assist.1999-0002.tcp_wrappers_trojan

Posted Sep 23, 1999

SHA-256 | fb02a270c4570187f18f405d23ae0baaff9f15f8f885383d0bb9a582352a6dd3

From owner-csa@sprocket.nosc.MIL Sat Feb 27 14:42:44 1999
From: owner-csa@sprocket.nosc.MIL
To: CSA-List@sprocket.nosc.MIL
Date: Thu, 28 Jan 1999 08:04:33 -0500
Subject: IAVA 1999-0002 TCP Wrappers Trojan Vulnerability

Automated Systems Security Incident Support Team (ASSIST)

Advisory 1999-0002

Release date: 21 Jan 1999
Revised date: 22 Jan 1999

TOPIC: TCP Wrappers Trojan

DESCRIPTION: ASSIST has been notified that the primary distribution
site for TCP Wrappers v7.6 (Netherlands) was recently compromised. This
particular site is used to propagate copies to numerous mirror sites
all over the world.

The distribution files were modified to include a trojan payload. This
code will allow a remote intruder to gain root access to any system
with an installed copy.

TCP Wrappers is one of the most recommended security tools on the
net. Its use is still recommended, but sites should always check
the attached PGP signature to verify the software is valid.

PLATFORM: Any system with a recent installation of TCP Wrappers
(primarily UNIX systems)

IMPACT: An intruder could exploit the trojan to gain unrestricted access
to a system.

SOLUTION: Verify that your systems have not recently installed a copy
of TCP Wrappers. If you have recently installed TCP Wrappers (since
19 January 1999), then perform the following checks:

1. The distribution file's (.tar.gz) correct length is 99438 bytes. The
modified file's length is 99186 bytes.

2. Verify the MD5 signature of the package (tcp_wrappers_7.6.tar.gz):

compromised package: af7f76fb9960a95a1341c1777b48f1df
correct package: e6fa25f71226d090f34de3f6b122fb5a

** Check 2 is a replacement for the port check. The trojan code does NOT
open port 421. It does allow privileged access to any wrapped service
when the client originates from source port 421.

3. Look in the TCP Wrappers source code for the following added line:

grep "/bin/csh" tcpd.c

4. Review the binary code for the following signature:

strings tcpd |grep csh


Any output should cause concern.
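
Added example (not part of the original ASSIST advisory): checks 1
through 4 above combined into one shell script. The sizes, MD5 values
and search strings are the ones given in the advisory; the function
names, return codes and script name are assumptions of this example.

```shell
#!/bin/sh
# Added example: sizes, digests and search strings come from the advisory;
# function names and return codes are assumptions of this example.
GOOD_SIZE=99438; BAD_SIZE=99186
GOOD_MD5=e6fa25f71226d090f34de3f6b122fb5a
BAD_MD5=af7f76fb9960a95a1341c1777b48f1df

md5_of() {  # print the hex MD5 of $1 (md5sum on Linux, md5 -q on BSD)
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# Checks 1 and 2. Returns 0 = matches the correct package,
# 1 = matches a compromised indicator, 2 = matches neither.
check_tarball() {
    size=$(wc -c < "$1" | tr -d ' ')
    sum=$(md5_of "$1")
    if [ "$sum" = "$BAD_MD5" ] || [ "$size" -eq "$BAD_SIZE" ]; then
        echo "COMPROMISED: $1 size=$size md5=$sum"; return 1
    elif [ "$sum" = "$GOOD_MD5" ] && [ "$size" -eq "$GOOD_SIZE" ]; then
        echo "OK: $1"; return 0
    fi
    echo "UNKNOWN: $1 size=$size md5=$sum"; return 2
}

# Check 3: print any /bin/csh line in tcpd.c; returns 1 on a hit.
check_source() { if grep -n "/bin/csh" "$1"; then return 1; fi; }

# Check 4: printable strings in the tcpd binary containing "csh".
check_binary() {
    if command -v strings >/dev/null 2>&1; then
        hits=$(strings "$1" | grep csh || true)
    else
        hits=$(grep -a csh "$1" || true)  # fallback when strings is absent
    fi
    if [ -n "$hits" ]; then echo "$hits"; return 1; fi
    return 0
}

# Usage (script name is hypothetical):
#   sh check_tcpw.sh tcp_wrappers_7.6.tar.gz [tcpd.c] [tcpd]
if [ "$#" -ge 1 ]; then
    rc=0
    check_tarball "$1" || rc=1
    if [ -n "${2:-}" ]; then check_source "$2" || rc=1; fi
    if [ -n "${3:-}" ]; then check_binary "$3" || rc=1; fi
    exit "$rc"
fi
```

A tarball that matches neither set of values is reported as UNKNOWN
rather than OK, and the PGP signature check recommended above remains
the authoritative test of a distribution file.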


If you believe that you have installed a trojan version of TCP
Wrappers, please contact your respective CERT immediately.

Legitimate copies of the software can be obtained from the ASSIST FTP
server:
ftp://ftp.assist.mil/pub/tools/tcp_wrappers


___________________________
ASSIST CONTACT INFORMATION:

NIPRNET E-mail: assist@assist.mil
SIPRNET E-mail: assist@assist.disa.smil.mil
Phone: (800)-357-4231 (DSN 327-4700) 24 hour hotline
Fax: (703) 607-4735 (DSN 327-4735) Unclassified

ASSIST Bulletins, tools and other security related information are
available from:
http://www.assist.mil/
http://www.assist.disa.smil.mil
ftp://ftp.assist.mil/

____
OTHER DoD CERT CONTACT INFORMATION:
Air Force CERT Phone: (800) 854-0187
Air Force CERT Email: afcert@afcert.csap.af.mil

Navy CIRT Phone: (800) 628-8893
Navy CIRT Email: navcirt@fiwc.navy.mil

Army CERT Phone: (888) 203-6332
Army CERT Email: acert@vulcan.belvoir.army.mil


Back issues of ASSIST bulletins, and other security related
information, are available through anonymous FTP from ftp.assist.mil
(IP address 199.211.123.12). Note: ftp.assist.mil will only accept
anonymous FTP connections from NIPRNET addresses that are registered
with the NIC or DNS. If your system is not registered, you must
provide your NIPRNET IP address to ASSIST before access can be
provided.

ASSIST uses Pretty Good Privacy (PGP) as the digital signature
mechanism for bulletins. PGP incorporates the RSAREF(tm)
Cryptographic Toolkit under license from RSA Data Security, Inc. A
copy of that license is available via anonymous FTP from
net-dist.mit.edu (IP 18.72.0.3) in the file /pub/PGP/rsalicen.txt. In
accordance with the terms of that license, PGP may be used for
non-commercial purposes only. Instructions for downloading the PGP
software can also be obtained from net-dist.mit.edu in the
pub/PGP/README file. PGP and RSAREF may be subject to the export
control laws of the United States of America as implemented by the
United States Department of State Office of Defense Trade Controls.
The PGP signature information will be attached to the end of ASSIST
bulletins.

Reference herein to any specific commercial product, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
constitute or imply its endorsement, recommendation, or favoring by
ASSIST. The views and opinions of authors expressed herein shall not
be used for advertising or product endorsement purposes.


