**************************************************************************
Security Bulletin 9425                 DISA Defense Communications System
October 28, 1944            Published by: DDN Security Coordination Center
                                      (SCC@NIC.DDN.MIL)   1-(800) 365-3642

                        DEFENSE  DATA  NETWORK
                          SECURITY  BULLETIN

  The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
  Coordination Center) under DISA contract as a means of communicating
  information on network and host security exposures, fixes, and concerns
  to security and management personnel at DDN facilities.  Back issues may
  be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5]
  using login="anonymous" and password="guest".  The bulletin pathname is
  scc/ddn-security-yynn (where "yy" is the year the bulletin is issued
  and "nn" is a bulletin number, e.g. scc/ddn-security-9302).
**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!     The following important  advisory was  issued by the Computer     !
!     Emergency Response Team (CERT)  and is being relayed unedited     !
!     via the Defense Information Systems Agency's Security             !
!     Coordination Center  distribution  system  as a  means  of        !
!     providing  DDN subscribers with useful security information.      !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

=============================================================================

 CA-94:14                         CERT Advisory
                                 October 19, 1994
                       Trojan Horse in IRC Client for UNIX
 -----------------------------------------------------------------------------
 
 The CERT Coordination Center has learned of a Trojan horse in some copies of
 ircII version 2.2.9, the source code for the Internet Relay Chat (IRC) client
 for UNIX systems. Reports we have received thus far indicate that the corrupt
 code was available as early as May 1994. The Trojan horse provides a back door
 through which intruders can gain unauthorized access to accounts of IRC users.
 Intruders are actively exploiting this back door.  If you obtained ircII 2.2.9
 from any site in May or later, you may be vulnerable.
 
 Because it is unknown how far the corrupt version of the IRC client has
 propagated and because intruders may have corrupted other versions, the CERT
 staff recommends obtaining and installing ircII version 2.6. 
 
 Because no special privileges are needed to install and run the IRC source
 code, any user on your system may have installed the corrupt code.  Thus, we
 also recommend that you inform your users of this potential problem and its
 solution.
 
 As we receive additional information relating to this advisory, we will place
 it, along with any clarifications, in a CA-94:14.README file. CERT advisories
 and their associated README files are available by anonymous FTP from
 info.cert.org. We encourage you to check the README files regularly for
 updates on advisories that relate to your site.
 
 -----------------------------------------------------------------------------
 
 I.   Description
 
      A Trojan horse was found in some copies of the source code for
      the Internet Relay Chat client for UNIX systems, ircII version
      2.2.9.  Intruders are actively exploiting this Trojan horse.
 
      The Trojan horse creates a back door and enables intruders to
      gain unauthorized access to accounts of IRC users. If IRC is run
      from a system account, such as root or bin, the Trojan horse
      enables intruders to gain unauthorized access to the system
      account.  In addition, because it is possible to compile,
      install, and run IRC source code without special privileges, any
      user on your system may have installed corrupt code.
 
      The source code containing the Trojan horse was available from
      many FTP sites as early as May 1994 (at this time, we do not have
      a specific date).
 
 II.  Impact
 
      Remote users can gain unauthorized access to any account running
      the IRC client, including a system account if it is running IRC.
 
 III. Solution
 
      If you want to try to determine whether your copy of ircII contains the
      Trojan horse, perform a search on the IRC client to find the strings JUPE
      or GROK. For example,
 
         % strings /usr/local/bin/irc | grep 'JUPE|GROK'
 
      If the strings JUPE or GROK are present in the IRC client, your source
      code may contain the Trojan horse. Keep in mind, however, that back doors
      can easily be changed to respond to other words, so you may be vulnerable
      even if you do not find JUPE or GROK.
 
      Thus, even if you believe that your IRC source code is clean, we urge you
      to install ircII version 2.6, the most recent version of IRC. Also,
      the maintainer of the code reports that version 2.6 contains many bug
      fixes and extra portability. 
 
      IRC source code is available by anonymous FTP from many locations,
      including the following:
 
         sungear.mame.mu.oz.au:/pub/irc
         alpha.gnu.ai.mit.edu:/ircII (2.6 not available as of 10/19/94)
         ftp.funet.fi:/pub/unix/irc/ircII
         coombs.anu.edu.au:/pub/irc/ircii
 
         File                  Size     MD5 Checksum
         --------              ------   -----------------------------
         ircii-2.6.tar.gz      366361   3FC5FBD18CB3E6C071F51FD8C6C59017
         ircii-2.6help.tar.gz  111733   D9D535B7A06BED2A2EA6676B20BDA481
         ircii-2.5to2.6-diff   19644    0C05C96B10CB87186BD921536AE3FDF2
        
 IV.  Informing Users
 
      Because users may have installed IRC source code on their own, we
      recommend informing all your users about the Trojan horse and the new
      version of IRC.
 
      In addition, you may want to find any user-installed copies of IRC that
      may be vulnerable. If so, you could use the find command to locate these
      binaries. As an example, the following command will enable you to find
      all files named "irc" in a subdirectory of /usr/users:
       
         % find /usr/users -name irc -type f -print
 
 ---------------------------------------------------------------------------
 The CERT Coordination Center wishes to thank Matthew Green for his 
 assistance with this advisory.
 ---------------------------------------------------------------------------
 If you believe that your system has been compromised, contact the CERT
 Coordination Center or your representative in Forum of Incident
 Response and Security Teams (FIRST).
 
 If you wish to send sensitive incident or vulnerability information to
 CERT via electronic mail, CERT strongly advises that the e-mail be
 encrypted.  CERT can support a shared DES key, PGP (public key
 available via anonymous FTP on info.cert.org), or PEM (contact CERT
 for details).
 
 Internet E-mail: cert@cert.org
 Telephone: 412-268-7090 (24-hour hotline)
            CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
            and are on call for emergencies during other hours.
 
 CERT Coordination Center
 Software Engineering Institute
 Carnegie Mellon University
 Pittsburgh, PA 15213-3890
 USA
 
 Past advisories, information about FIRST representatives, and other
 information related to computer security are available for anonymous
 FTP from info.cert.org.