Date: Thu, 1 Aug 2002 11:18:12 -0400
From: Niels Provos <[email protected]>
To: [email protected]
Subject: OpenSSH Security Advisory: Trojaned Distribution Files
OpenSSH Security Advisory (adv.trojan)
1. Systems affected:
OpenSSH versions 3.2.2p1, 3.4p1 and 3.4 have been trojaned on the
OpenBSD ftp server and potentially propagated via the normal mirroring
process to other ftp servers. The code was inserted some time between
the 30th and 31st of July. We replaced the trojaned files with their
originals at 7AM MDT, August 1st.
2. Impact:
Anyone who has installed OpenSSH from the OpenBSD ftp server or any
mirror within that time frame should consider his system compromised.
The trojan allows the attacker to gain control of the system as the
user compiling the binary. Arbitrary commands can be executed.
3. Solution:
Verify that you did not build a trojaned version of the sources. The
portable OpenSSH tarballs ship with PGP signatures that should be
verified before installation. You can also use the following MD5
checksums for verification.
MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
MD5 (openssh-3.4p1.tar.gz.sig) = d5a956263287e7fd261528bb1962f24c
MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2
MD5 (openssh-3.2.2p1.tar.gz) = 9d3e1e31e8d6cdbfa3036cb183aa4a01
MD5 (openssh-3.2.2p1.tar.gz.sig) = be4f9ed8da1735efd770dc8fa2bb808a
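The verification step above, as an added example that is not part of the advisory: a POSIX shell script that checks downloaded release files against a checksum list in the advisory's "MD5 (file) = hash" format and runs gpg --verify on the detached .sig that the portable tarballs ship with. It assumes the list was copied from a trusted copy of the advisory rather than fetched from the same mirror as the tarball; the list path and directory are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the advisory): check downloaded OpenSSH release
# files against a trusted copy of the advisory's "MD5 (file) = hash" list,
# then verify the detached PGP signature that the portable tarballs ship with.
# Assumption: the list file and the download directory are caller-supplied.

# Portable MD5 digest: GNU md5sum, BSD md5, or openssl as a last resort.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then md5 -q "$1"
    else openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# Compare one file with an expected digest; 0 on match, 1 otherwise.
check_md5() {
    actual=$(md5_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# Walk a checksum list in the advisory's format. Files that were not
# downloaded are skipped; a single mismatch makes the whole check fail.
# Trailing blanks are stripped because the mailed list carried them
# (the "=20" quoted-printable residue on the first checksum line).
verify_md5_list() {
    list=$1; dir=${2:-.}; status=0
    while IFS= read -r line; do
        case $line in
            "MD5 ("*") = "*) ;;
            *) continue ;;
        esac
        name=${line#"MD5 ("}; name=${name%%")"*}
        expected=$(printf '%s' "${line##*= }" | tr -d '[:space:]')
        [ -f "$dir/$name" ] || continue
        if check_md5 "$dir/$name" "$expected"; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (do not build from this copy)"
            status=1
        fi
    done < "$list"
    return $status
}

# Detached signature check for the portable releases (file plus file.sig).
verify_pgp_sig() {
    gpg --verify "$1.sig" "$1"
}
```

Checksums and signatures only help when they arrive by a different path than the tarball itself, which is why the advisory also lists digests for the .sig files.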
4. Details:
When building the OpenSSH binaries, the trojan resides in bf-test.c
and causes code to execute which connects to a specified IP address.
The destination port is normally used by the IRC protocol. A
connection attempt is made once an hour. If the connection is
successful, arbitrary commands may be executed.
Three commands are understood by the backdoor:
Command A: Kill the exploit.
Command D: Execute a command.
Command M: Go to sleep.
5. Notice:
Because of the urgency of this issue, the advisory may not be
complete. Updates will be posted to the OpenSSH web pages if
necessary.