FYI: OpenSSH Trojan

mellofone · Apprentice Joined: 13 Apr 2002 Posts: 286

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security

Says it all.

dioxmat · Posted: Thu Aug 01, 2002 12:24 pm Post subject:

doesnt apply to gentoo.
the openbsd ftp server (which is hosted by Sun, on solaris servers :) was cracked and some packages on it were modified, including openssh, but there might be others.
Since gentoo doesnt uses openbsd's ftp, no problem for us :)

remember, always check the md5sum of files you're downloading :)
_________________
mat

mellofone · Apprentice Joined: 13 Apr 2002 Posts: 286

dioxmat · Posted: Thu Aug 01, 2002 12:37 pm Post subject:

try emerging it:
>>> emerge net-misc/openssh-3.4_p1-r3 to /
>>> Downloading http://www.ibiblio.org/gentoo/distfiles/openssh-3.4p1.tar.gz

;)
_________________
mat

klieber · Posted: Thu Aug 01, 2002 12:57 pm Post subject:

Well, the files on ibiblio have to come from somewhere, don't they?

The gentoo developers must have downloaded the source from another server at some point, though I imagine if the source they were using had the trojan in it, we would have heard about it by now.

For anyone who's especially concerned about this, simply untar the ibiblio source and search for the trojan code. (mentioned in the link above) If you do this, please post the results here so others can sleep easier at night, too.

--kurt
_________________
The problem with political jokes is that they get elected

mellofone · Apprentice Joined: 13 Apr 2002 Posts: 286

dioxmat · Posted: Thu Aug 01, 2002 1:17 pm Post subject:

well, anyway, I doubt the packages come from ftp.openbsd.org :)
anyway, I downloaded the file from ibiblio.org.
it doesnt contains the troyan... (anyway, since the troyan lies in openbsd-compat/, gentoo isnt affected...)
_________________
mat

klieber · Posted: Thu Aug 01, 2002 1:27 pm Post subject:

klieber · Posted: Thu Aug 01, 2002 1:46 pm Post subject:

Since this is primarily a BSD issue, I'm moving this thread to In Other News.

--kurt
_________________
The problem with political jokes is that they get elected

chrb · n00b Joined: 23 Jun 2002 Posts: 19

its a shame that emerge requires you to be root to do the compile. It only really needs to be root to merge stuff into the local filesystem, and it would avoid giving a root shell to a trojaned package like this. The actual merge would still be done as root but it should avoid overwriting files from other packages by default. This would avoid any build trojans getting root, unless you run the built binary as root later which is unlikely for 99% of packages. The worst you get from trojaned source is an unpriviledged shell.

klieber · Posted: Thu Aug 01, 2002 2:00 pm Post subject:

sounds like a good topic for gentoo suggestions and/or feature request on bugs.gentoo.org.

--kurt
_________________
The problem with political jokes is that they get elected

dioxmat · Posted: Thu Aug 01, 2002 2:20 pm Post subject:

I agree about the root issue, someone post it somewhere and come back tell us please :)
about the openbsd.org being the server I though this was openssh.com and that the 2 were separated... maybe they arent, maybe they are. oh well :)
the thing is, we should check this package a bit more imho. there might be another troyan hidden somewhere...
_________________
mat

abhishek · Posted: Thu Aug 01, 2002 3:30 pm Post subject:

dioxmat · Posted: Thu Aug 01, 2002 3:45 pm Post subject:

yes...
however, I wouldnt rely on md5sum checks for security problems, since it can be changed too (it wasnt changed for the openbsd package, because the guys who cracked the server are dumb, but thats another story :) ... and, anyway, we dont know if the md5sum come from the server or was calculated by the guys who put it on iblio when they put the package on it.
for security problems, we should check the gpg sig if included (cant be fooled since the gpg sig come from a developer most of the time :)
_________________
mat

gotak · n00b Joined: 08 Jul 2002 Posts: 17

What's the differences does it really make to have emerge run as non root until install anyhow?

In this cause alot but if the actual program's trojaned you'll still get rooted when the program's actually copied to it's final location.

The only situation that i can see would help with emerge not running as root is if emerge itself has a bug exploitable from outside. But again you have you run emerge so that's not an easy bug to get at.

Finially the change date on the trojaned tar ball is july 31st. So unless gentoo's copy came in yesterday or later we are fine. And i just checked we are fine. Or should be anyhow don't take my word for it.

trythil · Posted: Fri Aug 02, 2002 4:04 am Post subject:

It makes a big difference. In this case, the trojan was in the OpenSSH configure stage, which is run as root. If this trojan were to activate as an unprivileged user it would be active as just that.

Besides, one security maxim is that you should NEVER do ANYTHING that does NOT require special privileges as a privileged user. Compilation of binaries does not require special privileges; you can easily create a group "portage" (or something) and just cause portage to run as that until final install, when it can request setuid root and do the copying. (Even better would be a system that requested the user to enter the root password before it emerged anything, but that could get tedious.)

dioxmat · Posted: Fri Aug 02, 2002 7:58 am Post subject:

I agree with trythil.
besides, we could have a portage group that have write acess to /usr and such, so that even the install would not require you to be logged as root...
_________________
mat

chrb · n00b Joined: 23 Jun 2002 Posts: 19

ok, check https://bugs.gentoo.org/show_bug.cgi?id=5902. Comments and ideas are welcome..