[9170] in bugtraq
Misleading CERT Advisory CA-99-01-Trojan-TCP-Wrappers
daemon@ATHENA.MIT.EDU (Jochen Thomas Bauer)
Fri Jan 22 12:59:25 1999
Date: Fri, 22 Jan 1999 14:42:18 +0100
Reply-To: Jochen Thomas Bauer <jtb@THEO2.PHYSIK.UNI-STUTTGART.DE>
From: Jochen Thomas Bauer <jtb@THEO2.PHYSIK.UNI-STUTTGART.DE>
To: BUGTRAQ@NETSPACE.ORG
-----BEGIN PGP SIGNED MESSAGE-----
Hello,
The latest CERT Advisory about TCPwrappers containing a trojan horse
(CA-99-01-Trojan-TCP-Wrappers) seems to be partially incorrect.
CERT Advisory CA-99-01-Trojan-TCP-Wrappers:
I. Description
TCP Wrappers is a tool commonly used on Unix systems to monitor and
filter connections to network services.
[...]
The Trojan horse version of TCP Wrappers provides root access to
intruders on port 421. Additionally, upon compilation, this Trojan
horse version sends email to an external address.
[...]
III. Solution
[...]
As with any port, if you are not using port 421, we encourage you to
filter it at your network perimeter.
[...]
This suggests that an intruder has to connect to port 421/tcp to get a
root shell and therefore access to port 421/tcp should be blocked.
I guess that you have read Wietse Venema's mail that clearly states that
a root shell is obtained by connecting to a service that is started by
the TCPwrapper from(!) port 421.
>The backdoor gives access to a privileged shell when a client
>connects from port 421.
So all the people following the CERT Advisory will probably do the wrong
thing: Blocking TCP(SYN) packets with destination port 421 instead of
blocking TCP(SYN) packets with source port 421 :-(
Jochen Bauer
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQEVAwUBNqh+UFthq5K12SiJAQFA0ggAsGtTsK17LSYlmn2swHGFWX7cGjPeSZln
D0pOqU3z17FxRP+LsEspxRtSm5bGjxSpsU76XxGcViLegW9C/I2YvqhHnYRCJuE6
sicBBBkNMqp1X7V9cmeZsqOjg/yG56Do8qx00KLLon5AqwS2Ku6IChvy151sY+c5
I5IvUtiVeskR4fsCa+eS5r3LOL94K8tk6kBj1gwFqYwcbuDx2Q424q8GcSz169Pc
vp9j0XenWKZ49Uu+uMAPCHkfvUZPwFfuudJK918o1jcC+3uAKEkpJPQ5Coj3J0rV
p647bqQXNPEm9XnK/oUYA1Y+D9wsMdR942C00zMDKANkk70AKDXklg==
=It6e
-----END PGP SIGNATURE-----
-------------------------------------------------
My PGP public key can be found on:
http://www.theo2.physik.uni-stuttgart.de/jtb.html
-------------------------------------------------
Jochen Bauer
Institute for Theoretical Physics
University of Stuttgart
Germany
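The direction mix-up above, as an added illustration that is not part of the original post or of either advisory: a small Python model of the trojaned wrapper's trigger (a privileged shell when the client connects from source port 421, as quoted from Wietse Venema in the post) evaluated against the two perimeter rules readers might write. The connection samples, IP addresses, function names and the iptables lines in the comment are constructed for this example; the post itself names no specific filtering tool.

```python
"""Added example (not part of the original Bugtraq post): a model of the
point Jochen Bauer makes about CA-99-01.

The trojaned TCP Wrappers handed out a privileged shell when the *client's*
source port was 421.  CERT's advice to "filter port 421" reads as "block
traffic *to* port 421", which never matches such a connection.  The two
perimeter rules below are predicates on an inbound TCP SYN; the backdoor
trigger is modelled from Wietse Venema's description quoted in the post.
Addresses and connection samples are constructed for illustration.
"""
from dataclasses import dataclass

BACKDOOR_PORT = 421


@dataclass(frozen=True)
class Syn:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def backdoor_triggers(syn: Syn) -> bool:
    """Trojaned wrapper: the privileged shell is given out when the client
    connects *from* port 421, whichever wrapped service it targets."""
    return syn.src_port == BACKDOOR_PORT


def cert_filter_blocks(syn: Syn) -> bool:
    """What most readers of the advisory will implement: drop inbound SYNs
    whose *destination* port is 421."""
    return syn.dst_port == BACKDOOR_PORT


def correct_filter_blocks(syn: Syn) -> bool:
    """What actually stops the trigger at the perimeter: drop inbound SYNs
    whose *source* port is 421."""
    return syn.src_port == BACKDOOR_PORT


def evaluate(syn: Syn, blocks) -> str:
    """Outcome for one inbound SYN under a given perimeter rule."""
    if blocks(syn):
        return "dropped"
    return "root shell" if backdoor_triggers(syn) else "normal"


# Constructed samples: an attacker binding source port 421 (a privileged
# port, so root on the attacking host is needed) connecting to wrapped
# telnet; an ordinary client on an ephemeral port; and a client that
# really does connect *to* port 421.
ATTACK = Syn("203.0.113.7", 421, "192.0.2.10", 23)
NORMAL = Syn("203.0.113.8", 40123, "192.0.2.10", 23)
TO_421 = Syn("203.0.113.9", 40124, "192.0.2.10", 421)


def compare() -> dict:
    """Outcome of each sample SYN under the CERT-style rule and the
    source-port rule."""
    return {
        name: {
            "cert": evaluate(s, cert_filter_blocks),
            "correct": evaluate(s, correct_filter_blocks),
        }
        for name, s in (("attack", ATTACK), ("normal", NORMAL), ("to_421", TO_421))
    }


# Equivalent packet-filter rules in modern iptables syntax (an assumption;
# the post talks about TCP SYN filtering generically, not a specific tool):
#   wrong:   iptables -A INPUT -p tcp --syn --dport 421 -j DROP
#   correct: iptables -A INPUT -p tcp --syn --sport 421 -j DROP

if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:7s} dst-port rule: {r['cert']:10s} src-port rule: {r['correct']}")
```

Running it shows the attacker's SYN passing the destination-port rule untouched and still reaching the backdoor, while the source-port rule drops it and leaves the ordinary client alone. Since 421 is below 1024, a legitimate client will normally never use it as an ephemeral source port, so the source-port rule costs nothing in practice.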