From: Mike Meyer
Date: Sat, 21 Jul 2001 18:03:01 -0500
To: "Chad R. Larson"
Cc: Chris Faulhaber, Tom, admin@kremilek.gyrec.cz, freebsd-stable@FreeBSD.ORG
Subject: Re: probably remote exploit
Message-ID: <15194.2597.335066.379263@guru.mired.org>

Chad R. Larson types:
> > The bottom line is that you need to do the
> > cvsup/buildworld/installworld with binaries that you trust. That
> > means either ones that were checksummed before the break-in, or ones
> > off a release cdrom.
> I still believe only the CVSup binary itself would have to be off a CD
> or match the checksum of a CD version (said checksum computed on some
> other machine, I suppose).

You may believe it, but the Thompson paper I referenced demonstrates that it isn't so.
He describes a compromised C compiler he built which did two things that it shouldn't have:

1) It added a back door to login, which allowed root access to the machine.
2) It added itself back to the C compiler if it wasn't already there.

So with that compromise in place, you do a cvsup and get clean sources. You recompile the compiler, and part two is triggered - your new compiler is compromised as well. You now recompile login with the "clean" compiler, and get a version with a back door in it.

Any build tool that is used in generating itself and some suid program could be compromised in this way. Which pretty much means to be safe, you need clean versions of all the build tools.

http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
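
A toy model of the two-part compromise described in the message above, added here as an illustration; it is not code from the message or from Thompson's paper. Strings stand in for sources and binaries, and every name in it is hypothetical. It shows that a rebuild from clean sources stays tampered unless the compiler doing the build came from trusted media, and that comparing digests against a trusted-toolchain build exposes the difference.

```python
import hashlib

# Constructed sample data: strings standing in for a clean CVSup checkout.
CLEAN_SRC = {
    "cc": "compiler: translate source faithfully",
    "login": "login: check password against master.passwd",
}

# Markers only (assumed labels, not real code) for the two behaviours.
BACKDOOR = " + accept hidden root password"
SELF_INSERT = " + re-insert tampering when building cc"


def honest_compile(name, source):
    """What the compiler source says to do: output depends on the input only."""
    return "bin(" + source + ")"


def tampered_compile(name, source):
    """Behaviour of a tampered compiler binary, as the message describes it."""
    out = honest_compile(name, source)
    if name == "login":
        out += BACKDOOR       # 1) back door added to login
    if name == "cc":
        out += SELF_INSERT    # 2) tampering carried into the rebuilt compiler
    return out


def run(cc_binary):
    """Map a compiler 'binary' string to the behaviour it has when executed."""
    return tampered_compile if SELF_INSERT in cc_binary else honest_compile


def buildworld(installed_cc):
    """Rebuild cc from clean source with the installed cc, then login with the new cc."""
    new_cc = installed_cc("cc", CLEAN_SRC["cc"])
    new_login = run(new_cc)("login", CLEAN_SRC["login"])
    return {"cc": new_cc, "login": new_login}


def differing(world_a, world_b):
    """Names whose SHA-256 digests differ between two builds of the same source."""
    def sha(binary):
        return hashlib.sha256(binary.encode()).hexdigest()
    return sorted(n for n in world_a if sha(world_a[n]) != sha(world_b[n]))


if __name__ == "__main__":
    trusted = buildworld(honest_compile)     # compiler taken from release media
    suspect = buildworld(tampered_compile)   # compiler left on the broken-into host
    print("differs from trusted build:", differing(trusted, suspect))
```

On a real system the digest comparison is only meaningful when the two builds are byte-for-byte reproducible.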