users of NASA systems. A NASIRC
white paper on Internet Relay Chat, which outlines these potential
security concerns, is included as an attachment to this bulletin.

SYSTEMS AFFECTED:

Any UNIX system running ircII 2.2.9 obtained since May 1994 may have this
vulnerability.

THE PROBLEM:

The source code for version 2.2.9 of the UNIX-based IRC client "ircII" may
be corrupted with a Trojan horse. Once compiled and installed, the trojaned
version of the program may provide remote users with unauthorized access to
the accounts of IRC users on the system.

The Trojan code takes advantage of the IRC client's built-in functions that
allow users to run shell commands. Using the Trojan, an intruder could use
this feature to issue commands in an account as if it were his own -- this
is especially dangerous if ircII is being run out of a privileged account
(e.g., root or bin).

THE FIX:

This vulnerability can be removed by replacing the Trojan horse version of
ircII with a "clean" version; NASIRC recommends replacing all older copies
of the ircII package with version 2.6.
To determine if your copy of ircII may include the Trojan code, issue the
following command:

    % strings /usr/local/bin/irc | egrep 'JUPE|GROK'

If either string (JUPE or GROK) is present in /usr/local/bin/irc, your copy
of ircII may include the Trojan code.

IMPORTANT NOTE: Even if your copy of ircII is clean, you should replace it
with the newest release (2.6), because there is no way to ensure that the
Trojan code (if it is present) has not been modified to use different
keywords. In addition, the software's maintainer has indicated that the new
release includes extra portability and numerous bug fixes.

Another way to check for potential Trojan code is to log into IRC and issue
the following command:

    /ctcp clientinfo

A string of text will be displayed; if "GROK" or "JUPE" appears in the
list, then that client most likely includes the Trojan code.

Because it is possible for users to install and run the IRC client in their
own directories, it is important that all users be made aware of this
vulnerability. In addition, system managers may want to use the "find"
command to search the entire directory tree for copies of ircII (an example
of this command is "find / -name 'irc*' -print").

NASIRC does not make any IRC clients available from its online archive, but
the ircII source code is available from numerous Anon FTP servers on the
Internet, including the following:

    sungear.mame.mu.oz.au:/pub/irc
    alpha.gnu.ai.mit.edu:/ircII        (2.6 not available as of 10/19/94)
    ftp.funet.fi:/pub/unix/irc/ircII
    coombs.anu.edu.au:/pub/irc/ircii

    File                   Size     MD5 Checksum
    --------------------   ------   --------------------------------
    ircii-2.6.tar.gz       366361   3FC5FBD18CB3E6C071F51FD8C6C59017
    ircii-2.6help.tar.gz   111733   D9D535B7A06BED2A2EA6676B20BDA481
    ircii-2.5to2.6-diff     19644   0C05C96B10CB87186BD921536AE3FDF2

NASIRC will continue to monitor this situation and will post additional
information should it become necessary. If you have any questions about
this bulletin, please contact NASIRC via any of the venues below.
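The following POSIX shell script is an added example, not part of the NASIRC bulletin; it automates the two checks the bulletin describes (the keyword search for the trigger strings in a compiled client or an unpacked source tree, and a comparison of a downloaded archive's MD5 against the published checksum). It assumes md5sum or md5 is installed; the KEYWORDS list and file names are the bulletin's, everything else is assumed.

```shell
#!/bin/sh
# Added example, not part of the NASIRC bulletin: automate the trigger
# keyword search and the MD5 checksum comparison the bulletin describes.

# Trigger keywords the bulletin names; extend the list as others are found.
KEYWORDS="JUPE GROK"

# scan_tree DIR: list every file under DIR containing any keyword, case-
# insensitively. grep -l also reports a compiled binary, so "strings" is
# not required. Returns 0 if nothing matched (clean), 1 if anything did.
scan_tree() {
    dir=$1
    total=0
    for kw in $KEYWORDS; do
        matches=$(find "$dir" -type f -exec grep -il "$kw" {} \; 2>/dev/null)
        if [ -n "$matches" ]; then
            printf 'suspect (contains %s):\n%s\n' "$kw" "$matches"
            total=$((total + 1))
        fi
    done
    [ "$total" -eq 0 ]
}

# verify_md5 FILE EXPECTED: compare FILE's MD5 with the published value,
# ignoring hex case. Uses md5sum (Linux) or md5 (BSD/macOS); one is assumed.
verify_md5() {
    file=$1
    expected=$2
    if command -v md5sum >/dev/null 2>&1; then
        actual=$(md5sum "$file" | cut -d' ' -f1)
    else
        actual=$(md5 -q "$file")
    fi
    [ "$(printf '%s' "$actual" | tr 'a-f' 'A-F')" = \
      "$(printf '%s' "$expected" | tr 'a-f' 'A-F')" ]
}

# Usage: sh check_ircii.sh SRC_TREE [TARBALL EXPECTED_MD5]
# e.g.:  sh check_ircii.sh ./ircii-2.6 ircii-2.6.tar.gz 3FC5FBD18CB3E6C071F51FD8C6C59017
if [ $# -ge 1 ]; then
    scan_tree "$1" && echo "no trigger keywords found under $1"
    if [ $# -ge 3 ]; then
        verify_md5 "$2" "$3" && echo "checksum matches: $2"
    fi
fi
```

A clean scan only proves the known keywords are absent; as the bulletin notes, a modified back door may use other words, so the checksum of a freshly obtained 2.6 archive is the stronger check.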
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
NASIRC ACKNOWLEDGES: NASIRC summer intern Allen Chen (of Cornell
University) for his extensive research of IRC and initial reporting of
this vulnerability.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

===============================================================
For further assistance, please contact the NASIRC Helpdesk:

    Phone:                   1-800-7-NASIRC
    Fax:                     1-301-441-1853
    Internet Email:          nasirc@nasa.gov
    24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
    STU III:                 1-301-982-5480
===============================================================

This bulletin may be forwarded without restriction to sites and system
administrators within the NASA community.

The NASIRC online archive is available via World Wide Web at the URL:

    http://nasirc.hq.nasa.gov/NASIRC_home.html

The NASIRC online archive system is also available via anonymous ftp. You
will be required to enter your valid e-mail address as the "password".
Once on the system, you can access the following information:

    ~/bulletins     ! contains NASIRC bulletins
    ~/information   ! contains various informational files
    ~/toolkits      ! contains automated toolkit software

The contents of these directories are updated on a continuous basis with
relevant software and information; contact the NASIRC Helpdesk for more
information or assistance.

-----------------
PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact your
agency's response team to report incidents. Your agency's team will
coordinate with NASIRC, who will ensure the proper internal NASA team(s)
are notified. NASIRC is a member of the Forum of Incident Response and
Security Teams (FIRST), a world-wide organization which provides for
coordination between incident response teams in handling
computer-security-related issues.
You can obtain a list of FIRST member organizations and their
constituencies by sending email to docserver@first.org with an empty
"subject" line and a message body containing the line "send
first-contacts".

Draft Advisory: Internet Relay Chat (IRC)
August 1994

_________________________________________________________________________
              NASA Automated Systems Incident Response Capability
_________________________________________________________________________

This advisory covers the following topics:

    o What is IRC?
    o What are some potential problems of running an IRC client?
    o What can be done to minimize risk in using IRC?
    o Closing comments

=========================================================================

What is IRC?
------------

Internet Relay Chat (IRC) is an Internet-wide service that allows many
users to "chat" interactively by simply typing messages. Chatting takes
place in "channels"; each channel has a different topic of discussion and
a different set of IRC users. There are usually around 1500 channels and
2500 users active at any given time, and new channels can be created by
any user at any time.

An IRC client is a program that users run on their local machine that
allows them to chat with other people on the network who are running IRC
client programs. You can think of it as "telnet" with a specialized user
interface. IRC clients connect to networked IRC servers.
Messages from an IRC client pass from server to server and are delivered
to the appropriate parties.

The most common IRC client for UNIX systems is "ircII". To the basic user,
it provides a simple way to send and receive messages interactively; to
the advanced user, it is an operating system with its own complex
scripting language.

Although IRC is primarily used for recreation, with channels ranging from
#poker to #hotsex, there are a few channels (e.g., #unix) which support
what could be considered legitimate work-related activities. In addition,
IRC could conceivably be used to hold meetings between different NASA
centers; however, other software specifically designed for such a purpose
is already in widespread use.

What are some potential problems of running an IRC client?
----------------------------------------------------------

IRC's large number of computer-illiterate users provides an attractive
target to malicious hackers looking for prey. IRCII's flexibility and
programmability give them a powerful tool in their activities. Some
hackers have released "all-purpose" scripts which allow the user to do a
wide variety of things. Most of the script features are useful, but the
real danger lies in the fact that some of these scripts have been modified
and re-released with backdoors that can make a system vulnerable to
unauthorized access.

The following is a list of IRC's potential security abuses/vulnerabilities:

    o Hackers have modified client sources or scripts to leave backdoors
      that can give them remote access to systems using the modified
      clients.

    o IRC novices seeking help may be convinced to issue harmful commands.
      A common tactic is to trick the user into downloading a new '.rhosts'
      file which would allow the hacker complete access to the user's
      account.

    o Systems can be "spoofed" so that the true source of a message cannot
      be determined.
    o It is possible, either by a remote user embedding commands in a
      message or simply through bugs in the software, for an IRC client to
      generate control codes that can make the screen impossible to read
      (this is sometimes referred to as a "flash"). A reboot may be
      required to return the screen to normal.

    o Hackers can modify publicly-available IRC server code and use it to
      start a server on which they have "IRC Operator" status, which would
      grant them full access to any active channel. As a result, no channel
      can ever be assumed to be private.

    o Hackers can forcibly disconnect some users or flood them with
      messages (referred to as "denial of service" attacks).

    o Use of IRC often makes userids and machine names available to anyone
      else on the network who is using IRC, providing hackers with useful
      information for future attacks. Because there are usually a very
      small number of IRC users originating from NASA systems, they tend
      to "stand out from the crowd", thus increasing the potential for such
      an attack.

What can be done to minimize risk in using IRC?
-----------------------------------------------

NASIRC suggests that sites utilizing IRC exercise caution. Although the
risks cannot be completely eliminated, they can be minimized through use
of a "bare bones" client that lacks the extra (optional) functionality of
clients like IRCII; the more functions in the client, the more tools there
are for an attacker to exploit. Most users only need the capability to
send and receive messages. One such basic client is "tinyirc"; it has the
basic functionality needed for IRC, but has a very short source code that
makes it easier to detect tampering.

In addition, IRC clients should only be run on non-production systems
(those that are not used for vital purposes); some public-access clients
can be run by simply opening a 'telnet' session to a certain address.
(See Appendix A for a listing of addresses.)
If you must run an IRC client on your system, the following actions will
help to further minimize your risks:

    o Acquire the client's source code from a known reliable site and
      compile it yourself. Some sites offer "automagic" installation of
      IRC clients by simply using 'telnet' to a specific address; these
      have been known to carry infected source code.

    o Check the source code for "back doors" to your system (this can be
      complicated because there are many possible ways one could be
      written). Many of the recent backdoors have been written to activate
      upon being issued a specific command or keyword; "JUPE" and "GROK"
      have been identified as commonly used keywords. Try searching for
      these keywords in the IRC client source code by issuing the
      following commands (you must be in the same directory where the
      source code resides):

          find . -exec grep -i JUPE /dev/null {} \;
          find . -exec grep -i GROK /dev/null {} \;

      (The /dev/null argument makes grep print the name of each matching
      file along with the matching line.) If either command gives any
      output (particularly from the "ctcp.c" file), then the source code
      may have the backdoor. Note, however, that the back doors can be
      easily modified to activate on words other than "JUPE" or "GROK".

      If you already have a compiled version of IRC, try searching the
      executable for the keywords by issuing the commands:

          strings irc | grep -i JUPE
          strings irc | grep -i GROK

    o Use only scripts you are familiar with. Carefully check any code you
      are not familiar with before using it.

    o Issue only commands you understand. Research any commands that are
      unfamiliar or which you do not understand, especially if they were
      suggested by someone you do not know.

Closing Comments
----------------

Because of its social nature, IRC attracts all types of people. Malicious
hackers and other members of the computer underground are always there.
In addition, IRC can be counterproductive and sometimes extremely
addictive; there was a recent case of a college student breaking into a
computer lab just so he could use IRC.
IRC is primarily an interactive medium that thrives on the presence of
other users. Many other services such as USEnet news, E-Mail, and FTP
provide a much more effective means of communicating and sharing ideas.

IRC does have many potentially legitimate uses. It can be a place to
quickly exchange information and ideas about work, science, and technology
in real time. However, its potential problems may not be worth the risk.

APPENDIX A: Listing of IRC "telnet" clients
-------------------------------------------

This list is taken directly from the UnderNet IRC FAQ version 3.0.0,
section 1-3. To use these 'telnet' clients, simply telnet to the given
address and follow the printed instructions. Note that these clients often
have a tight restriction on the maximum number of users allowed and are
also slower than running a client locally.

    wildcat.ecn.uoknor.edu 6677        or 129.15.22.174 6677
    sci.dixie.edu 6677                 or 144.38.16.2 6677
    caen.fr.edu.undernet.org 6677      or 192.93.101.16 6677
    obelix.wu-wien.ac.at 6677          or 137.208.8.6 6677
        (obelix also runs on ports 7766, 6969 and 6996)
    hyper.ham.muohio.edu (login: irc)     (134.53.16.217)