From: Niels Provos <provos@citi.umich.edu>
To: freebsd-security@freebsd.org
Date: Thu, 1 Aug 2002 11:25:11 -0400
Subject: OpenSSH Security Advisory: Trojaned Distribution Files
Message-ID: <20020801152511.GJ6925@citi.citi.umich.edu>

OpenSSH Security Advisory (adv.trojan)

1. Systems affected:

   OpenSSH versions 3.2.2p1, 3.4p1 and 3.4 have been trojaned on the
   OpenBSD ftp server and potentially propagated via the normal mirroring
   process to other ftp servers. The code was inserted some time between
   the 30th and 31st of July. We replaced the trojaned files with their
   originals at 7AM MDT, August 1st.

2. Impact:

   Anyone who has installed OpenSSH from the OpenBSD ftp server or any
   mirror within that time frame should consider his system compromised.
   The trojan allows the attacker to gain control of the system as the
   user compiling the binary. Arbitrary commands can be executed.

3. Solution:

   Verify that you did not build a trojaned version of the sources. The
   portable SSH tarballs contain PGP signatures that should be verified
   before installation. You can also use the following MD5 checksums for
   verification.

   MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
   MD5 (openssh-3.4p1.tar.gz.sig) = d5a956263287e7fd261528bb1962f24c
   MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2
   MD5 (openssh-3.2.2p1.tar.gz) = 9d3e1e31e8d6cdbfa3036cb183aa4a01
   MD5 (openssh-3.2.2p1.tar.gz.sig) = be4f9ed8da1735efd770dc8fa2bb808a

4. Details:

   When building the OpenSSH binaries, the trojan resides in bf-test.c
   and causes code to execute which connects to a specified IP address.
   The destination port is normally used by the IRC protocol. A
   connection attempt is made once an hour. If the connection is
   successful, arbitrary commands may be executed.

   Three commands are understood by the backdoor:

   Command A: Kill the exploit.
   Command D: Execute a command.
   Command M: Go to sleep.

5. Notice:

   Because of the urgency of this issue, the advisory may not be complete.
   Updates will be posted to the OpenSSH web pages if necessary.
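The checksum check from section 3, written out as an added example (not part of the advisory): it compares a downloaded file's MD5 against the sums listed above, using md5sum or BSD md5 -q, whichever is on the path; the function names are mine.

```shell
#!/bin/sh
# Added example: check a downloaded OpenSSH tarball against the MD5 sums
# published in the advisory. Not part of the original advisory text.

# Expected sums, copied verbatim from section 3 of the advisory.
advisory_md5() {
    case "$1" in
        openssh-3.4p1.tar.gz)       echo 459c1d0262e939d6432f193c7a4ba8a8 ;;
        openssh-3.4p1.tar.gz.sig)   echo d5a956263287e7fd261528bb1962f24c ;;
        openssh-3.4.tgz)            echo 39659226ff5b0d16d0290b21f67c46f2 ;;
        openssh-3.2.2p1.tar.gz)     echo 9d3e1e31e8d6cdbfa3036cb183aa4a01 ;;
        openssh-3.2.2p1.tar.gz.sig) echo be4f9ed8da1735efd770dc8fa2bb808a ;;
        *) return 1 ;;   # file is not one the advisory lists
    esac
}

# Compute the MD5 of a file: md5sum (GNU/Linux) or md5 -q (BSD).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# check_tarball PATH -> exit 0 if the sum matches the advisory,
# 1 on mismatch, 2 if the base name is not one of the advisory's files.
check_tarball() {
    name=$(basename "$1")
    expected=$(advisory_md5 "$name") || {
        echo "$name: not listed in advisory, cannot verify" >&2
        return 2
    }
    actual=$(file_md5 "$1")
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK ($actual)"
        return 0
    fi
    echo "$name: MISMATCH expected $expected got $actual, do not build" >&2
    return 1
}
```

A matching sum only shows the file is the one the project republished; the PGP signature on the .sig file is the stronger check and should be verified as well.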