wuarchive ftpd Trojan
Christopher Klaus
Well, finally has happened again. a major program has been trojaned.
CERT advisory as always lacks any concrete information about it
other than to say, you need to get the newest version.
It might be more useful to say what the trojan was. or how
it was implemented because How do I know some intruder stick
his trojan into the newest version of wu-ftp and sendmail as well?
Id like to point out that 8lgm (Karl Strickland and Neil Woods)
were contributors to the fact that CERT released this advisory.
From cert-advis...@cert.org Wed Apr 6 13:37:03 1994
Received: from cert.org (cert.org [192.88.209.5]) by shadow.net (8.6.8.1/jc-1.0) with SMTP id NAA26148 for <ckl...@shadow.net>; Wed, 6 Apr 1994 13:37:02 -0400
Received: from clorets.cert.org by cert.org (4.1/cert-5.2)
id AA00802; Wed, 6 Apr 94 13:21:26 EDT
Received: by clorets.cert.org (5.65/2.5)
id AA02450; Wed, 6 Apr 94 12:54:39 -0400
Message-Id: <940406165...@clorets.cert.org>
From: CERT Advisory <cert-advis...@cert.org>
Date: Wed, 6 Apr 94 12:51:16 EDT
To: cert-a...@cert.org
Subject: CERT Advisory - wuarchive ftpd Trojan Horse
Organization: Computer Emergency Response Team : 412-268-7090
Status: OR
=============================================================================
CA-94:07 CERT Advisory
April 6, 1994
wuarchive ftpd Trojan Horse
-----------------------------------------------------------------------------
The CERT Coordination Center has received confirmation that some copies
of the source code for the wuarchive FTP daemon (ftpd) were modified by
an intruder, and contain a Trojan horse.
We strongly recommend that any site running the wuarchive ftpd take steps
to immediately install version 2.3, or disable their FTP daemon.
-----------------------------------------------------------------------------
I. Description
Some copies of the source code for versions 2.2 and 2.1f of the
wuarchive ftpd were modified by an intruder, and contain a Trojan
horse. If your FTP daemon was compiled from the intruder-modified
source code, you are vulnerable.
It is possible that previous versions of the source code for the server
were modified in a similar manner.
If you are running the wuarchive ftpd, but not providing anonymous FTP
access, you are still vulnerable to this Trojan horse.
II. Impact
An intruder can gain root access on a host running an FTP daemon
that contains this Trojan horse.
III. Solution
We strongly recommend that any site running the wuarchive ftpd (version
2.2 or earlier) take steps to immediately install version 2.3.
If you cannot install the new version in a timely manner, you should
disable FTP service. It is not sufficient to disable anonymous FTP.
You must disable the FTP daemon.
Sites can obtain version 2.3 via anonymous FTP from ftp.uu.net, in the
"/networking/ftp/wuarchive-ftpd" directory. We recommend that you turn
off your FTP server until you have installed the new version.
Be certain to verify the checksum information to confirm that you have
retrieved a valid copy.
BSD SVR4
File Checksum Checksum MD5 Digital Signature
----------------- -------- --------- --------------------------------
wu-ftpd-2.3.tar.Z 24416 181 30488 361 e58adc5ce0b6eae34f3f2389e9dc9197
---------------------------------------------------------------------------
The CERT Coordination Center wishes to thank Bryan O'Connor and Chris Myers
of Washington University in St. Louis for their invaluable assistance in
resolving this problem. CERT also gratefully acknowledges the help of
Neil Woods and Karl Strickland.
---------------------------------------------------------------------------
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).
If you wish to send sensitive incident or vulnerability information to
CERT via electronic mail, CERT strongly advises that the e-mail be encrypted.
CERT can support a shared DES key, PGP (public key available via
anonymous FTP on info.cert.org), or PEM (contact CERT for details).
Internet E-mail: ce...@cert.org
Telephone: 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
and are on call for emergencies during other hours.
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Past advisories, information about FIRST representatives, and other
information related to computer security are available via anonymous
FTP from info.cert.org.
--
Christopher William Klaus Email: ckl...@shadow.net Author:Inet Sec. Scanner
2209 Summit Place Drive,Dunwoody, GA 30350-2430. (404)998-5871.
Dave Sill
>
>CERT advisory as always lacks any concrete information about it
>other than to say, you need to get the newest version.
>
>
>It might be more useful to say what the trojan was. or how
>it was implemented because How do I know some intruder stick
>his trojan into the newest version of wu-ftp and sendmail as well?
The trojan allowed one to bypass the password check. A more interesting
question is: how was the trojan planted? All we know so far is that it
wasn't planted using wu-ftpd.
>II. Impact
>
> An intruder can gain root access on a host running an FTP daemon
> that contains this Trojan horse.
Not if root is in /etc/ftpusers.
--
Dave Sill (d...@ornl.gov) I dream of a televisionland where it will be
Martin Marietta Energy Systems as hard for a network to expose us to violence
Workstation Support as it is for me to tell someone they have
spinach on their teeth. --Paula Poundstone
URL http://www.dec.com/pub/DEC/DECinfo/html/dsill.html
PE. Smee
Christopher Klaus <ckl...@anshar.shadow.net> wrote:
>CERT advisory as always lacks any concrete information about it
>other than to say, you need to get the newest version.
>
>It might be more useful to say what the trojan was. or how
>it was implemented because How do I know some intruder stick
>his trojan into the newest version of wu-ftp and sendmail as well?
I have that sort of feeling, too. Even more paranoically, how do I
know that the current CERT advisory is genuine? Maybe wu-ftp 2.1 is
perfectly safe, wu-ftp 2.3 is the one with the trojan in it, and the
advisory is a clever hack to get everyone to install the trojan on
their system? A bit of 'here's what to look for' info and explanation
would make ME feel a lot more comfortable.
--
Paul Smee, Computing Service, University of Bristol, Bristol BS8 1UD, UK
P.S...@bristol.ac.uk - Tel +44 272 303132 - FAX +44 272 291576
Dave Sill
>
>I have that sort of feeling, too. Even more paranoically, how do I
>know that the current CERT advisory is genuine?
Call them and ask.
>Maybe wu-ftp 2.1 is
>perfectly safe, wu-ftp 2.3 is the one with the trojan in it, and the
>advisory is a clever hack to get everyone to install the trojan on
>their system?
Scrutinize the source diffs if you're that paranoid.
>A bit of 'here's what to look for' info and explanation
>would make ME feel a lot more comfortable.
That's already been posted, and all I can say is I'm glad my ftpd's are clean.
Arnd Vehling
ckl...@anshar.shadow.net (Christopher Klaus) writes:
>Well, finally has happened again. a major program has been trojaned.
[..]
>From: CERT Advisory <cert-advis...@cert.org>
>Subject: CERT Advisory - wuarchive ftpd Trojan Horse
[..]
>The CERT Coordination Center has received confirmation that some copies
>of the source code for the wuarchive FTP daemon (ftpd) were modified by
>an intruder, and contain a Trojan horse.
I know that my request will make some people suspicious about my intentions
but anyway... i would like to obtain a copy of the source for private study.
Any pointers to how i can obtain a copy of the relevant source-code would
be greatly appreciated.
thanx
A. Vehling p...@wg.saar.de
Tel.: +49 681 61300
Fax.: 638641
PE. Smee
Dave Sill <d...@de5.CTD.ORNL.GOV> wrote:
>In article <Cnvu3...@info.bris.ac.uk>, cc...@sun.cse.bris.ac.uk (PE. Smee) writes:
>>would make ME feel a lot more comfortable.
>
That showed up here a couple of hours after I posted mine.
(TransAtlantic link is a bit slow right now, owing to cable problems.)
Assuming it was correct (and I can see how it could have been) then we
too are OK. Just as well, we've got other problems at the moment, and
more aren't required. :-)
Christopher Samuel
In article <Cnvu3...@info.bris.ac.uk> of comp.security.unix,
P.S...@bristol.ac.uk (Paul Smee) doodled:
> I have that sort of feeling, too. Even more paranoically, how do I
> know that the current CERT advisory is genuine? Maybe wu-ftp 2.1 is
> perfectly safe, wu-ftp 2.3 is the one with the trojan in it, and the
> advisory is a clever hack to get everyone to install the trojan on
> their system? A bit of 'here's what to look for' info and explanation
> would make ME feel a lot more comfortable.
Here's what came through on TDRs PROBLEMS mailing list today:
Date: Thu, 07 Apr 1994 23:20:35 -0500 (EST)
Message-ID: <94-0020....@TDR.COM>
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
From: Problem Reporting Service <PROB...@TDR.COM>
Subject: 0020 - Unauthorized Root Access from FTP daemon
To: Recipients of list Problems <PROB...@TDR.COM>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
- -----
System: Any system providing FTP service
Summary: Bugs in the FTP daemon (FTPD) can give someone root
priveleges.
Reported-By: Various sources including bugtraq and CIAC
Interest-To: Persons running ANY FTPD daemon
Capsule: CIAC reported that the sources to the FTPD daemon from
wuarchive contain a trapdoor in versions 2.1f and 2.2.
While the error is reported in the FTPD sources from
wuarchive.wustl.edu ("Wuarchive") versions 2.1f and 2.2
they can equally apply to ANY FTPD daemon.
Explanation of what is happening: The CIAC reports don't say why (as
usual) but apparently what happened
is that the FTPD daemon would allow
a null password as valid. So all
someone has to do is use the username
of 'root' with a null password, and
guess what account the user will have
read and write access to. Can you
say 'all files on the system' boys
and girls? I knew you could!
Repair or Correction: Check the source you have, the password checking
should compare it against the constant 'NULL'
(that's NULL in all caps.) If you have the
wuarchive FTPD, be sure it's version 2.3.
Also, I would suggest, if you have the source to
an FTPD, to modify it to check for 'root' as the
username, and unless you think it's necessary for
root to log on to FTP at your site, to cause use
of 'root' as the account to create a simulated
login, perhaps logging the offender's connection,
pretending to accept a password, then severing
the connection, e.g. any use of 'root' will cause
the connection to fail.
- ------
Feel free to circulate this or other PROBLEMS messages.
To Reply to this message, write to <PROB...@TDR.COM>; to subscribe use
newsgroup <tdr.problems> or write <PROBLEMS...@TDR.COM>.
In article <Cnvu3...@info.bris.ac.uk> of comp.security.unix,
P.S...@bristol.ac.uk (Paul Smee) doodled:
> I have that sort of feeling, too. Even more paranoically, how do I
> know that the current CERT advisory is genuine? Maybe wu-ftp 2.1 is
> perfectly safe, wu-ftp 2.3 is the one with the trojan in it, and the
> advisory is a clever hack to get everyone to install the trojan on
> their system? A bit of 'here's what to look for' info and explanation
> would make ME feel a lot more comfortable.
Here's what came through on TDRs PROBLEMS mailing list today:
Date: Thu, 07 Apr 1994 23:20:35 -0500 (EST)
Message-ID: <94-0020....@TDR.COM>
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
From: Problem Reporting Service <PROB...@TDR.COM>
Subject: 0020 - Unauthorized Root Access from FTP daemon
To: Recipients of list Problems <PROB...@TDR.COM>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
- -----
System: Any system providing FTP service
Summary: Bugs in the FTP daemon (FTPD) can give someone root
priveleges.
Reported-By: Various sources including bugtraq and CIAC
Interest-To: Persons running ANY FTPD daemon
Capsule: CIAC reported that the sources to the FTPD daemon from
wuarchive contain a trapdoor in versions 2.1f and 2.2.
While the error is reported in the FTPD sources from
wuarchive.wustl.edu ("Wuarchive") versions 2.1f and 2.2
they can equally apply to ANY FTPD daemon.
Explanation of what is happening: The CIAC reports don't say why (as
usual) but apparently what happened
is that the FTPD daemon would allow
a null password as valid. So all
someone has to do is use the username
of 'root' with a null password, and
guess what account the user will have
read and write access to. Can you
say 'all files on the system' boys
and girls? I knew you could!
Repair or Correction: Check the source you have, the password checking
should compare it against the constant 'NULL'
(that's NULL in all caps.) If you have the
wuarchive FTPD, be sure it's version 2.3.
Also, I would suggest, if you have the source to
an FTPD, to modify it to check for 'root' as the
username, and unless you think it's necessary for
root to log on to FTP at your site, to cause use
of 'root' as the account to create a simulated
login, perhaps logging the offender's connection,
pretending to accept a password, then severing
the connection, e.g. any use of 'root' will cause
the connection to fail.
- ------
Feel free to circulate this or other PROBLEMS messages.
To Reply to this message, write to <PROB...@TDR.COM>; to subscribe use
newsgroup <tdr.problems> or write <PROBLEMS...@TDR.COM>.
-----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQCVAgUBLaVMa1J7nmUlvnM9AQH2rQP+IxX5/r2/50fgO1PI3WFXrGUe9SowGpJy
ejrljZCFJi00PLmGfyMt3czZtpWvxOM6vEK/S+QZnQIJyWcIiHjgAx/da7oRZeuL
IHjh33alPQTHiEirw/YcAWGNpeQvY7APx3CDAUDG0cHpDW3WBCqx4U/fogCJdbMs
/1eKBocwPvA=
=FkxZ
-----END PGP SIGNATURE-----
--
Christopher Samuel Phone: +44 684 895311 ch...@rivers.dra.hmg.gb
N-115, Defence Research Agency, St Andrews Road, Great Malvern, England, UK
PGP Key fingerprint = EC 51 54 8C 12 72 AB 40 A3 E7 6E C8 03 AB 8E C7
GO(CS) d-- -p+ c++ l++ u+(-) e- m+ m--- s/+ !n h- f++ g+ w+ t+@ r+ y?
Dave Sill
>
>Here's what came through on TDRs PROBLEMS mailing list today:
>
>Date: Thu, 07 Apr 1994 23:20:35 -0500 (EST)
No, only those site running the trojaned versions of wu-ftpd.
>Summary: Bugs in the FTP daemon (FTPD) can give someone root
> priveleges.
Not bugs--deliberately planted malicious code. Only allows root access on
those sites poorly-enough managed to allow privileged FTP access.
> ... So all
> someone has to do is use the username
> of 'root' with a null password, and
> guess what account the user will have
> read and write access to.
No, not a null password, the password NULL.
> Can you
> say 'all files on the system' boys
> and girls? I knew you could!
Can you say /etc/ftpusers? If not, you shouldn't be a system administrator.
>Repair or Correction: Check the source you have, the password checking
> should compare it against the constant 'NULL'
> (that's NULL in all caps.) If you have the
> wuarchive FTPD, be sure it's version 2.3.
Which will, of course, match many occurences of the NULL macro. One needs to
search for "NULL", i.e.,
% grep \"NULL\" src/*.c
> Also, I would suggest, if you have the source to
> an FTPD, to modify it to check for 'root' as the
> username, and unless you think it's necessary for
> root to log on to FTP at your site, to cause use
> of 'root' as the account to create a simulated
> login, perhaps logging the offender's connection,
> pretending to accept a password, then severing
> the connection, e.g. any use of 'root' will cause
> the connection to fail.
Better yet, modify it to read a file containing a list of users to be denied
access. Call it, say, /etc/ftpusers. BTW, this is a standard ftpd feature,
and is ALREADY PROVIDED by wu-ftpd and every other UNIX ftpd I've ever seen.
Is this representative of the quality of information on the PROBLEMS mailing
list?
Del Armstrong
(Christopher Klaus) writes:
>Well, finally has happened again. a major program has been trojaned.
You say 'again'. When was the last time a major program had been
subverted this way?
Thanks.
Del Armstrong
----------------------------------------------------------------------
de...@ceas.rochester.edu rutgers!ur-valhalla!dela
Computing and Networking Group, College of Engineering
University of Rochester, Rochester, NY
DFRussell
>You say 'again'. When was the last time a major program had been
>subverted this way?
This question wasn't addressed to me, however. . .
If I recall correctly, the C compiler was hacked several years
ago (by someone who knew better) to modify itself and also drop
a trapdoor in the login command.
It was a very interesting/elegant hack. . .
The C compiler is written in C; therefore, it is used to compile
itself. Code was inserted into the C compiler to do the following:
1. drop a "trapdoor" in the login command (similiar to ftpd effect).
2. modify the object coming from the C compiler to install the same
changes into all C compilers compiled with it (i.e., it was
self-replicating).
The ftpd problem could be "fixed" by removing the offending line and
re-compiling. Imagine the problems associated with a hacked C compiler. . .
--
.----------------------------------------------------------------.
| DFRussell / dfru...@unixmail.rtpnc.epa.gov |
| Martin Marietta for U.S. EPA NDPD |
| P.O. Box 14365, MD-4501-1B |
| Research Triangle Park, NC 27709 |
| (919) 541-2901, fax (919) 541-1948 |
| |
| Tiger! Tiger! burning bright, in the forests of the night |
| What immortal hand or eye, could frame thy fearful symmetry. |
'----------------------------------------------------------------'
DISCLAIMER: views and opinions expressed herein are mine. Not
Martin Marietta's -- not the EPA's -- mine!
Erick Herring
>> You say 'again'. When was the last time a major program had
>> been subverted this way?
DFRussell> This question wasn't addressed to me, however. . .
DFRussell> [description of cc being subverted to breach login
DFRussell> security deleted...]
If I remember correctly, this hypothetical situation came from Ken
Thompson's Turing Award lecture "On trusting trust" -- though it could
have been someone else on some other occasion. I couldn't find my
reference. One of the points was that paranoia must have limits.
DFRussell> It was a very interesting/elegant hack. . .
To the best of my knowledge, this never happened.
DFRussell> [summary of how one might trojan a c compiler
DFRussell> deleted...]
DFRussell> The ftpd problem could be "fixed" by removing the
DFRussell> offending line and re-compiling. Imagine the problems
DFRussell> associated with a hacked C compiler. . .
Yes, it is frightening. Luckily we have gcc. :-)
Erick
Pierre Asselin
her...@iesd.auc.dk (Erick Herring) writes:
>If I remember correctly, this hypothetical situation came from Ken
>Thompson's Turing Award lecture "On trusting trust" -- though it could
>have been someone else on some other occasion. I couldn't find my
>reference. One of the points was that paranoia must have limits.
>To the best of my knowledge, this never happened.
According to the Jargon file (3.0.0, 27 JUL 1993) it did happen.
Look up `back door'.
The reference is given as
Ken Thompson,
"Reflections on Trusting Trust"
Communications of the ACM 27(8):761-63 (Aug. 1984)
--
--Pierre Asselin, Santa Barbara, California
p...@verano.sba.ca.us
Szymon Sokol
: DFRussell is: drus...@gisws6.rtpnc.epa.gov
: >> You say 'again'. When was the last time a major program had
: >> been subverted this way?
: DFRussell> This question wasn't addressed to me, however. . .
: DFRussell> [description of cc being subverted to breach login
: DFRussell> security deleted...]
: If I remember correctly, this hypothetical situation came from Ken
: Thompson's Turing Award lecture "On trusting trust" -- though it could
: have been someone else on some other occasion. I couldn't find my
: reference. One of the points was that paranoia must have limits.
: DFRussell> It was a very interesting/elegant hack. . .
: To the best of my knowledge, this never happened.
To the best of my knowledge ;-) Thompson actually *did* it in one early version
of Unix (before V7). I do not think anyone is still running that version, but
still, such a possibility is quite frightening.
--
Szymon Sokol -- Network Manager
U U M M M M University of Mining and Metallurgy, Computer Center
U U MM MM MM MM ave. Mickiewicza 30, 30-059 Krakow, POLAND
U U M M M M M M M M TEL. +48 12 338100 EXT. 2885 FAX +48 12 338907
UUUUU M M M M M M finger szy...@galaxy.uci.agh.edu.pl for PGP key
WWW page: http://www.uci.agh.edu.pl/~szymon
John F. Haugh II
>In <HERRING.94...@hardy.iesd.auc.dk>
>her...@iesd.auc.dk (Erick Herring) writes:
>>If I remember correctly, this hypothetical situation came from Ken
>>Thompson's Turing Award lecture "On trusting trust" -- though it could
>>have been someone else on some other occasion. I couldn't find my
>>reference. One of the points was that paranoia must have limits.
>
>>To the best of my knowledge, this never happened.
>
>According to the Jargon file (3.0.0, 27 JUL 1993) it did happen.
>Look up `back door'.
Just because Ken gave a lecture doesn't mean he actually created the
back door. Jules Verne wrote a book about flying to the moon. He
never flew to the moon either ...
--
John F. Haugh II [ NRA-ILA ] [ Kill Barney ] !'s: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 251-2151 [GOP][DoF #17][PADI][ENTJ] @'s: j...@rpp386.cactus.org
There are three documents that run my life: The King James Bible, the United
States Constitution, and the UNIX System V Release 4 Programmer's Reference.
Ariel Faigon
: In article <Co2sv...@verano.sba.ca.us> p...@verano.sba.ca.us (Pierre Asselin) writes:
: >In <HERRING.94...@hardy.iesd.auc.dk>
: >her...@iesd.auc.dk (Erick Herring) writes:
: >>If I remember correctly, this hypothetical situation came from Ken
: >>Thompson's Turing Award lecture "On trusting trust" -- though it could
: >>have been someone else on some other occasion. I couldn't find my
: >>reference. One of the points was that paranoia must have limits.
: >
: >>To the best of my knowledge, this never happened.
: >
: >According to the Jargon file (3.0.0, 27 JUL 1993) it did happen.
: >Look up `back door'.
: Just because Ken gave a lecture doesn't mean he actually created the
: back door. Jules Verne wrote a book about flying to the moon. He
: never flew to the moon either ...
:
Hey, but read what Pierre said, he never said that it was used
by Ken Thompson himself. He just said that "it happened".
Heck, he even gave a reference that you can check too (I did).
The reference refers to RTM's worm and the sendmail 'debug' option
this is a classic case of a back door. You may argue that the
one who used it was not necessarily the one that created it,
but it was a (well known) back door anyway as the Jargon file says.
--
Peace, Ariel ari...@mirage.nsc.com