AL-2002.10 -- OpenSSH Security Advisory - Trojaned Distribution Files

Date: 02 August 2002
References: ESB-2002.381  ESB-2002.390  

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                        AL-2002.10 -- AUSCERT ALERT
          OpenSSH Security Advisory - Trojaned Distribution Files
                               2 August 2002

===========================================================================

        AusCERT Alert Summary
        ---------------------

The message included below is an advisory published by OpenSSH regarding
trojaned versions of their SSH implementation (openssh). The trojan was
discovered on the 1st of August, and appears to have been available for two
or three days prior. Anyone who upgraded or installed openssh between July
30 and August 1 is encouraged to read the following advisory.

- --------------------------BEGIN INCLUDED TEXT--------------------

OpenSSH Security Advisory (adv.trojan)

1. Systems affected:

OpenSSH version 3.2.2p1, 3.4p1 and 3.4 have been trojaned on the
OpenBSD ftp server and potentially propagated via the normal mirroring
process to other ftp servers.  The code was inserted some time between
the 30th and 31st of July.  We replaced the trojaned files with their
originals at 7AM MDT, August 1st.

2. Impact:

Anyone who has installed OpenSSH from the OpenBSD ftp server or any
mirror within that time frame should consider his system compromised.
The trojan allows the attacker to gain control of the system as the
user compiling the binary.  Arbitrary commands can be executed.

3. Solution:

Verify that you did not build a trojaned version of the sources.  The
portable SSH tarballs contain PGP signatures that should be verified
before installation.  You can also use the following MD5 checksums for
verification.

MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
MD5 (openssh-3.4p1.tar.gz.sig) = d5a956263287e7fd261528bb1962f24c
MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2
MD5 (openssh-3.2.2p1.tar.gz) = 9d3e1e31e8d6cdbfa3036cb183aa4a01
MD5 (openssh-3.2.2p1.tar.gz.sig) = be4f9ed8da1735efd770dc8fa2bb808a
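The check that section 3 asks for, written out as a POSIX shell script. This is an added example and not part of the AusCERT alert or the OpenSSH advisory; the checksum table is copied from the list above, and the script assumes that one of md5sum, md5 or openssl is installed and that gpg is available when a detached .sig file sits beside the tarball.

```shell
#!/bin/sh
# Added example, not part of the AusCERT alert or the OpenSSH advisory:
# check a downloaded OpenSSH tarball against the MD5 checksums published in
# section 3 above and, when gpg and a detached .sig file are present, against
# its PGP signature. Assumes md5sum, md5 or openssl is installed.

# Known-good checksums, copied from section 3 of the advisory.
EXPECTED_MD5_LIST='
openssh-3.4p1.tar.gz 459c1d0262e939d6432f193c7a4ba8a8
openssh-3.4p1.tar.gz.sig d5a956263287e7fd261528bb1962f24c
openssh-3.4.tgz 39659226ff5b0d16d0290b21f67c46f2
openssh-3.2.2p1.tar.gz 9d3e1e31e8d6cdbfa3036cb183aa4a01
openssh-3.2.2p1.tar.gz.sig be4f9ed8da1735efd770dc8fa2bb808a
'

# md5_of PATH: print the hex MD5 of PATH using whichever tool the host has.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 -r "$1" | awk '{print $1}'
    fi
}

# expected_md5 NAME: print the advisory's checksum for NAME, or nothing.
expected_md5() {
    printf '%s\n' "$EXPECTED_MD5_LIST" | awk -v n="$1" '$1 == n {print $2}'
}

# check_md5 PATH EXPECTED: return 0 if PATH hashes to EXPECTED, 1 otherwise.
check_md5() {
    actual=$(md5_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK   $1 $actual"
        return 0
    fi
    echo "FAIL $1: got $actual, expected $2" >&2
    return 1
}

# verify_tarball PATH: checksum against the published list (return 2 when
# the file name is not listed, 1 on mismatch), then verify the detached PGP
# signature if PATH.sig exists and gpg is installed.
verify_tarball() {
    name=$(basename "$1")
    exp=$(expected_md5 "$name")
    if [ -z "$exp" ]; then
        echo "no published checksum for $name" >&2
        return 2
    fi
    check_md5 "$1" "$exp" || return 1
    if [ -f "$1.sig" ] && command -v gpg >/dev/null 2>&1; then
        gpg --verify "$1.sig" "$1" || return 1
    fi
    return 0
}

# Usage: sh verify-openssh.sh /path/to/openssh-3.4p1.tar.gz
if [ $# -gt 0 ]; then
    verify_tarball "$1"
fi
```

The checksum comparison only helps because the values arrive through a channel separate from the mirror (the signed advisory); a checksum file fetched from the same compromised mirror proves nothing. The PGP signature check is the stronger control, since an attacker who replaces the tarball cannot produce a valid signature without the OpenSSH release key, and it should be run even when the checksums match.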

4. Details

When building the OpenSSH binaries, the trojan resides in bf-test.c
and causes code to execute which connects to a specified IP address.
The destination port is normally used by the IRC protocol.  A
connection attempt is made once an hour.  If the connection is
successful, arbitrary commands may be executed.

Three commands are understood by the backdoor:

Command A:  Kill the exploit.
Command D:  Execute a command.
Command M:  Go to sleep.
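The behaviour described in section 4 (one connection attempt per hour to the port normally used by IRC) gives a defender something to look for in outbound-connection records from hosts that built OpenSSH in the affected window. The following detector is an added example, not part of the advisory; it assumes the IRC port is 6667 and a constructed four-column log format (epoch seconds, source, destination, destination port) sorted by time, and flags source/destination pairs whose hits on that port recur at roughly hourly gaps.

```shell
#!/bin/sh
# Added example, not part of the advisory: flag the beaconing pattern
# described in section 4 (a connection attempt to the IRC port once an hour)
# in outbound-connection logs from build hosts. Assumptions: the IRC port is
# 6667, and the log has one line per connection as
#   <epoch_seconds> <src_ip> <dst_ip> <dst_port>
# sorted by time.

IRC_PORT=6667

# Constructed sample log for the demo below; not real traffic.
# 10.0.0.5 reaches the IRC port at exact hourly intervals (the pattern from
# the advisory), 10.0.0.7 once only, and 10.0.0.9 in a short burst.
SAMPLE_LOG='
1028000000 10.0.0.5 192.0.2.10 6667
1028000100 10.0.0.7 192.0.2.10 6667
1028000500 10.0.0.9 203.0.113.4 6667
1028000560 10.0.0.9 203.0.113.4 6667
1028000600 10.0.0.9 203.0.113.4 6667
1028001000 10.0.0.5 192.0.2.10 80
1028003600 10.0.0.5 192.0.2.10 6667
1028007200 10.0.0.5 192.0.2.10 6667
'

# find_hourly_beacons < LOG: print "src dst count" for each source that hit
# IRC_PORT on the same destination at least three times with every gap
# between 50 and 70 minutes. The tolerance allows for retries and log jitter.
find_hourly_beacons() {
    awk -v port="$IRC_PORT" '
        NF == 4 && $4 == port {
            key = $2 " " $3
            if (key in last) {
                gap = $1 - last[key]
                if (gap < 3000 || gap > 4200) irregular[key] = 1
            }
            last[key] = $1
            count[key]++
        }
        END {
            for (k in count)
                if (count[k] >= 3 && !(k in irregular))
                    print k, count[k]
        }
    ' | sort
}

# Demo on the constructed sample; a real run would pipe in firewall or
# netflow export reduced to the same four columns.
printf '%s\n' "$SAMPLE_LOG" | find_hourly_beacons
```

On the sample the only line reported is the hourly pair. A hit on this detector is a lead rather than proof: legitimate IRC clients also reconnect on timers, so the follow-up is to check whether the source host built OpenSSH from a tarball downloaded in the affected window and whether its bf-test.c matched the published sources.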

5. Notice:

Because of the urgency of this issue, the advisory may not be
complete.  Updates will be posted to the OpenSSH web pages if
necessary.

- --------------------------END INCLUDED TEXT--------------------

This alert is provided as a service to AusCERT's members.  As AusCERT did
not write the document quoted above, AusCERT has had no control over its
content.  The decision to use any or all of this information is the
responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the alert.  It may not be
updated when updates to the original are made.  If downloading at a later
date, it is recommended that the alert is retrieved directly from the
original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the alert above.  If you have any questions or need further information,
please contact them directly.

Previous advisories, alerts and external security bulletins can be 
retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPUpXxih9+71yA2DNAQHHsQP+NKBduUzkMjl8KIAT9Ute1HcnK3hib1GM
ka/uYSvfIX3kGDExLEk4wbSNUeFUdnOPiFg0SxqMmbPGaxH/c7Vl6Wtf7/2zBfjr
6qwTdc+ryt6j/ga736+UVLcD7a9u949W8+Q/xnf5hbATJ6mHDz67/ik4jQn1lqfK
5Gyn3voD+Yo=
=P/Ju
-----END PGP SIGNATURE-----