[TriLUG] Fwd: OpenSSH Security Advisory: Trojaned Distribution Files
Mike Johnson
mike at enoch.org
Thu Aug 1 11:58:33 EDT 2002
In case anyone missed this...
Mike
----- Forwarded message from Niels Provos <provos at citi.umich.edu> -----
> Date: Thu, 1 Aug 2002 11:23:27 -0400
> From: Niels Provos <provos at citi.umich.edu>
> Mail-Followup-To: openssh-unix-dev at mindrot.org
> To: openssh-unix-dev at mindrot.org
> Subject: OpenSSH Security Advisory: Trojaned Distribution Files
>
> OpenSSH Security Advisory (adv.trojan)
>
> 1. Systems affected:
>
> OpenSSH versions 3.2.2p1, 3.4p1 and 3.4 have been trojaned on the
> OpenBSD ftp server and potentially propagated via the normal mirroring
> process to other ftp servers. The code was inserted some time between
> the 30th and 31st of July. We replaced the trojaned files with their
> originals at 7AM MDT, August 1st.
>
> 2. Impact:
>
> Anyone who has installed OpenSSH from the OpenBSD ftp server or any
> mirror within that time frame should consider his system compromised.
> The trojan allows the attacker to gain control of the system as the
> user compiling the binary. Arbitrary commands can be executed.
>
> 3. Solution:
>
> Verify that you did not build a trojaned version of the sources. The
> portable SSH tar balls contain PGP signatures that should be verified
> before installation. You can also use the following MD5 checksums for
> verification.
>
> MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
> MD5 (openssh-3.4p1.tar.gz.sig) = d5a956263287e7fd261528bb1962f24c
> MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2
> MD5 (openssh-3.2.2p1.tar.gz) = 9d3e1e31e8d6cdbfa3036cb183aa4a01
> MD5 (openssh-3.2.2p1.tar.gz.sig) = be4f9ed8da1735efd770dc8fa2bb808a
>
> 4. Details
>
> When building the OpenSSH binaries, the trojan resides in bf-test.c
> and causes code to execute which connects to a specified IP address.
> The destination port is normally used by the IRC protocol. A
> connection attempt is made once an hour. If the connection is
> successful, arbitrary commands may be executed.
>
> Three commands are understood by the backdoor:
>
> Command A: Kill the exploit.
> Command D: Execute a command.
> Command M: Go to sleep.
>
> 5. Notice:
>
> Because of the urgency of this issue, the advisory may not be
> complete. Updates will be posted to the OpenSSH web pages if
> necessary.
----- End forwarded message -----
--
"Let the power of Ponch compel you! Let the power of Ponch compel you!"
-- Zorak on Space Ghost
GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
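Added example (not part of the advisory or of OpenSSH): a Python script that checks downloaded files against the MD5 values in section 3 of the forwarded advisory, parsing the BSD-style `MD5 (file) = digest` lines as they appear in the quoted mail. The function names are this example's own. A match only shows that a file equals the one the advisory lists; the PGP signature check the advisory mentions is the stronger test.

```python
import hashlib
import hmac
import re
import sys
from pathlib import Path

# Checksum lines copied from section 3 of the advisory (BSD md5(1) output format).
ADVISORY_MD5 = """\
> MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
> MD5 (openssh-3.4p1.tar.gz.sig) = d5a956263287e7fd261528bb1962f24c
> MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2
> MD5 (openssh-3.2.2p1.tar.gz) = 9d3e1e31e8d6cdbfa3036cb183aa4a01
> MD5 (openssh-3.2.2p1.tar.gz.sig) = be4f9ed8da1735efd770dc8fa2bb808a
"""

# Optional "> " mail-quote markers, then "MD5 (name) = 32 hex digits".
BSD_LINE = re.compile(r"^(?:>\s*)*MD5 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]{32})$")

def parse_bsd_md5(text):
    """Return {filename: lowercase hex digest} for every checksum line in text."""
    expected = {}
    for line in text.splitlines():
        m = BSD_LINE.match(line.strip())
        if m:
            expected[m["name"]] = m["digest"].lower()
    return expected

def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so large tarballs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_downloads(directory, expected):
    """Map each expected filename to 'ok', 'MISMATCH' or 'absent'."""
    results = {}
    for name, digest in expected.items():
        path = Path(directory) / Path(name).name  # never follow a path in the name
        if not path.is_file():
            results[name] = "absent"
        else:
            same = hmac.compare_digest(md5_of(path), digest)
            results[name] = "ok" if same else "MISMATCH"
    return results

if __name__ == "__main__":
    found = check_downloads(sys.argv[1] if len(sys.argv) > 1 else ".",
                            parse_bsd_md5(ADVISORY_MD5))
    for name, status in found.items():
        print(f"{status:9} {name}")
    sys.exit(1 if "MISMATCH" in found.values() else 0)
```

Run it with the download directory as its argument; it exits non-zero if any file present there differs from the advisory's value.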