Slashdot Mirror


OpenSSH Package Trojaned

cperciva writes "The original story is here. And more details are available from the guy's weblog here." Here's a mirror of that email message. Another reader writes, "Not really a trojan because all it does is make a connection to 203.62.158.32:6667." Still another writes "The tarball of the portable OpenSSH on ftp.openbsd.org is trojaned. The backdoor is only used during build - generated binaries are fine." There isn't much authoritative information available, but this appears legitimate - please be careful if you're updating any of your machines with code from ftp.openbsd.org, and we'll update this story with more links as information is available. Update: 08/01 19:13 GMT by M : OpenSSH now has an advisory.

14 of 566 comments

  1. Security, Antisecurity and a Purposeless Anecdote by f00Dave · · Score: 4, Interesting

    On the one hand, there are stories about the improved security and paranoia of OpenSSH.

    And on the other hand, there are stories like this one and that one about anti-security "features" in the same package.

    Now, my question is this: is this indicative of open-source development projects, in general? [Yeah, it's faster to fix issues, but if the distros are *causing* issues in the first place, well.... ;-) ]

    Reminds me of a company I worked for that was timebombed by a previous programmer. Unfortunately for him, when we looked at the source code, all was well (he'd copied the sources back over his modified ones used in the binary build) ... but he'd left the .bak files. Guess what was in the .bak files. Good, now guess how we discovered a few other potential surprises he'd left for the rest of us to encounter.

    Anyway, I can't see how a disgruntled coder could really affect an open-source project, unless there are personality factors at play that I don't know about. Anyone have some meat on this OpenSSL mess?

    --
    .f00Dave
  2. Checksum...? by DJPenguin · · Score: 5, Interesting

    OK, so they trojaned the source tar.gz, and uploaded it to the server somehow. So why did they not update the MD5SUM also?

  3. Trojan by GigsVT · · Score: 5, Interesting

    The C code is not that smart. It tries once per hour to connect to port 6667 on the machine 203.62.158.32 which is web.snsonline.net and waits for commands from the person or persons who 0wn3d the machine. Does it get an M, it sleeps for another hour. Does it get an A, it will abort. Does it get an M, it will spawn a shell. Some people will build it with "normal" privileges and install it as root: they will get a shell with "normal" privileges. Other people will build it with "root" privileges and the shell will have "root" privileges.

    Tell me how this isn't a trojan again? A remotely controllable program that could possibly give the attacker root access?

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  4. Re:I'm surprised... by Queuetue · · Score: 4, Interesting

    This shows why I trust OS peer-reviewed code... It only takes one curious person to find an exploit, and OSS allows that person to be anyone. This one was found in 6 hours, by someone who wasn't on the OpenBSD team or the OpenSSH team.

    It's also why I spend (some say waste) a few idle cycles now and again just perusing code - it only takes one person to notice an anomaly. The more aggregate cycles spent reviewing code, the better the systems get.

  5. Trojaned source distributions by dzym · · Score: 5, Interesting
    So far we've seen dsniff and other programs from monkey.org trojaned, irssi, BitchX, and now OpenSSH.

    At this point I think we need to make the assumption that the problem is a bit more common than viewing these compromises individually would suggest, and perhaps these individual events can even be linked together.

    And for the developers out there, I think it's time to check over all of your current distributed source tarballs.

  6. Re:How many people do check the MD5 checksum? by stevey · · Score: 4, Interesting
    Do you check the packages downloaded from sites that you usually do not have problems with?

    I've been wondering about this - and the answer is almost certainly not.

    I've written a fairly widespread mp3/ogg streamer. I used to list MD5 sums on the download page - but recently I've switched to signing with my GPG key.

    (On the basis that if somebody altered the downloads they'd be capable of fixing up the MD5sums file in the same directory too).

    Taking a look at the download statistics you can see that about 1 person in 50 downloaded the signature file to match their archive.

    That suggests that 2% of people routinely check signatures. I assume that fewer people check the code than check the signatures so ... it's probably safe to say that no more than 0.5% of people do.

  7. Re:How many people do check the MD5 checksum? by zmooc · · Score: 3, Interesting

    What we need is a trusted 3rd party that has all the checksums. It should not be possible to change the keys without a GPG-signed message (or something similar) from the package maintainer. Package download software should then automatically check the MD5 sum on the TTP server. Does anybody know if such a service exists or if there are plans to set this up?

    --
    0x or or snor perron?!
  8. Re:How many people do check the MD5 checksum? by Quixote · · Score: 5, Interesting
    That's what I was thinking, too.
    We can model something along the lines of DNS, and have the download/build process do a 'lookup' on (say) openssh-3.4p1.packages.net, to get the MD5 sum, and compare it with what's on hand.

    Never underestimate the power of a bunch of pissed-off nerds... :)

  9. Re:203.62.158.32 by Anonymous Coward · · Score: 5, Interesting

    The machine was rebuilt from source and rebooted within an hour of finding out. It was pure luck that the person who found it asked me to look at the code, at which point I realised it was my IP.

    Cheers,

    ^Sarge^

  10. Open Source PKI Needed? by carbon60 · · Score: 4, Interesting

    It seems like we need to start using a "web-of-trust" based PKI solution, like OpenPGP. And educating users to actually check the signatures!!!

    On a related note, does Debian use anything to prevent this from happening? I for one don't worry too much when doing an update, maybe I should...

    --
    Adam Sherman
    Freelance Geek
  11. Re:Why not hack the md5 checksums? by disappear · · Score: 3, Interesting
    So, in this case, couldn't someone just as easily generate an md5 sum for the hacked file and put that in the sum file? I know on bsd you have ports which would prevent this, but what about Linux?

    This is a solved problem. Red Hat, for example, GPG signs the MD5SUM file. So you can verify that the person who created the MD5SUM was authorized to do so.

  12. Prescient Alan Cox / Theo exchange by wfrp01 · · Score: 5, Interesting

    Check out this little snippet (the whole message can be found on lwn.net) from an email from Theo:

    We've been trying to warn vendors about 3.3 and the need for privsep, but they really have not heeded our call for assistance. They have basically ignored us. Some, like Alan Cox, even went further stating that privsep was not being worked on because "Nobody provided any info which proves the problem, and many people dont trust you theo" and suggested I "might be feeding everyone a trojan" (I think I'll publish that letter -- it is just so funny).

    Please do publish that letter, Theo. That would be very interesting.

    PU

    --
    --Lawrence Lessig for Congress!
  13. I think it's okay now by hardave · · Score: 5, Interesting

    I'm one of the admins for SunSITE Alberta which houses openbsd.org. I just checked the file currently available for download and it seems to be clean. The MD5SUM matches up, and after extracting it and looking at the source, bf-test wasn't present.

    This really sucks since I woke up only like 10 minutes ago and find that the most downloaded file from your site may be trojaned. I have a distinct feeling that the rest of my day isn't going to be much better.

  14. FYI: Gentoo OK by jehreg · · Score: 3, Interesting
    Gentoo is a source-only distribution. This trojan has not affected Gentoo since the MD5 digest is checked before compilation occurs. I just checked: the MD5 digest included in the "portage tree" is the correct one, and portage has detected the change.

    End result: no one in Gentoo has been able to compile/emerge openssh for the last few days.

    Which is good :-)
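Two points in this thread fit together: stevey, DJPenguin and disappear note that an MD5SUM file sitting beside the tarball on the same server can be rewritten by whoever swapped the tarball, while jehreg reports that portage caught the swap because its digest lives in the portage tree and is checked before the build. The following is an added example, not code from Slashdot, OpenSSH or Gentoo; the tarball bytes are constructed, and the `MD5 <hex> <file> <size>` digest line format is assumed for illustration.

```python
import hashlib

# Constructed sample data, not the real openssh-3.4p1.tar.gz: the tarball as the
# maintainer shipped it, and the copy an attacker later swapped in on the mirror.
FILENAME = "openssh-3.4p1.tar.gz"
CLEAN_TARBALL = b"clean portable OpenSSH source (constructed sample)\n"
TROJANED_TARBALL = CLEAN_TARBALL + b"bf-test: phone home during build (constructed)\n"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def make_digest(filename: str, data: bytes) -> str:
    """Record a digest line in an old portage-style 'MD5 <hex> <file> <size>'
    layout (the exact format is an assumption for this example)."""
    return f"MD5 {md5_hex(data)} {filename} {len(data)}\n"


def check_digest(digest_text: str, filename: str, data: bytes) -> bool:
    """True only if an MD5 line for filename matches both hash and size.
    No matching entry means refuse to build rather than fall through."""
    for line in digest_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "MD5" and parts[2] == filename:
            return parts[1] == md5_hex(data) and int(parts[3]) == len(data)
    return False


def colocated_sums_passes_after_swap() -> bool:
    """The MD5SUM file sits next to the tarball on the same server, so whoever
    replaced the tarball rewrites the sums too: the check still passes."""
    mirror = {FILENAME: TROJANED_TARBALL,
              "MD5SUM": make_digest(FILENAME, TROJANED_TARBALL)}
    return check_digest(mirror["MD5SUM"], FILENAME, mirror[FILENAME])


def independent_digest_blocks_swap() -> bool:
    """The digest was recorded in the portage tree when the package was added,
    a channel the mirror attacker does not control: the swap is detected."""
    portage_digest = make_digest(FILENAME, CLEAN_TARBALL)  # fetched separately
    return not check_digest(portage_digest, FILENAME, TROJANED_TARBALL)


def independent_digest_accepts_clean() -> bool:
    """The unmodified tarball still verifies against the portage digest."""
    portage_digest = make_digest(FILENAME, CLEAN_TARBALL)
    return check_digest(portage_digest, FILENAME, CLEAN_TARBALL)
```

The same reasoning is why Red Hat's practice of GPG-signing the MD5SUM file helps: a signature, like a digest held in a separately distributed tree, ties the checksums to someone other than whoever controls the download directory.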