* [gentoo-dev] possible trojan in openssh-3.4p1
@ 2002-08-01 8:37 Rob Kaper
2002-08-01 8:46 ` Rob Kaper
2002-08-01 9:18 ` Vitaly Kushneriuk
0 siblings, 2 replies; 16+ messages in thread
From: Rob Kaper @ 2002-08-01 8:37 UTC
To: pvolkerdi; +Cc: neil, gentoo-dev, kde-cafe
Pat, Neil, Gentoo devs, KDE friends:
From #kde-freebsd:
<knu> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz is trojaned
<tap> nothing on google either
<knu> steals /etc/passwd to send to a certain IRC network and removes itself
<Capzilla> knu : says who
<knu> see the code, but never run make
<knu> openbsd-compat/{Makefile.in,bf-test.c}
Looks like some weird stuff is in there indeed.
md5sum of the binary that appears to be trojaned:
3ac9bc346d736b4a51d676faa2a08a57 openssh-3.4p1.tar.gz
As far as I can see, compiled binaries are *not* affected, but you might
want to carefully examine this more closely (I'm waiting with upgradepkg and
emerge on my systems until there's some more info). We've had a few hoaxes
recently, but this looks suspicious.
My apologies if this is just a storm in a glass of water.
Rob
--
Rob Kaper | Gimme some love, gimme some skin,
cap@capsi.com | if we ain't got that then we ain't got much
www.capsi.com | and we ain't got nothing, nothing! -- "Nothing" by A
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [gentoo-dev] possible trojan in openssh-3.4p1
From: Rob Kaper @ 2002-08-01 8:46 UTC
To: gentoo-dev
On Thursday 01 August 2002 10:37, Rob Kaper wrote:
> My apologies if this is just a storm in a glass of water.
And for the double post, posted from home first, realized I subscribed at
work, posted there, to see my home post make it anyway.
Rob
* Re: [gentoo-dev] possible trojan in openssh-3.4p1
From: Vitaly Kushneriuk @ 2002-08-01 9:18 UTC
To: Rob Kaper; +Cc: gentoo-dev
On Thu, 2002-08-01 at 11:37, Rob Kaper wrote:
> Pat, Neil, Gentoo devs, KDE friends:
>
> From #kde-freebsd:
>
> <knu> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz is trojaned
> <tap> nothing on google either
> <knu> steals /etc/passwd to send to a certain IRC network and removes itself
> <Capzilla> knu : says who
> <knu> see the code, but never run make
> <knu> openbsd-compat/{Makefile.in,bf-test.c}
>
> Looks like some weird stuff is in there indeed.
>
> md5sum of the binary that appears to be trojaned:
>
> 3ac9bc346d736b4a51d676faa2a08a57 openssh-3.4p1.tar.gz
>
> As far as I can see, compiled binaries are *not* affected, but you might
> want to carefully examine this more closely (I'm waiting with upgradepkg and
> emerge on my systems until there's some more info). We've had a few hoaxes
> recently, but this looks suspicious.
>
> My apologies if this is just a storm in a glass of water.
>
> Rob
> --
> Rob Kaper | Gimme some love, gimme some skin,
> cap@capsi.com | if we ain't got that then we ain't got much
> www.capsi.com | and we ain't got nothing, nothing! -- "Nothing" by A
It indeed looks like a trojan. It doesn't send your /etc/passwd though.
It connects to 203.62.158.32 [web.snsonline.net.] port 6667 [irc]
and opens a shell session on that connection, so that whoever is in
control there will be able to execute arbitrary commands on your system
with your current privileges. Especially dangerous if you compile as
root.
/Vitaly.
* Re: [gentoo-dev] possible trojan in openssh-3.4p1
From: Eric Noack @ 2002-08-01 10:10 UTC
To: gentoo-dev
On 01 Aug 2002 12:18:53 +0300, Vitaly Kushneriuk <vitaly_kushneriuk@yahoo.com> wrote:
> It indeed looks like a trojan. It doesn't send your /etc/passwd though.
> It connects to 203.62.158.32 [web.snsonline.net.] port 6667 [irc]
> and opens a shell session on that connection, so that whoever is in
> control there will be able to execute arbitrary commands on your system
> with your current privileges. Especially dangerous if you compile as
> root.
I'm not so big into the code, but the file @ ibiblio.org seems to be ok:
ftp://ibiblio.org/pub/Linux/distributions/gentoo/distfiles/openssh-3.4p1.tar.gz
-rw-r--r-- 1 raven users 837668 08-01 12:06 openssh-3.4p1.tar.gz.ibiblio.org
-rw-r--r-- 1 raven users 840574 08-01 11:46 openssh-3.4p1.tar.gz.dangerous_from.ftp.openbsd.org
-rw-r--r-- 1 root root 837668 08-01 11:35 openssh-3.4p1.tar.gz.ok
see the different sizes? interesting. that says enough.
however the file mentioned (openbsd-compat/bf-test.c) doesn't exist in the ibiblio version,
so I hope this one is clean.
such a thing must never happen!
Corvus Corax
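Eric's comparison above (different archive sizes, an extra openbsd-compat/bf-test.c) can be done without unpacking or building anything, which is also what knu's "never run make" advice amounts to. The following Go example is added here and is not from the thread: it lists the regular files in a tar archive with their MD5 sums and reports what a suspect copy adds or changes relative to a known-good one. The two archives are constructed stand-ins built in memory, not the real tarballs; for a .tar.gz, wrap the input in compress/gzip first.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/md5"
	"encoding/hex"
	"io"
)

// ListMembers walks a tar archive in memory and returns path -> MD5 of every regular
// file, so a suspect download can be inspected without extracting it or running make.
func ListMembers(archive []byte) (map[string]string, error) {
	members := map[string]string{}
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return members, nil
		}
		if err != nil {
			return nil, err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		h := md5.New()
		if _, err := io.Copy(h, tr); err != nil {
			return nil, err
		}
		members[hdr.Name] = hex.EncodeToString(h.Sum(nil))
	}
}

// Diff returns paths that exist only in suspect and paths whose content differs from known.
func Diff(known, suspect map[string]string) (added, changed []string) {
	for name, sum := range suspect {
		if k, ok := known[name]; !ok {
			added = append(added, name)
		} else if k != sum {
			changed = append(changed, name)
		}
	}
	return added, changed
}

// BuildTar packs name -> content into an in-memory tar; used only for the constructed samples.
func BuildTar(files map[string]string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for name, content := range files {
		tw.WriteHeader(&tar.Header{Name: name, Mode: 0644, Size: int64(len(content)), Typeflag: tar.TypeReg})
		tw.Write([]byte(content))
	}
	tw.Close()
	return buf.Bytes()
}

const mk = "openssh-3.4p1/openbsd-compat/Makefile.in"

// Constructed stand-ins for the two tarballs (not the real files): the suspect copy
// carries an extra bf-test.c and a Makefile.in edited to build it.
var CleanSample = BuildTar(map[string]string{mk: "all: libopenbsd-compat.a\n"})
var SuspectSample = BuildTar(map[string]string{
	mk: "all: libopenbsd-compat.a bf-test\n",
	"openssh-3.4p1/openbsd-compat/bf-test.c": "/* constructed placeholder */\n",
})
```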
* Re: [gentoo-dev] possible trojan in openssh-3.4p1
From: Terje Kvernes @ 2002-08-01 10:34 UTC
To: gentoo-dev; +Cc: gentoo-security
Vitaly Kushneriuk <vitaly_kushneriuk@yahoo.com> writes:
> On Thu, 2002-08-01 at 11:37, Rob Kaper wrote:
>
> > Pat, Neil, Gentoo devs, KDE friends:
[ ... ]
> > <knu> see the code, but never run make
> > <knu> openbsd-compat/{Makefile.in,bf-test.c}
hm. can someone tell me what is up with bf-test.c? this char
data is rather unreadable to me.
> > Looks like some weird stuff is in there indeed.
> >
> > md5sum of the binary that appears to be trojaned:
> >
> > 3ac9bc346d736b4a51d676faa2a08a57 openssh-3.4p1.tar.gz
> >
> > As far as I can see, compiled binaries are *not* affected, but you
> > might want to carefully examine this more closely (I'm waiting with
> > upgradepkg and emerge on my systems until there's some more
> > info). We've had a few hoaxes recently, but this looks suspicious.
> >
> > My apologies if this is just a storm in a glass of water.
>
> It indeed looks like a trojan. It doesn't send your /etc/passwd
> though. It connects to 203.62.158.32 [web.snsonline.net.] port
> 6667 [irc] and opens a shell session on that connection, so that
> whoever is in control there will be able to execute arbitrary
> commands on your system with your current privileges. Especially
> dangerous if you compile as root.
ick. can someone confirm this trojan?
--
Terje
* Re: [gentoo-dev] possible trojan in openssh-3.4p1
From: Rob Kaper @ 2002-08-01 10:47 UTC
To: Terje Kvernes; +Cc: gentoo-dev
On Thursday 01 August 2002 12:34, Terje Kvernes wrote:
> hm. can someone tell me what is up with bf-test.c? this char
> data is rather unreadable to me.
> ick. can someone confirm this trojan?
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security
Rob
* Re: [gentoo-dev] possible trojan in openssh-3.4p1
From: Terje Kvernes @ 2002-08-01 10:56 UTC
To: Rob Kaper; +Cc: gentoo-dev
Rob Kaper <rkaper@ism.nl> writes:
> On Thursday 01 August 2002 12:34, Terje Kvernes wrote:
> > hm. can someone tell me what is up with bf-test.c? this char
> > data is rather unreadable to me.
>
> > ick. can someone confirm this trojan?
>
> http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security
thank you. of sorts. *sigh*
--
Terje
* Re: [gentoo-dev] possible trojan in openssh-3.4p1
From: Terje Kvernes @ 2002-08-01 13:35 UTC
To: gentoo-dev
Bastian Fuchs <bastiaf@gmx.de> writes:
> Yesterday I updated my system, openssh too. I know that there are
> problems with some downloads. Now I want to know from which server
> openssh was downloaded. Are there portage logfiles for downloads,
> tested checksums?
if the checksums differ, which they would have, emerge will abort.
although, emerge logs do sound like a very good idea.
--
Terje
* Re: [gentoo-dev] possible trojan in openssh-3.4p1
From: Rob Kaper @ 2002-08-01 13:39 UTC
To: Terje Kvernes; +Cc: gentoo-dev
On Thursday 01 August 2002 15:35, Terje Kvernes wrote:
> if the checksums differ, which they would have, emerge will abort.
> although, emerge logs do sound like a very good idea.
For optimum security, emerge should check checksums from different locations.
One or two trusted servers (often even the same as the one where the files
reside, although that might not be true for gentoo) can be compromised too
easily.
Rob
* Re: [gentoo-dev] possible trojan in openssh-3.4p1
From: Spider @ 2002-08-01 21:17 UTC
To: gentoo-dev
begin quote
On Thu, 1 Aug 2002 15:39:05 +0200
Rob Kaper <rkaper@ism.nl> wrote:
> On Thursday 01 August 2002 15:35, Terje Kvernes wrote:
> > if the checksums differ, which they would have, emerge will abort.
> > although, emerge logs do sound like a very good idea.
>
> For optimum security, emerge should check checksums from different
> locations. One or two trusted servers (often even the same as the one
> where the files reside, although that might not be true for gentoo)
> can be compromised too easily.
>
> Rob
>
actually portage compares to the one in the portage tree, which is
considered "safe" as it's not related to the servers where the binaries
are located.
//Spider
--
begin .signature
This is a .signature virus! Please copy me into your .signature!
See Microsoft KB Article Q265230 for more information.
end
* Re: [gentoo-dev] possible trojan in openssh-3.4p1
From: Johannes Findeisen @ 2002-08-02 7:36 UTC
To: gentoo-dev
On Thursday 01 August 2002 15:39, Rob Kaper wrote:
> On Thursday 01 August 2002 15:35, Terje Kvernes wrote:
> > if the checksums differ, which they would have, emerge will abort.
> > although, emerge logs do sound like a very good idea.
>
> For optimum security, emerge should check checksums from different
> locations. One or two trusted servers (often even the same as the one where
> the files reside, although that might not be true for gentoo) can be
> compromised too easily.
if this should be an option in portage, we always need to download two files
from two servers to check if the md5sums are the same... :-(
IMO it is good as it is. the gentoo-core team is providing an md5sum in the
portage tree and that should be enough.
regards
hanez... ;-)
--
begin .signature
question: is it a feature to execute code in emails?
i don't think so!
end
* Re: [gentoo-dev] Re: possible trojan in openssh-3.4p1
From: Johannes Findeisen @ 2002-08-02 12:02 UTC
To: gentoo-dev
> as far as the above suggestion made by Terje is concerned You're right.
> Distributed checks could easily lead to "confusion", especially working
> with mirrors. But MD5 alone IS a joke when it comes to _security_
> (here: proof of origin/unmodified developer version). It's quite good
> to check file corruption during data transfer. But that's it in my
> eyes. If one wants secure "origin" checks there's the need for gpg
> signing or something alike. Just using md5 someone who got write access
> to a portage-server could easily regenerate the sum and paste it into
> the ebuild including a modified SRC-URL.
yeah you're right. but AFAIK the gentoo rsync mirrors are being updated every
30 minutes. so if anyone is interested in putting some hacked versions in
there, he could do that, but every change will be destroyed after mirroring the
portage tree again. hmmm... but you're right!!! all people who are providing
mirrors are in the position to do such things.
well there are ways to do it but we have only one "master" of rsync servers so
all the others will be updated from this one. i think and hope it is this
way...
trust no one
hanez... ;-)
--
begin .signature
question: is it a feature to execute code in emails?
i don't think so!
end
* [gentoo-dev] Re: possible trojan in openssh-3.4p1
From: A.Waschbuesch @ 2002-08-02 12:18 UTC
To: gentoo-dev
Johannes Findeisen wrote:
> On Thursday 01 August 2002 15:39, Rob Kaper wrote:
>> On Thursday 01 August 2002 15:35, Terje Kvernes wrote:
>> > if the checksums differ, which they would have, emerge will abort.
>> > although, emerge logs do sound like a very good idea.
>>
>> For optimum security, emerge should check checksums from different
>> locations. One or two trusted servers (often even the same as the one
>> where the files reside, although that might not be true for gentoo)
>> can be compromised too easily.
>
> if this should be an option in portage, we always need to download two
> files from two servers to check if the md5sums are the same... :-(
> IMO it is good as it is. the gentoo-core team is providing an md5sum
> in the portage tree and that should be enough.
>
Hi Johannes,
as far as the above suggestion made by Terje is concerned You're right.
Distributed checks could easily lead to "confusion", especially working
with mirrors. But MD5 alone IS a joke when it comes to _security_
(here: proof of origin/unmodified developer version). It's quite good
to check file corruption during data transfer. But that's it in my
eyes. If one wants secure "origin" checks there's the need for gpg
signing or something alike. Just using md5 someone who got write access
to a portage-server could easily regenerate the sum and paste it into
the ebuild including a modified SRC-URL.
OK. "Even" the OpenBSD devel core team didn't manage to integrate
private keys that way (maybe in general they're chaotic). One big
problem handling this would be/is/was the key availability for people
downloading files ... at least it's like that dealing with some of the
OBSD dev-staff ...
Andrew
--
Andreas Waschbuesch, GAUniversity KG MA FNZ FK01
eMail: awaschb@gwdg.de
Pete: Waiter, this meat is bad.
Waiter: Who told you?
Pete: A little swallow.
* [gentoo-dev] Re: Re: possible trojan in openssh-3.4p1
From: A.Waschbuesch @ 2002-08-03 10:40 UTC
To: gentoo-dev
Johannes Findeisen wrote:
> [ md5 unsecure / mirror tactics ]
>
> well there are ways to do it but we have only one "master" of rsync
> servers so all the others will be updated from this one. i think and
> hope it is this way...
I see. The more I hope that master's gonna stay clean ...
> trust no one
Who are You?
> hanez... ;-)
Andrew
--
Andreas Waschbuesch, GAUniversity KG MA FNZ FK01
eMail: awaschb@gwdg.de
I have made mistakes but I have never made the mistake of claiming
that I have never made one.
-- James Gordon Bennett
* Re: [gentoo-dev] possible trojan in openssh-3.4p1
From: Jean-Michel Smith @ 2002-08-03 16:09 UTC
To: Johannes Findeisen, gentoo-dev
On Friday 02 August 2002 02:36 am, Johannes Findeisen wrote:
> if this should be an option in portage, we always need to download two files
> from two servers to check if the md5sums are the same... :-(
> IMO it is good as it is. the gentoo-core team is providing an md5sum in the
> portage tree and that should be enough.
Until it isn't, which is going to happen, sooner or later.
Ideally each developer would GPG sign their source tarballs (and have their
public keys available from several independent locations, such as
key-servers, a public key-ring available for download, and purchase on CDR).
But at the very least, Gentoo should have a public keyring available (again,
from multiple sources to ensure the keyring itself hasn't been modified), and
each ebuild and digest file should be cryptographically signed. Emerge
should check those signatures and validate them before installing an ebuild.
If this issue isn't addressed in some fashion, it really only becomes a
question of time before Gentoo is trojanned via the ebuild/emerge process,
and the entire distro gets a big black eye as a result, and then addresses
these concerns anyway.
Why not do it proactively instead?
Jean.
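Andreas's point that anyone with write access to a portage server can regenerate an md5 line, and Jean-Michel's answer that digests should be signed and checked by emerge, as an added Go example that is not from the thread. It replays both checks on constructed data: an md5-only digest accepts a swapped tarball once its line is regenerated, while a digest signed with the developer's key (Ed25519 here, standing in for the gpg signing the thread proposes) rejects it. The digest line layout, key names and all file contents are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// DigestLine renders one "MD5 <hex> <file> <size>" entry (Portage digest layout of
// the era, assumed here; the thread does not show one).
func DigestLine(name string, data []byte) string {
	sum := md5.Sum(data)
	return fmt.Sprintf("MD5 %s %s %d", hex.EncodeToString(sum[:]), name, len(data))
}

// CheckDigest is the md5-only check the thread discusses: any matching line passes, whoever wrote it.
func CheckDigest(digest, name string, data []byte) bool {
	want := DigestLine(name, data)
	for _, line := range strings.Split(digest, "\n") {
		if strings.TrimSpace(line) == want {
			return true
		}
	}
	return false
}

// Verify adds the origin check the thread asks for: accept the file only if the digest
// carries a valid signature from the trusted key AND the bytes match an entry in it.
func Verify(pub ed25519.PublicKey, digest string, sig []byte, name string, data []byte) bool {
	return ed25519.Verify(pub, []byte(digest), sig) && CheckDigest(digest, name, data)
}

// Outcome records what each check decided for the genuine and the swapped tarball.
type Outcome struct {
	GenuinePasses bool // signed check accepts the developer's digest and file
	Md5OnlyFooled bool // md5-only check accepts the regenerated digest
	SignedRejects bool // signed check rejects the regenerated, attacker-signed digest
	OldSigRejects bool // signed check rejects the swapped file against the real digest
}

// Scenario replays the attack with constructed data: someone with write access to a
// mirror swaps the tarball and regenerates the md5 line but holds no developer key.
func Scenario() (Outcome, error) {
	devPub, devPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	const name = "openssh-3.4p1.tar.gz"
	clean := []byte("constructed stand-in for the clean tarball")
	digest := DigestLine(name, clean)
	sig := ed25519.Sign(devPriv, []byte(digest))
	trojaned := []byte("constructed stand-in for the tarball with bf-test.c added")
	forgedDigest := DigestLine(name, trojaned)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forgedSig := ed25519.Sign(attackerPriv, []byte(forgedDigest))
	return Outcome{
		GenuinePasses: Verify(devPub, digest, sig, name, clean),
		Md5OnlyFooled: CheckDigest(forgedDigest, name, trojaned),
		SignedRejects: !Verify(devPub, forgedDigest, forgedSig, name, trojaned),
		OldSigRejects: !Verify(devPub, digest, sig, name, trojaned),
	}, nil
}
```

The signing key must of course reach users by a path independent of the mirrors, which is the keyring-distribution problem Jean-Michel raises.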
* [gentoo-dev] Re: possible trojan in openssh-3.4p1
From: A.Waschbuesch @ 2002-08-03 17:19 UTC
To: gentoo-dev
Jean-Michel Smith wrote:
> [gpg signing on ebuilds, devel-sources etc.]
> [distributed keys, available key-servers etc.]
>
> Why not do it proactively instead?
I would applaud thee to the very echo,
That should applaud again.
Andrew
--
Andreas Waschbuesch, GAUniversity KG MA FNZ FK01
eMail: awaschb@gwdg.de
In order to get a loan you must first prove you don't need it.