# BSD users read



## Doonz (Jun 13, 2002)

INFORMATION ALERT


AN EMERGING ISSUE WITH: 
OpenSSH -- RECENT BUILD CONTAINS A TROJAN


SEVERITY:
Medium

DATE:
August 1, 2002


---------------------------------------------------------------
NOTE: This e-mail was sent from an unattended mailbox, so please do not reply to it. Our contact information appears at 
the end of this e-mail.

Some URLs in the article below may wrap to a second line. When that occurs, clicking on them does not work. To follow a multi-line link, please copy and paste its parts into your browser's address window to reassemble it into a working URL. For an easier-to-read HTML version of this article with live links, go to: https://www3.watchguard.com/archive/showhtml.asp?pack=135156

---------------------------------------------------------------


SUMMARY: 

In posts made public today on the FreeBSD security mailing list and on Bugtraq, Edwin Groothuis claims that one of the latest OpenSSH tarballs on the OpenBSD.org FTP site contains Trojan horse code. If you install the altered version of OpenSSH, a hacker could gain complete control of your system. There is no direct impact on WatchGuard products. Administrators who have recently installed OpenSSH should reboot their machines and re-install the clean version.


EXPOSURE: 

OpenSSH is a very popular, open-source implementation of Secure Shell (SSH) <http://www.webopedia.com/TERM/s/SSH.html>.

In a post to the FreeBSD security mailing list 
<http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security>,
Edwin Groothuis announced that he has found a backdoor in the latest version of OpenSSH on the OpenBSD.org FTP site. Edwin suspects that the altered version of OpenSSH is spreading to all the OpenBSD mirror sites. This specific tarball 
<http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?query=tarball> 
contains the Trojan:

<ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz>

The Trojan appears to execute once during the OpenSSH build process. When executed, it attempts to connect to 203.62.158.32 on port 6667. This IP address seems to belong to a machine compromised by the same hacker who uploaded the malicious OpenSSH tarball. The Trojan does not seem to affect the actual OpenSSH application files created during the build process.

If the Trojan is able to contact the IP address above, it seems to give the attacker three choices of action: respawn the Trojan, kill it, or open a remote root shell on the victim's machine. If the attacker opens a root shell he has total control of your machine. However, according to a post on Bugtraq, found at 
<http://online.securityfocus.com/archive/75/285547/2002-07-29/2002-08-04/0>, 
the owners of the compromised machine (203.62.158.32) discovered they were hacked and have secured the machine, so the hacker cannot leverage this Trojan any longer.

As we wrote this, OpenSSH released its own security advisory 
<http://online.securityfocus.com/archive/1/285554/2002-07-29/2002-08-04/0>
confirming the existence of the Trojan. The advisory adds that OpenSSH versions 3.2.2p1 and 3.4 also include this Trojan. They have replaced the malicious tarballs as of 7:00 am MDT, August 1.


SOLUTION PATH:

If you have recently installed OpenSSH, it may already be too late. We recommend you reboot your machine. According to Groothuis and other publicly-posting analysts, the Trojan runs only once, during the OpenSSH build process. Rebooting your machine should remove the malicious service from the machine's memory. We also recommend you uninstall the backdoored OpenSSH and re-install the newly released version. Although the binaries built by the "trojaned" OpenSSH are supposedly clean, it is always better to be safe than sorry.

Finally, this is a good example of why it is important to use signature files when downloading software. Signature files provide a means of verifying the authenticity of the file you are downloading. For more information on validating downloads with an MD5 checksum signature, see this CERT page <http://www.cert.org/security-improvement/implementations/i002.01.html>.

-- For WatchGuard Firebox and SOHO Users:

Since the WatchGuard SOHO and Firebox allow all outgoing connections by default, the solutions above are your primary recourse.

-- For ServerLock and AppLock/Web Users:

These vulnerabilities primarily affect Linux systems. However, it is possible to compile OpenSSH on a Solaris system as well. ServerLock for Solaris was specifically designed to protect against the damage caused by unauthorized users who might gain root privileges via a vulnerability of this nature. While ServerLock does not prevent this Trojan, it does protect core Solaris system files from corruption or modification, regardless of user privileges.


STATUS:

OpenBSD has replaced the infected tarballs. 


DIRECT IMPACT ON WATCHGUARD PRODUCTS:

None.


IMPACT ON NETWORKS PROTECTED BY WATCHGUARD PRODUCTS:

If you have recently downloaded portable OpenSSH v3.4 from the OpenBSD FTP site, you are susceptible to an attacker gaining total control of your machine.


REFERENCES:

Original Post to FreeBSD Security Mailing List 
<http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security>



This alert researched and written by Corey Nachreiner.


----------
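The alert's closing advice is to check a download against a published checksum before building it, because the Trojan ran during the build step, not from the finished binaries. The script below is an added example of that check, not code from the WatchGuard alert or from the OpenSSH project: it computes the digest of a downloaded file, compares it with a reference value obtained separately from the download (an advisory, a signed mail, a vendor page on a different host), and only runs the build command when the two agree. The file names and the expected digests are constructed for the demo (the digests are those of the small stand-in files the script writes itself, not real OpenSSH tarball hashes); `md5sum`/`sha256sum` or `openssl dgst` are assumed to be installed.

```shell
#!/bin/sh
# Added example: refuse to build a downloaded tarball whose checksum does not
# match a reference value published somewhere other than the download server.
# Not part of the original alert; file names and digests below are constructed.

# hash_file FILE ALGO  -> prints the hex digest (ALGO is md5 or sha256).
# Uses coreutils *sum when present, otherwise openssl's coreutils-style output.
hash_file() {
    file=$1; algo=$2
    if command -v "${algo}sum" >/dev/null 2>&1; then
        "${algo}sum" "$file" | cut -d' ' -f1
    else
        openssl dgst -"$algo" -r "$file" | cut -d' ' -f1
    fi
}

# verify_checksum FILE EXPECTED_HEX [ALGO]
#   Returns 0 when the digest matches, 1 on mismatch, 2 on a bad algorithm.
#   EXPECTED_HEX must come from an independent source: a checksum file sitting
#   next to the tarball on the same FTP server can be swapped along with it.
verify_checksum() {
    file=$1; expected=$2; algo=${3:-sha256}
    case "$algo" in
        md5|sha256) ;;
        *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    actual=$(hash_file "$file" "$algo")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "CHECKSUM MISMATCH for $file ($algo): expected $expected, got $actual" >&2
    return 1
}

# safe_build FILE EXPECTED_HEX ALGO BUILD_CMD [ARGS...]
#   Runs BUILD_CMD only after the checksum check passes, so a tampered tarball
#   never reaches its configure/make step (where the 2002 Trojan executed).
safe_build() {
    file=$1; expected=$2; algo=$3; shift 3
    if verify_checksum "$file" "$expected" "$algo"; then
        "$@"
        return $?
    fi
    echo "refusing to build $file" >&2
    return 1
}

# Demo on constructed stand-ins: a "clean" file and a modified copy of it.
demo() {
    tmp=$(mktemp -d)
    printf 'hello\n' > "$tmp/openssh-clean.tar.gz"          # constructed
    printf 'hello\nextra bytes\n' > "$tmp/openssh-tampered.tar.gz"  # constructed
    # Reference digests of the constructed clean file (sha256 and md5 of "hello\n").
    ref_sha256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    ref_md5=b1946ac92492d2347c6235b4d2611184

    safe_build "$tmp/openssh-clean.tar.gz" "$ref_sha256" sha256 \
        echo "clean tarball verified, build would run here"
    safe_build "$tmp/openssh-tampered.tar.gz" "$ref_sha256" sha256 \
        echo "THIS MUST NOT PRINT" || echo "tampered tarball rejected, build skipped"
    verify_checksum "$tmp/openssh-clean.tar.gz" "$ref_md5" md5 \
        && echo "md5 reference also matches the clean file"
    rm -rf "$tmp"
}

demo
```

The demo only shows the comparison step; in practice the reference digest is the part that needs care. A checksum file fetched from the same directory as the tarball proves nothing if the server itself was altered, which is exactly what happened here, so the value should be taken from a PGP-signed advisory or another host the attacker could not also have replaced.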

