Sure, you can wonder, but when I break it down, it’s either highly unlikely or highly clumsy.
If I were to put a backdoor into this code, I’d want the following properties:
- tricky to spot in code review
- virtually undiscoverable via current best-of-breed fuzzing
- tricky to spot in network captures or any type of IDS
This bug passes #2 (unless you’ve got a state-aware network fuzzer and panic() in the right places), but fails on the other two.
But who knows, maybe this was a low-investment effort and it paid off for some time, with a trivial-to-exploit (i.e. no mem corruption) bug they knew would eventually be retired?