[Techtalk] Fwd: OpenSSH trojan?

hobbit at aloss.ukuu.org.uk
Sat Aug 3 15:24:57 EST 2002


I'm not sure whether I should actually redirect this to newchix.
I think most people here will know all of this. But some might
not.

On Sat, Aug 03, 2002 at 09:29:40AM +0100 or thereabouts, James wrote:
> On Fri, 2 Aug 2002, Conor Daly wrote:
> 
> > Saw this on the ssh mailing list.  Something to watch out for?
> 
> It's something to be aware of, especially in other packages. Fortunately, 
> all this specific Trojan did is give a root shell to a specific machine 
> the perpetrator was using: that machine has now been reinstalled 
> (securely!), so nobody can actually USE this Trojan maliciously now.
> 
> Apparently this has happened twice before, in similar circumstances (but 
> to different servers) - although anyone installing from the FreeBSD 
> "ports" tree is safe (it checks MD5 fingerprints against FreeBSD's own 
> database, which wasn't compromised) - likewise Gentoo's "portage", 
> apparently.
> 
> So, in short: it's not a significant security issue in itself (the only 
> way of exploiting it has now been closed), but it does show that we should 
> all be careful where we get our programs from...

None of the below will help you if the original package is
trojaned on the master site, but for those people who are
experiencing some "how do I check these things?" moments,
here's some bits and pieces. Perhaps someone could expand
on them. I am woefully clueless on a lot of it. I just
picked it up in bits and pieces. It's hopelessly Linux-
specific and particularly rpm-specific, but it might help.

People who use vendor-provided rpms from mirrors (and we
all do use mirrors to save pressure on the main sites,
don't we? No..? :)) should be aware that after downloading 
it and before installing it, you can (and should) check an 
rpm with

	rpm -K packagename.rpm
	rpm --checksig packagename.rpm

and you can get extra information with rpm -Kv or rpm -Kvv,
including what it thinks the md5sum and gpg signature (if
present) are. I only found -Kv and -Kvv the other day and
I still think they're dead cool. 

In particular, most vendors GPG-sign their rpms. GnuPG is
often described as a way to encrypt things, but it also provides
a way to sign things. Even if you have no need to encrypt
things -- or think you have no need to -- the signing is
very very worth knowing about.

By checking the signature against the separately-distributed
GPG key, you can check it really came from your vendor's
main ftp site and that the mirror itself hasn't been compromised.
(So if the main site is caught, we're all in trouble :)) 

On a RH-specific note, the rawhide packages are not official
updates and are not signed. 

You can get the vendor key from the CDs you bought (if you
did), or from the website (well, I found RH's on the web, 
although it's http:// so perhaps I am not really seeing the 
real RH site :)) I never thought to look on the keyservers
for vendor keys, but that's another place you can look.

You can also check the signature of the kernels you collect
from mirrors of xx.kernel.org. For example, looking at 
ftp://ftp.uk.kernel.org:/pub/linux/kernel/v2.4/ I see
-rw-r--r--   1 mirrors  mirrors    722077 Aug 16  2001 patch-2.4.9.gz
-rw-r--r--   1 mirrors  mirrors       248 Aug 16  2001 patch-2.4.9.gz.sign

The associated website says
   To guard against Trojan mirror sites, all files originating at the
   Linux Kernel Archives are [50]cryptographically signed. If you are
   getting a message that the verification key has expired, please see
   [51]this link.

Link [50] there is to http://www.kernel.org/signature.html :
   Files placed in the Linux Kernel Archives are automatically
   OpenPGP-signed by the archive. This signature can be used to prove
   that a file, which may have been obtained from a mirror site or other
   location, really originated at the Linux Kernel Archives.

   The current Linux Kernel Archives OpenPGP key is always posted here,
   including any revocation certificates which may be outstanding on
   older keys.

   This signature does not guarantee that the Linux Kernel Archives
   master site itself has not been compromised. However, if we suffer an
   intrusion we will revoke the key and post information here as quickly
   as possible.

It goes on to walk you through how you check file-x.y.gz with
file-x.y.gz.sign. 

I don't know the Debian set-up. I believe packages are checked
as they arrive on the site and you trust it because of that? 

As a side-note, the only time I've ever had rpm -K say "Eek! This
file might not be what you think!" was -- of all things -- on
tripwire, the security program :) 

My heart absolutely leapt into my mouth. All I could think was
"Well, I suppose something that holds the database you check
against to watch for crackers is a good one to attack". 

It (of course) turned out to be a corrupted download. I had
hoped that 'reget' would get it, but it hadn't. When I recollected
it from a less dodgy connection, I got a happier package. 

If someone can fill in other useful stuff, or correct any errors
I fear I've made, that would be very cool.

I suppose I should sign this to prove it came from me, but if
it's all wrong then I shall want to deny I ever said it. So 
perhaps I shouldn't sign it after all :) 

Telsa
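An added worked example (editor's addition, not part of Telsa's post and not
kernel.org's or Red Hat's own tooling) of the two checks the post describes:
verifying a downloaded file against its detached .sign and, in passing, why a
corrupted download such as the tripwire rpm above fails the check. It generates
a throwaway signing key on the spot so it runs offline; the key, the user-id
demo@example.invalid, the file name patch-2.4.9.gz and its contents are all
constructed for the demo and stand in for the vendor's published key and the
real tarball.

```shell
#!/bin/sh
# Added example: the file-x.y.gz / file-x.y.gz.sign workflow end to end,
# with a locally generated key so nothing needs the network.  Everything
# below (key, user-id, file name, file contents) is constructed for the demo.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg is required" >&2; exit 1; }

# A private keyring: nothing here touches ~/.gnupg.
WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupghome"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# make_key USER-ID: generate an unprotected RSA signing key in the test
# keyring and print its full fingerprint (what a vendor publishes out of band,
# on the CD or its key page, and what you compare against).
make_key() {
    gpg --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Demo Kernel Archive
Name-Email: $1
Expire-Date: 0
%commit
EOF
    gpg --batch --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# sign_file USER-ID FILE: produce FILE.sign, an ASCII-armoured detached
# signature like the ones sitting beside each kernel tarball on the mirrors.
sign_file() {
    gpg --batch --yes --quiet --armor --detach-sign --local-user "$1" \
        --output "$2.sign" "$2"
}

# verify_detached FILE SIG EXPECTED-FINGERPRINT
# Succeeds only for a good signature over FILE made by the key whose
# fingerprint you obtained separately.  A bare "gpg --verify" reports "Good
# signature" for ANY key in your keyring, so a script must also check who
# signed; the machine-readable VALIDSIG status line carries the fingerprint.
verify_detached() {
    status="$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null)" || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $3 "
}

# --- constructed fixture: a "tarball" plus its .sign, as you would fetch them
FPR="$(make_key demo@example.invalid)"
printf 'pretend this is patch-2.4.9.gz\n' > "$WORK/patch-2.4.9.gz"
sign_file demo@example.invalid "$WORK/patch-2.4.9.gz"

# Intact download from a mirror: the signature checks out and names our key.
verify_detached "$WORK/patch-2.4.9.gz" "$WORK/patch-2.4.9.gz.sign" "$FPR" \
    && echo "intact download: good signature from $FPR"

# Corrupted (or trojaned) download: one extra byte and the same .sign fails.
cp "$WORK/patch-2.4.9.gz" "$WORK/corrupt.gz"
printf '\001' >> "$WORK/corrupt.gz"
verify_detached "$WORK/corrupt.gz" "$WORK/patch-2.4.9.gz.sign" "$FPR" \
    || echo "corrupt download: signature rejected"

# Right signature, wrong expected key: also rejected, which is the point of
# pinning the fingerprint instead of trusting gpg's exit status alone.
verify_detached "$WORK/patch-2.4.9.gz" "$WORK/patch-2.4.9.gz.sign" \
    0000000000000000000000000000000000000000 \
    || echo "signed by a key we do not trust: rejected"
```

For a real download you import the vendor's published key into your keyring
(gpg --import) and pass its fingerprint, read from the CD or the signature
page quoted above, not from the mirror you are checking. For rpms, rpm -K and
rpm --checksig do the same job once the vendor key is imported (rpm --import on
newer rpm, or into root's GnuPG keyring on older ones); the check is against the
vendor's key, so a compromised mirror cannot fix up the signatures it serves.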
