Gentoo Forums
FYI: OpenSSH Trojan
mellofone
Apprentice

Joined: 13 Apr 2002
Posts: 286

PostPosted: Thu Aug 01, 2002 12:19 pm    Post subject: FYI: OpenSSH Trojan

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security

Says it all.
dioxmat
Bodhisattva

Joined: 04 May 2002
Posts: 709
Location: /home/mat

PostPosted: Thu Aug 01, 2002 12:24 pm

doesn't apply to gentoo.
the openbsd ftp server (which is hosted by Sun, on solaris servers :) was cracked and some packages on it were modified, including openssh, but there might be others.
Since gentoo doesn't use openbsd's ftp, no problem for us :)

remember, always check the md5sum of files you're downloading :)
_________________
mat
mellofone
Apprentice

Joined: 13 Apr 2002
Posts: 286

PostPosted: Thu Aug 01, 2002 12:32 pm

dioxmat wrote:
doesn't apply to gentoo.
the openbsd ftp server (which is hosted by Sun, on solaris servers :) was cracked and some packages on it were modified, including openssh, but there might be others.
Since gentoo doesn't use openbsd's ftp, no problem for us :)

remember, always check the md5sum of files you're downloading :)


I wasn't aware where gentoo originally got the file...
dioxmat
Bodhisattva

Joined: 04 May 2002
Posts: 709
Location: /home/mat

PostPosted: Thu Aug 01, 2002 12:37 pm

try emerging it:
>>> emerge net-misc/openssh-3.4_p1-r3 to /
>>> Downloading http://www.ibiblio.org/gentoo/distfiles/openssh-3.4p1.tar.gz

;)
_________________
mat
klieber
Administrator

Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA

PostPosted: Thu Aug 01, 2002 12:57 pm

Well, the files on ibiblio have to come from somewhere, don't they? :) The gentoo developers must have downloaded the source from another server at some point, though I imagine if the source they were using had the trojan in it, we would have heard about it by now.

For anyone who's especially concerned about this, simply untar the ibiblio source and search for the trojan code (mentioned in the link above). If you do this, please post the results here so others can sleep easier at night, too.

--kurt
_________________
The problem with political jokes is that they get elected
mellofone
Apprentice

Joined: 13 Apr 2002
Posts: 286

PostPosted: Thu Aug 01, 2002 1:03 pm

klieber wrote:
Well, the files on ibiblio have to come from somewhere, don't they? :) The gentoo developers must have downloaded the source from another server at some point, though I imagine if the source they were using had the trojan in it, we would have heard about it by now.
--kurt


That's what I meant :)
dioxmat
Bodhisattva

Joined: 04 May 2002
Posts: 709
Location: /home/mat

PostPosted: Thu Aug 01, 2002 1:17 pm

well, anyway, I doubt the packages come from ftp.openbsd.org :)
anyway, I downloaded the file from ibiblio.org.
it doesn't contain the trojan... (anyway, since the trojan lies in openbsd-compat/, gentoo isn't affected...)
_________________
mat
klieber
Administrator

Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA

PostPosted: Thu Aug 01, 2002 1:27 pm

dioxmat wrote:
well, anyway, I doubt the packages come from ftp.openbsd.org :)

Actually, I'd bet they *did* come from openbsd.org. The main download site for the linux version of OpenSSH is openbsd.org. The "open" in both names isn't coincidence -- both projects are related. (Theo de Raadt is the lead developer on both, I believe)
dioxmat wrote:
anyway, I downloaded the file from ibiblio.org.
it doesn't contain the trojan... (anyway, since the trojan lies in openbsd-compat/, gentoo isn't affected...)

Good to know. Thanks for checking.

--kurt
_________________
The problem with political jokes is that they get elected
klieber
Administrator

Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA

PostPosted: Thu Aug 01, 2002 1:46 pm

Since this is primarily a BSD issue, I'm moving this thread to In Other News.

--kurt
_________________
The problem with political jokes is that they get elected
chrb
n00b

Joined: 23 Jun 2002
Posts: 19

PostPosted: Thu Aug 01, 2002 1:57 pm

It's a shame that emerge requires you to be root to do the compile. It only really needs to be root to merge stuff into the local filesystem, and it would avoid giving a root shell to a trojaned package like this. The actual merge would still be done as root but it should avoid overwriting files from other packages by default. This would avoid any build trojans getting root, unless you run the built binary as root later, which is unlikely for 99% of packages. The worst you get from trojaned source is an unprivileged shell.
klieber
Administrator

Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA

PostPosted: Thu Aug 01, 2002 2:00 pm

sounds like a good topic for gentoo suggestions and/or feature request on bugs.gentoo.org. :)

--kurt
_________________
The problem with political jokes is that they get elected
dioxmat
Bodhisattva

Joined: 04 May 2002
Posts: 709
Location: /home/mat

PostPosted: Thu Aug 01, 2002 2:20 pm

I agree about the root issue, someone post it somewhere and come back tell us please :)
about openbsd.org being the server, I thought this was openssh.com and that the 2 were separated... maybe they aren't, maybe they are. oh well :)
the thing is, we should check this package a bit more imho. there might be another trojan hidden somewhere...
_________________
mat
abhishek
Retired Dev

Joined: 28 Jun 2002
Posts: 393
Location: Los Angeles, CA

PostPosted: Thu Aug 01, 2002 3:30 pm

dioxmat wrote:
doesn't apply to gentoo.
the openbsd ftp server (which is hosted by Sun, on solaris servers :) was cracked and some packages on it were modified, including openssh, but there might be others.
Since gentoo doesn't use openbsd's ftp, no problem for us :)

remember, always check the md5sum of files you're downloading :)

Actually, if you're emerging it this shouldn't be a problem because portage automatically checks the md5sum.
dioxmat
Bodhisattva

Joined: 04 May 2002
Posts: 709
Location: /home/mat

PostPosted: Thu Aug 01, 2002 3:45 pm

yes...
however, I wouldn't rely on md5sum checks for security problems, since it can be changed too (it wasn't changed for the openbsd package, because the guys who cracked the server are dumb, but that's another story :) ... and, anyway, we don't know if the md5sum comes from the server or was calculated by the guys who put it on ibiblio when they put the package on it.
for security problems, we should check the gpg sig if included (can't be fooled since the gpg sig comes from a developer most of the time :)
_________________
mat
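To make the point of the two posts above concrete (abhishek: Portage checks the md5sum; dioxmat: a checksum served by the same host proves nothing if that host was the one compromised), here is an added Python model that is not code from the thread or from Portage. A digest published next to the file on the download server passes even after a swap, because the attacker regenerates it; a digest recorded elsewhere beforehand (what the tree's digest does, and what a developer's GPG signature does more strongly, since it cannot be regenerated without the signing key) catches the swap. The tarball contents, the mirror model and all function names are constructed for illustration.

```python
import hashlib

# Constructed stand-in for the clean openssh-3.4p1.tar.gz
ORIGINAL_TARBALL = b"openssh-3.4p1 clean source (constructed sample)\n"
# Constructed stand-in for the modified tarball found on the cracked server
TROJANED_TARBALL = b"openssh-3.4p1 source plus extra code in openbsd-compat/ (constructed sample)\n"


def md5_hex(data: bytes) -> str:
    """MD5 digest as the hex string md5sum would print (constructed helper)."""
    return hashlib.md5(data).hexdigest()


def make_mirror(tarball: bytes) -> dict:
    """Model a download server that publishes the tarball and its .md5 side by side.
    Whoever can replace the tarball can replace the .md5 with the same access."""
    return {"tarball": tarball, "md5": md5_hex(tarball)}


def check_against_mirror_digest(mirror: dict) -> bool:
    """'Check the md5sum from the download site': verifies only that the file
    matches the digest served by the same host, so it also accepts a tampered
    file whose digest the attacker regenerated."""
    return md5_hex(mirror["tarball"]) == mirror["md5"]


def check_against_pinned_digest(mirror: dict, pinned_md5: str) -> bool:
    """What an out-of-band reference buys you: the value was recorded from the
    clean upstream file before the download, in a place the mirror attacker
    did not control, so a swapped tarball no longer matches."""
    return md5_hex(mirror["tarball"]) == pinned_md5


# Digest the packager recorded from the clean upstream file (constructed).
PINNED_MD5 = md5_hex(ORIGINAL_TARBALL)


def scenario_results() -> dict:
    """Run both checks against a clean mirror and a tampered one."""
    clean = make_mirror(ORIGINAL_TARBALL)
    tampered = make_mirror(TROJANED_TARBALL)  # attacker regenerated the .md5 too
    return {
        "clean_mirror_digest": check_against_mirror_digest(clean),
        "clean_pinned_digest": check_against_pinned_digest(clean, PINNED_MD5),
        "tampered_mirror_digest": check_against_mirror_digest(tampered),
        "tampered_pinned_digest": check_against_pinned_digest(tampered, PINNED_MD5),
    }


if __name__ == "__main__":
    for name, ok in scenario_results().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The only check that reports a failure is the pinned digest on the tampered mirror; the mirror's own digest passes in both cases, which is exactly why it adds no security once the mirror is the thing that was cracked.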
gotak
n00b

Joined: 08 Jul 2002
Posts: 17

PostPosted: Thu Aug 01, 2002 4:14 pm    Post subject: There's no point

What difference does it really make to have emerge run as non-root until install anyhow?

In this case a lot, but if the actual program's trojaned you'll still get rooted when the program's actually copied to its final location.

The only situation that I can see would help with emerge not running as root is if emerge itself has a bug exploitable from outside. But again you have to run emerge so that's not an easy bug to get at.

Finally, the change date on the trojaned tar ball is July 31st. So unless gentoo's copy came in yesterday or later we are fine. And I just checked we are fine. Or should be anyhow, don't take my word for it.
trythil
Tux's lil' helper

Joined: 06 Jun 2002
Posts: 123
Location: RHIT, Terre Haute, IN, USA

PostPosted: Fri Aug 02, 2002 4:04 am

It makes a big difference. In this case, the trojan was in the OpenSSH configure stage, which is run as root. If this trojan were to activate as an unprivileged user it would be active as just that.

Besides, one security maxim is that you should NEVER do ANYTHING that does NOT require special privileges as a privileged user. Compilation of binaries does not require special privileges; you can easily create a group "portage" (or something) and just cause portage to run as that until final install, when it can request setuid root and do the copying. (Even better would be a system that requested the user to enter the root password before it emerged anything, but that could get tedious.)
dioxmat
Bodhisattva

Joined: 04 May 2002
Posts: 709
Location: /home/mat

PostPosted: Fri Aug 02, 2002 7:58 am

I agree with trythil.
besides, we could have a portage group that has write access to /usr and such, so that even the install would not require you to be logged in as root...
_________________
mat
chrb
n00b

Joined: 23 Jun 2002
Posts: 19

PostPosted: Fri Aug 02, 2002 1:24 pm

ok, check http://bugs.gentoo.org/show_bug.cgi?id=5902. Comments and ideas are welcome..