From owner-csa@sprocket.nosc.MIL Sat Feb 27 14:42:44 1999
From: owner-csa@sprocket.nosc.MIL
To: CSA-List@sprocket.nosc.MIL
Date: Thu, 28 Jan 1999 08:04:33 -0500
Subject: IAVA 1999-0002 TCP Wrappers Trojan Vulnerability

Automated Systems Security Incident Support Team (ASSIST)
Advisory 1999-0002
Release date: 21 Jan 1999
Revised date: 22 Jan 1999

TOPIC: TCP Wrappers Trojan

DESCRIPTION:

ASSIST has been notified that the primary distribution site for TCP Wrappers v7.6 (Netherlands) was recently compromised. This site is used to propagate copies to numerous mirror sites all over the world. The distribution files were modified to include a trojan payload. This code allows a remote intruder to gain root access to any system with an installed copy.

TCP Wrappers is one of the most recommended security tools on the net. Its use is still recommended, but sites should always verify the accompanying PGP signature to confirm that the software is authentic.

PLATFORM: Any system with a recent installation of TCP Wrappers (primarily UNIX systems)

IMPACT: An intruder could exploit the trojan to gain unrestricted access to a system.

SOLUTION:

Verify that your systems have not recently installed a copy of TCP Wrappers. If you have recently installed TCP Wrappers (since 19 January 1999), then:

1. The distribution file's (.tar.gz) correct length is 99438 bytes. The modified file's length is 99186 bytes.

2. Verify the MD5 checksum of the package (tcp_wrappers_7.6.tar.gz):

   compromised package: af7f76fb9960a95a1341c1777b48f1df
   correct package:     e6fa25f71226d090f34de3f6b122fb5a

   ** Check 2 replaces the earlier port check. The trojan code does NOT open port 421. It does allow privileged access to any wrapped service when the client originates from source port 421.

3. Look in the TCP Wrappers source code for the following added line:

   grep "/bin/csh" tcpd.c

4. Review the binary for the following signature string:

   strings tcpd | grep csh

Any output from check 3 or check 4 should cause concern.
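The four checks above, collected into one script that can be run against a downloaded tarball, an unpacked source tree and an installed tcpd binary. This is an added example written for this page, not a tool from ASSIST or from the TCP Wrappers distribution. The sizes and MD5 values are the ones published in the advisory; the function names, the three-way GOOD/TROJAN/UNKNOWN verdict (anything that matches neither known hash is reported as UNKNOWN rather than assumed good), and the fall-back to tr where strings is not installed are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical checker for the TCP Wrappers 7.6 trojan indicators (example
# code, not part of the ASSIST advisory or of TCP Wrappers itself).

# Values published in ASSIST 1999-0002.
GOOD_MD5=e6fa25f71226d090f34de3f6b122fb5a
TROJAN_MD5=af7f76fb9960a95a1341c1777b48f1df
GOOD_SIZE=99438
TROJAN_SIZE=99186

# MD5 of a file, using whichever tool is present (coreutils, BSD, or openssl).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# Size in bytes; wc -c pads with spaces on some systems, so strip them.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Checks 1 and 2. The hash decides; the length is printed as supporting
# evidence only, because an unrelated file can share a length by chance.
classify_tarball() {
    sum=$(md5_of "$1")
    size=$(size_of "$1")
    if [ "$sum" = "$GOOD_MD5" ]; then
        echo GOOD
    elif [ "$sum" = "$TROJAN_MD5" ]; then
        echo TROJAN
    else
        echo "size $size (advisory: good $GOOD_SIZE, trojan $TROJAN_SIZE)" >&2
        echo UNKNOWN
    fi
}

# Check 3: the trojaned tcpd.c references /bin/csh. Takes the unpacked
# source directory; prints TAINTED, CLEAN, or MISSING if tcpd.c is absent.
check_source() {
    [ -f "$1/tcpd.c" ] || { echo MISSING; return 0; }
    if grep -q "/bin/csh" "$1/tcpd.c"; then echo TAINTED; else echo CLEAN; fi
}

# Check 4: the advisory's `strings tcpd | grep csh`. strings comes from
# binutils and may be absent, so fall back to turning every non-printable
# byte into a newline with tr, which is what strings does in essence.
check_binary() {
    if command -v strings >/dev/null 2>&1; then
        hits=$(strings "$1" | grep -c csh || true)
    else
        hits=$(LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -c csh || true)
    fi
    if [ "$hits" -gt 0 ]; then echo TAINTED; else echo CLEAN; fi
}

# Usage: sh check_tcpw.sh tcp_wrappers_7.6.tar.gz [source_dir] [tcpd_binary]
if [ "$#" -gt 0 ]; then
    echo "tarball: $(classify_tarball "$1")"
    if [ -n "$2" ]; then echo "tcpd.c:  $(check_source "$2")"; fi
    if [ -n "$3" ]; then echo "tcpd:    $(check_binary "$3")"; fi
fi
```

Two caveats. Matching a file against a specific known-bad MD5 is sound, but a hash match against the published "correct" value only tells you the tarball is the one the advisory's authors measured; authenticity is what the accompanying PGP signature is for, as the advisory says. And because the backdoor is keyed on the client's source port, inbound connections to wrapped services whose TCP source port is 421 (for instance `tcpdump 'tcp src port 421'`) are worth watching while the checks are carried out.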
If you believe that you have installed a trojan version of TCP Wrappers, please contact your respective CERT immediately. Legitimate copies of the software can be obtained from the ASSIST FTP server:

ftp://ftp.assist.mil/pub/tools/tcp_wrappers

___________________________

ASSIST CONTACT INFORMATION:

NIPRNET E-mail: assist@assist.mil
SIPRNET E-mail: assist@assist.disa.smil.mil
Phone: (800)-357-4231 (DSN 327-4700) 24 hour hotline
Fax: (703) 607-4735 (DSN 327-4735)

Unclassified ASSIST Bulletins, tools and other security related information are available from:

http://www.assist.mil/
http://www.assist.disa.smil.mil
ftp://ftp.assist.mil/

____

OTHER DoD CERT CONTACT INFORMATION:

Air Force CERT Phone: (800) 854-0187
Air Force CERT Email: afcert@afcert.csap.af.mil
Navy CIRT Phone: (800) 628-8893
Navy CIRT Email: navcirt@fiwc.navy.mil
Army CERT Phone: (888) 203-6332
Army CERT Email: acert@vulcan.belvoir.army.mil

Back issues of ASSIST bulletins, and other security related information, are available through anonymous FTP from ftp.assist.mil (IP address 199.211.123.12).

Note: ftp.assist.mil will only accept anonymous FTP connections from NIPRNET addresses that are registered with the NIC or DNS. If your system is not registered, you must provide your NIPRNET IP address to ASSIST before access can be provided.

ASSIST uses Pretty Good Privacy (PGP) as the digital signature mechanism for bulletins. PGP incorporates the RSAREF(tm) Cryptographic Toolkit under license from RSA Data Security, Inc. A copy of that license is available via anonymous FTP from net-dist.mit.edu (IP 18.72.0.3) in the file /pub/PGP/rsalicen.txt. In accordance with the terms of that license, PGP may be used for non-commercial purposes only. Instructions for downloading the PGP software can also be obtained from net-dist.mit.edu in the pub/PGP/README file.
PGP and RSAREF may be subject to the export control laws of the United States of America as implemented by the United States Department of State Office of Defense Trade Controls.

The PGP signature information will be attached to the end of ASSIST bulletins.

Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by ASSIST. The views and opinions of authors expressed herein shall not be used for advertising or product endorsement purposes.