oss-sec mailing list archives

Re: vsftpd download backdoored


From: HD Moore <hdm () digitaloffense net>
Date: Mon, 04 Jul 2011 22:31:07 -0500

On 7/4/2011 9:26 PM, Solar Designer wrote:
> On Tue, Jul 05, 2011 at 10:09:32AM +0800, Eugene Teo wrote:
>> I did not verify.
>>
>> (09:55:37 AM) hdmoore: The timestamp on vsftpd-2.3.4.tar.gz
>> http://bit.ly/j4VC5y indicates that the backdoor was present from Feb
>> 15th -> July 3rd (via mc)
>
> Looks unrealistic to me.  Feb 15 is when 2.3.4 was released by Chris.
> A copy I downloaded has mtime Feb 15 (preserved from the official
> download site) and ctime Mar 2 (when I downloaded it).  It passes the
> GPG signature check and lacks the backdoor.
>
> Additionally, searching for the SHA-256 digest that Chris posted reveals
> only copies of his announcement of the incident and news stories about
> it.  No hits for any distro's filelists, etc.  I wish we had MD5 and
> SHA-1 to also search for, though.  I don't have a copy of the backdoored
> vsftpd tarball to compute those, but we can ask Chris for them.
>
> My gut feeling is that the backdoored tarball has been on the site for
> 1 to 3 days.  But I could be wrong.

Thanks for the CC. As a guess as to what happened: was this particular
mirror compromised and the original tarball modified (along with its
mtime) to match the original Feb 15th date?

Does anyone have a "we noticed it first" flag that is before July 3rd?

Debian (and most other repos) store the SHA-256/SHA-1/MD5 of each
source package, so a Feb 15 date does seem incredible, but so does the
complete pwnage of a non-official mirror with the original mtime at the
same moment as an official dist server compromise. A nightly rsync would
account for this, but we would need to know more about the mirror
structure from Chris.

I am happy to correct the Metasploit module if new facts arrive; thank
you to everyone who spends their free time dealing with this crap.

-HD

