-----BEGIN PRIVACY-ENHANCED MESSAGE----- Proc-Type: 4,MIC-CLEAR Content-Domain: RFC822 Originator-Certificate: MIICqjCCAhMCARAwDQYJKoZIhvcNAQECBQAwgYYxC zAJBgNVBAYTAlVTMSswKQYDVQQKEyJEZWZlbnNlIEluZm9ybWF0aW9uIFN5c3Rlb XMgQWdlbmN5MTAwLgYDVQQLEydDZW50ZXIgZm9yIEluZm9ybWF0aW9uIFN5c3Rlb XMgU2VjdXJpdHkxGDAWBgNVBAsTD0NvdW50ZXJtZWFzdXJlczAeFw05MzEyMDkxM zAwNDRaFw05NTEyMDkxMzAwNDRaMIG4MQswCQYDVQQGEwJVUzErMCkGA1UEChMiR GVmZW5zZSBJbmZvcm1hdGlvbiBTeXN0ZW1zIEFnZW5jeTEwMC4GA1UECxMnQ2Vud GVyIGZvciBJbmZvcm1hdGlvbiBTeXN0ZW1zIFNlY3VyaXR5MRgwFgYDVQQLEw9Db 3VudGVybWVhc3VyZXMxEzARBgNVBAsTCk9wZXJhdGlvbnMxGzAZBgNVBAMTEktlb m5ldGggUi4gdmFuIFd5azCBmjAKBgRVCAEBAgIEAAOBiwAwgYcCgYEA87an/VaSD dGo6vyWxeuYagddw7CFtKmrgvExfmcie7QUd7Nd63b31AK6tBeu4LLTsaKXR8d9O yzu+MWQFPS0QkfAa501U3AhSGmdJK8I1sIyGHnIXtiDI6dWDR7d/kFfFCFi1Skbv b5wQzZzwSg5xGJgZLunVwtKkP2dxV8hC+cCAQMwDQYJKoZIhvcNAQECBQADgYEAG B808ZN0Egrl+/A7tXicIVtm9OEMsWVc+P36oh9Ql/IZHc0C5tt4ZrXyeWSXIKlnR cEIHkJqXlBs3/THCZzZqFCJG1rki7kxKNrmmqB2+/bnfK2ZUBjVnW3cHeoEnv/VI MaNWjcrdc+DQpP8pXojfTvxnTuawSOSvyhs13RUC0s= Issuer-Certificate: MIICNTCCAZ4CASIwDQYJKoZIhvcNAQECBQAwRDELMAkGA 1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZm9ybWF0a W9uIFN5c3RlbXMgUENBMB4XDTk0MDIyNTE0NDkxMloXDTk0MDMwNzE0NDkxMlowg YYxCzAJBgNVBAYTAlVTMSswKQYDVQQKEyJEZWZlbnNlIEluZm9ybWF0aW9uIFN5c 3RlbXMgQWdlbmN5MTAwLgYDVQQLEydDZW50ZXIgZm9yIEluZm9ybWF0aW9uIFN5c 3RlbXMgU2VjdXJpdHkxGDAWBgNVBAsTD0NvdW50ZXJtZWFzdXJlczCBmjAKBgRVC AEBAgIEAAOBiwAwgYcCgYEA19l6BN7iTGYEU61qJETIjBh3iAeHzoL8sZ5KwFRZD S/a1KnYlD1zJHR/KeQCOBWW2HzX43TFLCNGU7UD9i6m8AymLe5IJf/bGh0Rne7Jd Q1GAOLw7/J4hE57IMbGETZpzeU1D9IYxiERRNio/oa422lUlS9JZHLA5jaPNcUrX P8CAQMwDQYJKoZIhvcNAQECBQADgYEApkliqAdudoOxvOFmQkOZbSgtlpn61VcNC R7azDNJa2ulevaebptwSTs2OvMeuR/J0Ez4TC7XrJXLVjI5huRAqc+EWGRpZYRMa CARZyE7gGYjUqS7DIQazfskeWiB8zheyW5tCVn+jnB09AZXtgbM6qRjyqrmSdCpg CtfgazIKqI= Issuer-Certificate: MIIB8jCCAVsCAQEwDQYJKoZIhvcNAQECBQAwRDELMAkGA 1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZm9ybWF0a W9uIFN5c3RlbXMgUENBMB4XDTkzMDUyODE3MTEyN1oXDTk1MDUyODE3MTEyN1owR DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZ m9ybWF0aW9uIFN5c3RlbXMgUENBMIGaMAoGBFUIAQECAgQAA4GLADCBhwKBgQDbL xaRlS3u54yyRgVDI5dcE9nlasL8fJqOGlyo7xH2FZnr3kUfsFj7OGiYsr6UbvqwK nyfMIRUrXDUa64leGmft3SK27psDUHOynRSCc40d/HrDf810U5tnTamBKUIMqivK 4GoL0tMRA1eX6hALAvLLgK1HbnwZAo6GqQGW8CIJQIBAzANBgkqhkiG9w0BAQIFA AOBgQDBp5aC6oV6IuFi8JCctq57bew604HHNllgjjp7zdXafq6jctRg2g91k/yFW h19bJC/tNrb0WVwuZOs5L/FToPMNIIHzaW/YSROBmyhTDYaKHZGj0P1+iNjMbHt9 dm1QEHGIfKgBwFidItnOa74DfkXdijlPRnr/+E2Ib6PM+hEfQ== MIC-Info: RSA-MD5,RSA,tIUJ09RW060QKJAeZml6DUW5LgzbbfPiGBhY4GEQWTD Nk5QnOp8FXBU0QJGHDyeBrI82Q8XgWQ1sIPpLA82XmPAXOkdcab89bDZY18pCTJW zzkFo+NB7liEko61mcls4caZJZAmxBfeq6qZ1ipMF4lPK33fFxDoW6SVWXX5Rebc = <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Automated Systems Security Incident Support Team _____ ___ ___ _____ ___ _____ | / /\ / \ / \ | / \ | | / Integritas / \ \___ \___ | \___ | | < et /____\ \ \ | \ | | \ Celeritas / \ \___/ \___/ __|__ \___/ | |_____\ <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Bulletin 94-33 Release date: 03 November 1994, 07:00 AM EST (GMT -5) SUBJECT: IRCII version 2.2.9 vulnerability. SUMMARY: This bulletin contains information concerning a vulnerability in the ircII code. The Automated Systems Security Incident Support Team (ASSIST) has learned of a Trojan horse in some copies of ircII version 2.2.9, the UNIX source code for the Internet Relay Chat (IRC) client. BACKGROUND: Reports received thus far indicate that the corrupt code was available as early as May 1994. The Trojan horse provides a back door through which intruders can gain unauthorized access to accounts of IRC users. Intruders are actively exploiting this back door. If your command obtained ircII 2.2.9 from any site in May or later, you may be vulnerable. IMPACT: Remote users can gain unauthorized access to any account running the IRC client. This includes system accounts that may be running the IRC client. RECOMMENDED SOLUTION: ASSIST recommends that the system administrator try to determine whether copies of ircII contains the Trojan horse. ASSIST also recommends that a search on the IRC client be performed to find the strings JUPE or GROK. For example, % strings /usr/local/bin/irc | grep 'JUPE|GROK' To search for a regular expression, use egrep rather than grep: % strings /usr/local/bin/irc | egrep 'JUPE|GROK' (Note: It is noted that the paths cited herein are absolute and the user is reminded that the location of irc and the associated path may be different from that used with the examples above. It is possible that a system could have irc in many locations and accounts.) If the strings JUPE or GROK are present in the IRC client, the source code may contain the Trojan horse. Keep in mind, however, that back doors can easily be changed to respond to other words, therefore, a vulnerability may exist even if the JUPE or GROK strings are not found. Even if it is believed that the IRC source code is clean, system administrators are urged to install ircII version 2.6, the most recent version of IRC. Also, the maintainer of the code reports that version 2.6 contains many bug fixes and extra portability. IRC source code is available by anonymous FTP from many locations, including the following: sungear.mame.mu.oz.au:/pub/irc alpha.gnu.ai.mit.edu:/ircII ftp.funet.fi:/pub/unix/irc/ircII coombs.anu.edu.au:/pub/irc/ircii File Size MD5 Checksum -------- ------ ----------------------------- ircii-2.6.tar.gz 366361 3FC5FBD18CB3E6C071F51FD8C6C59017 ircii-2.6help.tar.gz 111733 D9D535B7A06BED2A2EA6676B20BDA481 ircii-2.5to2.6-diff 19644 0C05C96B10CB87186BD921536AE3FDF2 ASSIST would like to thank the CERT Coordination Center for the information contained within this bulletin. <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ASSIST is an element of the Defense Information Systems Agency (DISA), Center for Information Systems Security (CISS), that provides service to the entire DoD community. Constituents of the DoD with questions about ASSIST or computer security security issues, can contact ASSIST using one of the methods listed below. Non-DoD organizations/institutions, contact the Forum of Incident Response and Security Teams (FIRST) (FIRST) representative. To obtain a list of FIRST member erganizations and their constituencies send an email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts". ASSIST Information Resources: To be included in the distribution list for the ASSIST bulletins, send your Milnet (Internet) e-mail address to assist-request@assist.mil. Back issues of ASSIST bulletins, and other security related information, are available from the ASSIST BBS at 703-756-7993/1154 DSN 289-7993/1154, and through anonymous FTP from assist.mil (IP address 199.211.123.11). Note: assist.mil will only accept anonymous FTP connections from Milnet addresses that are registered with the NIC or DNS. ASSIST Contact Information: PHONE: 800-357-4231 (or 703-756-7974 DSN 289), duty hours are 06:00 to 22:30 EST (GMT -5) Monday through Friday. During off duty hours, weekends and holidays, ASSIST can be reached via pager at 800-791- 4857. The page will be answered within 30 minutes, however if a quicker response is required, prefix the phone number with "999". ELECTRONIC MAIL: Send to assist@assist.mil. ASSIST BBS: Leave a message for the "sysop". Privacy Enhanced Mail (PEM): ASSIST uses PEM, a public key encryption tool, to digitally sign all bulletins that are distributed through e-mail. The section of seemingly random characters between the "BEGIN PRIVACY-ENHANCED MESSAGE" and "BEGIN ASSIST BULLETIN" contains machine-readable digital signature information generated by PEM, not corrupted data. PEM software for UNIX systems is available from Trusted Information Systems (TIS) at no cost, and can be obtained via anonymous FTP from ftp.tis.com (IP 192.94.214.96). Note: The TIS software is just one of several implementations of PEM currently available and additional versions are likely to be offered from other sources in the near future. Reference herein to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by ASSIST. The views and opinions of authors expressed herein shall not be used for advertising or product endorsement purposes. -----END PRIVACY-ENHANCED MESSAGE-----