[ LUGOS ] Trojan horse in TCP Wrappers 7.6
Borut Mrak
borutm at bigfoot.com
Sat Jan 23 20:12:00 CET 1999
On Fri, 22 Jan 1999, Andrej Komelj wrote:
> If anyone has downloaded the tcp_wrappers-7.6.tar.gz package recently,
> they should have a look at this page:
>
> http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html
And here is what is on Bugtraq:
Oh, and I apologise if this belongs more in lugos-sec. But I don't want to crosspost.
From jtb at THEO2.PHYSIK.UNI-STUTTGART.DE Sat Jan 23 20:09:21 1999
Date: Fri, 22 Jan 1999 14:42:18 +0100
From: Jochen Thomas Bauer <jtb at THEO2.PHYSIK.UNI-STUTTGART.DE>
To: BUGTRAQ at netspace.org
Subject: Misleading CERT Advisory CA-99-01-Trojan-TCP-Wrappers
-----BEGIN PGP SIGNED MESSAGE-----
Hello,
The latest CERT Advisory about TCPwrappers containing a trojan horse
(CA-99-01-Trojan-TCP-Wrappers) seems to be partially incorrect.
CERT Advisory CA-99-01-Trojan-TCP-Wrappers:
I. Description
TCP Wrappers is a tool commonly used on Unix systems to monitor and
filter connections to network services.
[...]
The Trojan horse version of TCP Wrappers provides root access to
intruders on port 421. Additionally, upon compilation, this Trojan
horse version sends email to an external address.
[...]
III. Solution
[...]
As with any port, if you are not using port 421, we encourage you to
filter it at your network perimeter.
[...]
This suggests that an intruder has to connect to port 421/tcp to get a
root shell and therefore access to port 421/tcp should be blocked.
I guess that you have read Wietse Venema's mail that clearly states that
a root shell is obtained by connecting to a service that is started by
the TCPwrapper from(!) port 421.
>The backdoor gives access to a privileged shell when a client
>connects from port 421.
So all the people following the CERT Advisory will probably do the wrong
thing: blocking TCP(SYN) packets with destination port 421 instead of
blocking TCP(SYN) packets with source port 421 :-(
Jochen Bauer
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQEVAwUBNqh+UFthq5K12SiJAQFA0ggAsGtTsK17LSYlmn2swHGFWX7cGjPeSZln
D0pOqU3z17FxRP+LsEspxRtSm5bGjxSpsU76XxGcViLegW9C/I2YvqhHnYRCJuE6
sicBBBkNMqp1X7V9cmeZsqOjg/yG56Do8qx00KLLon5AqwS2Ku6IChvy151sY+c5
I5IvUtiVeskR4fsCa+eS5r3LOL94K8tk6kBj1gwFqYwcbuDx2Q424q8GcSz169Pc
vp9j0XenWKZ49Uu+uMAPCHkfvUZPwFfuudJK918o1jcC+3uAKEkpJPQ5Coj3J0rV
p647bqQXNPEm9XnK/oUYA1Y+D9wsMdR942C00zMDKANkk70AKDXklg==
=It6e
-----END PGP SIGNATURE-----
-------------------------------------------------
My PGP public key can be found on:
http://www.theo2.physik.uni-stuttgart.de/jtb.html
-------------------------------------------------
Jochen Bauer
Institute for Theoretical Physics
University of Stuttgart
Germany
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|Borut Mrak a.k.a. PyO-GEniC, a wannabe bofh, |
| borutm at bigfoot.com, borutmrak at hotmail.com |
| phone: +386 65 51248 and 61 267876 |
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Don't worry, I'm fluent in weirdo.
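The following is an added example, not part of the original post, of CERT's advisory or of TCP Wrappers itself. It models a tiny first-match packet filter in iptables-style rule syntax (the thread is from the ipchains era; the syntax is an assumption chosen for readability) and runs constructed sample SYNs through the rule the advisory suggests (drop SYNs to 421/tcp) and the rule the backdoor trigger actually calls for (drop inbound SYNs from source port 421). The hosts, ports and rule strings are constructed sample data; the only fact taken from the thread is that the trojaned tcpd hands out a root shell when the client's source port is 421.

```python
"""Added example: why 'drop --dport 421' does not stop the trojaned tcpd.

The backdoor keys on the TCP *source* port of the client (421), on whatever
wrapped service the client connects to. A perimeter filter that only drops
SYNs *destined* to 421/tcp lets the trigger straight through.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

BACKDOOR_PORT = 421  # client source port that triggers the trojaned tcpd


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True  # True for a connection-opening SYN


@dataclass(frozen=True)
class Rule:
    sport: Optional[int]
    dport: Optional[int]
    syn_only: bool
    target: str


def parse_rule(text: str) -> Rule:
    """Parse a minimal iptables-style TCP rule such as
    '-A INPUT -p tcp --syn --dport 421 -j DROP' (assumed syntax subset)."""
    toks = shlex.split(text)
    sport = dport = None
    syn_only = False
    target = "ACCEPT"
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "--sport":
            sport = int(toks[i + 1]); i += 2
        elif t == "--dport":
            dport = int(toks[i + 1]); i += 2
        elif t == "--syn":
            syn_only = True; i += 1
        elif t == "-j":
            target = toks[i + 1]; i += 2
        elif t in ("-A", "-p"):
            i += 2  # chain and protocol accepted but not modelled (TCP only)
        else:
            raise ValueError(f"unsupported token {t!r}")
    return Rule(sport, dport, syn_only, target)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.syn_only and not pkt.syn:
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    return True


def verdict(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; default policy ACCEPT."""
    for r in rules:
        if matches(r, pkt):
            return r.target
    return "ACCEPT"


def trigger_gets_through(rules: List[Rule], pkt: Packet) -> bool:
    """True if a SYN carrying the backdoor trigger reaches a wrapped service."""
    return pkt.sport == BACKDOOR_PORT and verdict(rules, pkt) == "ACCEPT"


# Constructed sample traffic towards a host running the trojaned tcpd.
TRIGGER = Packet("203.0.113.7", 421, "192.0.2.10", 23)     # telnet, from port 421
NORMAL = Packet("203.0.113.7", 40123, "192.0.2.10", 23)    # ordinary telnet client
TO_421 = Packet("203.0.113.7", 40124, "192.0.2.10", 421)   # what the advisory blocks
REPLY_FROM_421 = Packet("192.0.2.10", 421, "203.0.113.7", 40124, syn=False)

CERT_RULES = [parse_rule("-A INPUT -p tcp --syn --dport 421 -j DROP")]
FIXED_RULES = [parse_rule("-A INPUT -p tcp --syn --sport 421 -j DROP")]

if __name__ == "__main__":
    for name, rules in (("advisory (--dport 421)", CERT_RULES),
                        ("corrected (--sport 421)", FIXED_RULES)):
        print(f"{name}: trigger reaches tcpd = {trigger_gets_through(rules, TRIGGER)}, "
              f"normal telnet = {verdict(rules, NORMAL)}, "
              f"SYN to 421 = {verdict(rules, TO_421)}")
```

Running it shows the advisory's rule dropping only the harmless SYN to 421/tcp while the trigger SYN from source port 421 is accepted, and the corrected rule dropping the trigger while ordinary clients are unaffected. The `--syn` qualifier matters: it keeps the source-port rule from also dropping non-SYN segments such as replies from a legitimate server that happens to listen on 421, which is the caveat a practitioner would want before deploying the rule.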
More information about the Starilist list