Security

Trojan compromises GNU software downloads

The GNU Project has discovered that its servers were compromised by a Trojan horse in mid-March. This edition of The Locksmith explains how this may have contaminated software downloads from that popular open source site.

In a disclosure that should send a lot of managers back to the drawing board for a careful reexamination of their code, the GNU Project has informed CERT that its primary FTP server, gnuftp.gnu.org (including its aliases, ftp.gnu.org and alpha.gnu.org), was compromised at the root level in mid-March. The attacker planted a Trojan, which wasn't discovered for several months.

Although the Free Software Foundation (FSF) announcement indicated that the Trojan was intended only to gather passwords, it is remotely possible that the hacker may have compromised some of the downloadable code with back doors, Trojans, and viruses or committed some other mischief. Therefore, any organization that has downloaded open source software through this popular FTP site in the intervening months may need to check that software for Trojans, back doors, spyware, and other potentially malicious code.

Details
The FSF bulletin stated, "After substantial investigation, we don't believe that any GNU source has been compromised. To be extra-careful, we are verifying known, trusted secure checksums of all files before putting them back on the FTP site. That process began on 2003-08-02 and is ongoing."

During the last week of July, the FSF discovered that its main FTP server, gnuftp.gnu.org, had suffered a root compromise in March, and that a Trojan horse was planted on that server. According to the FSF, "The modus operandi of the cracker shows that (s)he was interested primarily in using gnuftp to collect passwords and as a launching point to attack other machines. It appears that the machine was cracked using a ptrace exploit by a local user immediately after the exploit was posted."

This may or may not be a big deal for administrators. It's tricky to determine how significant this is because it's difficult to know what the hacker did and didn't do over a period of several months without looking at every line of code that has been available during that time.

Ultimately, everyone who downloaded any GNU files in the past several months will have to examine their own code to look for any malicious elements. Keep in mind that you could also have downloaded some of this software from another site that simply linked to the GNU Project FTP servers, so you should go back and check any links.

If the hacker didn't plant any time bombs, this is probably a minor problem for administrators—with the caveat that it will waste some of their limited time. It also raises serious questions about the level of security at GNU if a Trojan could exist undetected on its server for several months.

Lists of the hash codes needed to verify the integrity of files have been made available by the FSF at two locations: GNU and Alpha GNU. See the CERT Advisory CA-2003-21 and gnu.org for any late-breaking details and reports of any actual compromised code that may be discovered.
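One way to check a local mirror or download directory against such a list, as an added example (not FSF or CERT code). It assumes the list uses the `md5sum`/`sha1sum` line format and was itself obtained and authenticated separately; the function names and sample files are hypothetical.

```python
import hashlib, os, tempfile
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}  # algorithm inferred from digest length

def parse_list(text):
    """Parse '<hex digest>  <path>' lines (md5sum/sha1sum style, an assumed format)."""
    trusted = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        name = name.strip().lstrip("*")  # '*' marks binary mode in md5sum output
        if digest and not digest.startswith("#"):  # skip blank and comment lines
            if len(digest) not in ALGO_BY_HEXLEN or not name:
                raise ValueError(f"unrecognised line: {line!r}")
            trusted[os.path.normpath(name)] = digest.lower()
    return trusted

def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # hash in 1 MiB chunks
            h.update(chunk)
    return h.hexdigest()

def audit(root, trusted):
    """Classify local files as ok / mismatch / unlisted, and list entries as missing."""
    report = {"ok": [], "mismatch": [], "unlisted": [], "missing": []}
    for dirpath, _, names in os.walk(root):
        for n in sorted(names):
            rel = os.path.relpath(os.path.join(dirpath, n), root)
            want = trusted.get(rel)
            if want is None:
                report["unlisted"].append(rel)  # on disk but not in the trusted list
            elif file_digest(os.path.join(root, rel), ALGO_BY_HEXLEN[len(want)]) == want:
                report["ok"].append(rel)
            else:
                report["mismatch"].append(rel)  # content differs from the trusted hash
    report["missing"] = sorted(set(trusted) - set(report["ok"] + report["mismatch"]))
    return report

def demo():
    files = {"a.tar.gz": b"good", "b.tar.gz": b"tampered", "c.tar.gz": b"new"}  # constructed
    listing = (hashlib.sha1(b"good").hexdigest() + "  a.tar.gz\n"
               + hashlib.sha256(b"original").hexdigest() + " *./b.tar.gz\n"
               + hashlib.sha1(b"gone").hexdigest() + "  d.tar.gz\n")
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return audit(root, parse_list(listing))

if __name__ == "__main__":
    print(demo())
```

Files reported as `mismatch` or `unlisted` are the ones to re-fetch or inspect; `unlisted` matters because a hash list can only vouch for files that existed when it was built.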

Final word
It's bad enough that the GNU server was penetrated, but allowing a Trojan to be installed undetected on such an important server for several months seems somewhat careless. Regardless of whether the hacker actually modified any code, this is a bit of a black eye for open source software. The attacker could have done an incredible amount of damage by having a Trojan run undetected for all that time.

Of course, mistakes do happen, and I feel certain that FSF is reexamining its security procedures; at least they have been forthcoming about the issue.

Also watch out for…
  • SuSE has released a vulnerability fix announcement on BugTraq covering the following issues on a number of kernel versions: a possible denial of service attack (DoS) in the routing code; a possible attack of an unprivileged user via ioport; a rebinding problem of UDP port 2049 (NFS) sockets; a kernel panic with pptpd when mss > mtu; a console redirect bug; the execve() file read race vulnerability; several race conditions in procfs; possible DoS in netfilter code; possible DoS in NFSv3 code.
  • A vulnerability in Solaris 9 can allow unauthorized root access to the server. Although Sun doesn't cite a Mitre CVE code for this vulnerability, it appears to be the same problem I covered last week (CVE CAN-2003-0466). According to the Sun Alert Notification #56121, the problem applies to Solaris 9 in.ftpd(1M) Server. This is an off-by-one bug as discussed in iSEC Advisory isec-0011-wu-ftpd and can be exploited by either a local or remote attacker to gain root access to the server. According to iSEC, this problem also exists in Linux systems running the 2.4.19 Kernel. Sun has posted some workarounds but had not yet produced a patch at the time of this writing.


