Results 1 to 2 of 2

Thread: Ssh

  1. #1
    Junior Member
    Join Date
    May 2002
    Posts
    22

    Ssh

    SSH, everyone's favorite nifty remote commandline tool. Recently there was a bit of a panic when people realized there was a vulnerability in the current version, and sysadmins rushed to upgrade to a brand-new version with a fix. If this was you, you might want to pay attention: the latest version has been [glowpurple]trojaned[/glowpurple] .

    The incidents@securityfocus.com mailing list was notified early this morning. The guy who discovered the trojan has a weblog, which is over its bandwidth limitations for the moment thanks to Slashdot. Also thanks to Slashdot, a karma-whoring copy of the revelant info on that weblog is available. We owe it all to MD5 checksumming.
    Yo, sup

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    To be more exact:

    From: Niels Provos
    To: security-announce@openbsd.org, misc@openbsd.org,
    announce@openbsd.org
    Subject: OpenSSH Security Advisory: Trojaned Distribution Files
    Date: Thu, 1 Aug 2002 11:19:49 -0400

    OpenSSH Security Advisory (adv.trojan)

    1. Systems affected:

    OpenSSH version 3.2.2p1, 3.4p1 and 3.4 have been trojaned on the
    OpenBSD ftp server and potentially propagated via the normal mirroring
    process to other ftp servers. The code was inserted some time between
    the 30th and 31th of July. We replaced the trojaned files with their
    originals at 7AM MDT, August 1st.

    2. Impact:

    Anyone who has installed OpenSSH from the OpenBSD ftp server or any
    mirror within that time frame should consider his system compromised.
    The trojan allows the attacker to gain control of the system as the
    user compiling the binary. Arbitrary commands can be executed.

    3. Solution:

    Verify that you did not build a trojaned version of the sources. The
    portable SSH tar balls contain PGP signatures that should be verified
    before installation. You can also use the following MD5 checksums for
    verification.

    MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
    MD5 (openssh-3.4p1.tar.gz.sig) = d5a956263287e7fd261528bb1962f24c
    MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2
    MD5 (openssh-3.2.2p1.tar.gz) = 9d3e1e31e8d6cdbfa3036cb183aa4a01
    MD5 (openssh-3.2.2p1.tar.gz.sig) = be4f9ed8da1735efd770dc8fa2bb808a

    4. Details

    When building the OpenSSH binaries, the trojan resides in bf-test.c
    and causes code to execute which connects to a specified IP address.
    The destination port is normally used by the IRC protocol. A
    connection attempt is made once an hour. If the connection is
    successful, arbitrary commands may be executed.

    Three commands are understood by the backdoor:

    Command A: Kill the exploit.
    Command D: Execute a command.
    Command M: Go to sleep.

    5. Notice:

    Because of the urgency of this issue, the advisory may not be
    complete. Updates will be posted to the OpenSSH web pages if
    necessary.
    Credit travels up, blame travels down -- The Boss

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •