Date: Fri, 22 Jan 1999 14:42:18 +0100
From: Jochen Thomas Bauer (jtb@THEO2.PHYSIK.UNI-STUTTGART.DE)
To: BUGTRAQ@netspace.org
Subject: Misleading CERT Advisory CA-99-01-Trojan-TCP-Wrappers

-----BEGIN PGP SIGNED MESSAGE-----

Hello,

The latest CERT Advisory about TCPwrappers containing a trojan horse
(CA-99-01-Trojan-TCP-Wrappers) seems to be partially incorrect.

CERT Advisory CA-99-01-Trojan-TCP-Wrappers:

   I. Description

   TCP Wrappers is a tool commonly used on Unix systems to monitor and
   filter connections to network services.
   [...]
   The Trojan horse version of TCP Wrappers provides root access to
   intruders on port 421. Additionally, upon compilation, this Trojan
   horse version sends email to an external address.
   [...]

   III. Solution

   [...]
   As with any port, if you are not using port 421, we encourage you to
   filter it at your network perimeter.
   [...]

This suggests that an intruder has to connect to port 421/tcp to get a
root shell and therefore access to port 421/tcp should be blocked.

I guess that you have read Wietse Venema's mail that clearly states
that a root shell is obtained by connecting to a service that is
started by the TCPwrapper from(!) port 421.

>The backdoor gives access to a privileged shell when a client
>connects from port 421.

So all the people following the CERT Advisory will probably do the
wrong thing: blocking TCP(SYN) packets with destination port 421
instead of blocking TCP(SYN) packets with source port 421 :-(

Jochen Bauer

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBNqh+UFthq5K12SiJAQFA0ggAsGtTsK17LSYlmn2swHGFWX7cGjPeSZln
D0pOqU3z17FxRP+LsEspxRtSm5bGjxSpsU76XxGcViLegW9C/I2YvqhHnYRCJuE6
sicBBBkNMqp1X7V9cmeZsqOjg/yG56Do8qx00KLLon5AqwS2Ku6IChvy151sY+c5
I5IvUtiVeskR4fsCa+eS5r3LOL94K8tk6kBj1gwFqYwcbuDx2Q424q8GcSz169Pc
vp9j0XenWKZ49Uu+uMAPCHkfvUZPwFfuudJK918o1jcC+3uAKEkpJPQ5Coj3J0rV
p647bqQXNPEm9XnK/oUYA1Y+D9wsMdR942C00zMDKANkk70AKDXklg==
=It6e
-----END PGP SIGNATURE-----

-------------------------------------------------
My PGP public key can be found on:
http://www.theo2.physik.uni-stuttgart.de/jtb.html
-------------------------------------------------
Jochen Bauer
Institute for Theoretical Physics
University of Stuttgart
Germany
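The distinction Bauer draws (source port 421 versus destination port 421) is easy to get wrong in a filter rule, so here is an added worked example that is not part of the original mail, the CERT advisory, or Wietse Venema's post. It constructs two minimal IPv4/TCP SYN packets with Python's struct module, parses the ports and flags back out of the raw bytes, and applies both readings of "filter port 421" to each: the destination-port rule that the advisory text invites, and the source-port rule that the backdoor's trigger actually calls for. The addresses, the target service (telnet on port 23) and the zeroed checksums are assumptions made for the sample; real traffic would carry valid checksums.

```python
"""Two readings of 'filter port 421' applied to constructed TCP SYN packets."""
import struct
import ipaddress

TROJAN_TRIGGER_PORT = 421   # the client-side port the backdoored wrapper keys on
TCP_SYN = 0x02
TCP_ACK = 0x10


def build_syn(src_ip, dst_ip, sport, dport):
    """Construct a minimal IPv4 + TCP SYN packet (no options, no payload).

    Checksums are left at zero: this is constructed sample input for the
    example, not wire-accurate traffic.
    """
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45,   # version 4, IHL 5 (20-byte header)
                         0,      # TOS
                         40,     # total length: 20 IP + 20 TCP
                         0, 0,   # identification, flags/fragment offset
                         64,     # TTL
                         6,      # protocol: TCP
                         0,      # header checksum (not computed here)
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport,
                          0, 0,        # seq, ack
                          5 << 4,      # data offset: 5 words, no options
                          TCP_SYN,     # flags
                          8192,        # window
                          0, 0)        # checksum, urgent pointer
    return ip_hdr + tcp_hdr


def parse_tcp(pkt):
    """Return (src_ip, dst_ip, sport, dport, flags) for an IPv4/TCP packet, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:          # IP protocol field: only TCP is of interest here
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]    # flags byte follows the data-offset byte
    return src, dst, sport, dport, flags


def is_connection_attempt(flags):
    """A SYN without ACK is the packet that opens a new connection."""
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK)


def blocked_by_dport_rule(pkt):
    """The advisory as most readers will apply it: drop SYNs sent TO port 421."""
    p = parse_tcp(pkt)
    return p is not None and is_connection_attempt(p[4]) and p[3] == TROJAN_TRIGGER_PORT


def blocked_by_sport_rule(pkt):
    """What the backdoor actually keys on: drop SYNs sent FROM port 421."""
    p = parse_tcp(pkt)
    return p is not None and is_connection_attempt(p[4]) and p[2] == TROJAN_TRIGGER_PORT


# Constructed samples (assumed addresses). An attacker who is root on their
# own host can bind the privileged port 421 and connect from it to any
# wrapped service, telnet here; the second packet is an ordinary connection
# to port 421 itself, which is the only thing the destination-port rule sees.
TRIGGER_PKT = build_syn("203.0.113.7", "192.0.2.10", 421, 23)
DPORT_PKT = build_syn("203.0.113.7", "192.0.2.10", 40123, 421)


def evaluate(pkts):
    """Return {name: (dport_rule_blocks, sport_rule_blocks)} for each packet."""
    return {name: (blocked_by_dport_rule(p), blocked_by_sport_rule(p))
            for name, p in pkts.items()}


if __name__ == "__main__":
    samples = {"backdoor trigger (421 -> 23)": TRIGGER_PKT,
               "connection to port 421": DPORT_PKT}
    for name, (d, s) in evaluate(samples).items():
        print(f"{name:30} dport-421 rule: {'DROP' if d else 'pass'}   "
              f"sport-421 rule: {'DROP' if s else 'pass'}")
```

Run stand-alone, the table shows the trigger packet passing the destination-port rule untouched and being dropped only by the source-port rule. In modern iptables syntax the rule Bauer is asking for would be `iptables -A INPUT -p tcp --syn --sport 421 -j DROP` (the 1999-era tool was ipchains; the translation is mine). A perimeter rule is only a stopgap in either form: it does nothing for clients already inside the perimeter, and the actual fix is to replace the compromised tcp_wrappers build with one whose checksum and signature have been verified.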