Not implying that SuSE has this problem (it doesn't) but you may wish to read this: http://lists.netsys.com/pipermail/full-disclosure/2002-August/000734.html
On Thu, Aug 01, 2002 at 04:21:21AM -0400, Len Rose wrote:
Not implying that SuSE has this problem (it doesn't) but you may wish to read this:
http://lists.netsys.com/pipermail/full-disclosure/2002-August/000734.html
Two things to note here.

1. The openssh RPMs released by SuSE do not seem to have this problem; any trojaning of the tarball must have happened afterwards, if at all.

2. The problem will affect only people recompiling openssh from source, not users installing binary RPMs.

Disclaimer: I haven't checked the ftp archive at openbsd.org; all I've read so far is the web page mentioned above. By all I know this might also be a hoax.

Olaf

--
Olaf Kirch | Anyone who has had to work with X.509 has probably
okir@suse.de | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
Hi List,

take a look at "http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-securi..." there you find this part:

-- start --
This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD ports system:
MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8

This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz:
MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57
-- stop --

If you do not check this ...

Regards
Ruediger

Olaf Kirch wrote:
On Thu, Aug 01, 2002 at 04:21:21AM -0400, Len Rose wrote:
Not implying that SuSE has this problem (it doesn't) but you may wish to read this:
http://lists.netsys.com/pipermail/full-disclosure/2002-August/000734.html
Two things to note here.
1. The openssh RPMs released by SuSE do not seem to have this problem; any trojaning of the tarball must have happened afterwards, if at all.
2. The problem will affect only people recompiling openssh from source, not users installing binary RPMs.
Disclaimer: I haven't checked the ftp archive at openbsd.org; all I've read so far is the web page mentioned above. By all I know this might also be a hoax.
Olaf
Hi,

well nice suggestion BUT it is not good to rely on an md5sum posted by someone in a newsgroup. The proper way to do a verification of your version is to do a

gpg --verify openssh-3.4p1.tar.gz.sig

after you have imported the key DJM-GPG-KEY.asc (with gpg --import DJM-GPG-KEY.asc) to be found in the portable directory of OpenSSH.

We just checked it here and the tarball of openssh-3.4p1 reports a BAD signature (we made a negative control with the tarball of openssh-3.2.3p1 which gave us a GOOD signature, so the key seems to work...)

BTW: I think you have to check your untouched tarball - because the shellscript seems to remove itself from Makefile.in in openbsd-compat...

1.8.2002 10:54:02, ic_admin <admin@i-concept.de> wrote:
Hi List,
take a look at "http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-securi..." there you find this part:
-- start -- This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD ports system: MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz: MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57 -- stop --
If you do not check this ...
Regards
Ruediger

--
Ruhr-Universitaet Bochum
Lehrstuhl fuer Biophysik
c/o Christoph Wegener
Gebaeude ND 04/Nord
D-44780 Bochum, GERMANY
Tel: +49 (234) 32-25754 Fax: +49 (234) 32-14626
mailto:cwe@bph.ruhr-uni-bochum.de http://www.bph.ruhr-uni-bochum.de
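The two checks discussed above (the MD5 comparison from the FreeBSD list quoted in Ruediger's post, and the gpg --import / gpg --verify procedure in this reply) combined into one script. This is an added example, not code from the thread or from the OpenSSH project. Assumptions: the two MD5 values are the ones quoted above and the FreeBSD ports value is treated as the trusted reference; the tarball, its .sig file and DJM-GPG-KEY.asc are passed as arguments; either md5sum (coreutils) or md5 (BSD) and gpg are installed. The script treats a matching digest only as a hint and returns success only on a GOOD signature, which is the point made in this reply: a digest posted to a list is not authoritative, the signature is.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded OpenSSH tarball.
# Preferred check: the detached GPG signature against the release key.
# Secondary check: compare the MD5 against digests from the FreeBSD list
# posting quoted in the thread (assumption: that posting is trusted).

GOOD_MD5="459c1d0262e939d6432f193c7a4ba8a8"   # FreeBSD ports copy
BAD_MD5="3ac9bc346d736b4a51d676faa2a08a57"    # trojaned copy

# md5_of FILE: print only the hex digest, with either md5sum or BSD md5.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# classify_md5 DIGEST: print good | trojaned | unknown.
classify_md5() {
    case "$1" in
        "$GOOD_MD5") echo good ;;
        "$BAD_MD5")  echo trojaned ;;
        *)           echo unknown ;;
    esac
}

# verify_tarball TARBALL SIG PUBKEY
# Exit status: 0 only when gpg reports a good signature; 1 on a BAD
# signature; 2 when the check could not be performed at all.
# The MD5 classification is printed for information only.
verify_tarball() {
    tarball=$1; sig=$2; pubkey=$3
    digest=$(md5_of "$tarball")
    echo "MD5 ($tarball) = $digest  [$(classify_md5 "$digest")]"
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; signature not checked" >&2
        return 2
    fi
    # Import the release key shipped in the portable OpenSSH directory.
    gpg --import "$pubkey" >/dev/null 2>&1 || return 2
    if gpg --verify "$sig" "$tarball" >/dev/null 2>&1; then
        echo "GOOD signature on $tarball"
        return 0
    fi
    echo "BAD signature on $tarball; do not build from it" >&2
    return 1
}

# Usage: verify-openssh.sh openssh-3.4p1.tar.gz openssh-3.4p1.tar.gz.sig DJM-GPG-KEY.asc
if [ $# -ge 3 ]; then
    verify_tarball "$@"
fi
```

Run it against the tarball you actually downloaded, before unpacking: as noted above, the injected code removes itself from Makefile.in once built, so an extracted tree no longer shows the change. A digest that matches the "good" value is reassuring but a GOOD signature is the result that counts.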
Hi everybody,

I just double-checked it: YES the openssh-3.4p1.tar.gz on ftp.openbsd.org is TROJANED!!!

I downloaded our versions here just after they were released from the OpenSSH team, these ones seem to be clean. BUT: The version which is actually available on ftp.openbsd.org is NOT clean! Or did I make a mistake in my analysis?!?

So is this the time to say good bye to OpenSSH?!? ;))

Christoph

1.8.2002 10:21:21, Len Rose <len@netsys.com> wrote:
Not implying that SuSE has this problem (it doesn't) but you may wish to read this:
http://lists.netsys.com/pipermail/full-disclosure/2002-August/000734.html
Hi again,

to be a little more concrete: about 10 minutes ago I downloaded the tarball of openssh-3.4p1 which is actually available on ftp.openbsd.org. I untarred it, cd'd to openbsd-compat and did a

gcc bf-test.c -o bf-test

After this I did

sh bftest > bftest.sh

and finally got a shell script which contains the same as reported on the link below. So there is definitely a connection attempt to this server - but actually I do not know what it is good for. Could there be some legal reason for this?!?

Christoph

BTW: we are just trying to double-check the sig of the tarball but due to probs with the keyservers didn't have results for now...

1.8.2002 10:45:59, Christoph Wegener <cwe@bph.ruhr-uni-bochum.de> wrote:
Hi everybody,

I just double-checked it: YES the openssh-3.4p1.tar.gz on ftp.openbsd.org is TROJANED!!!

I downloaded our versions here just after they were released from the OpenSSH team, these ones seem to be clean. BUT: The version which is actually available on ftp.openbsd.org is NOT clean! Or did I make a mistake in my analysis?!?
So is this the time to say good bye to OpenSSH?!? ;))
Christoph
1.8.2002 10:21:21, Len Rose <len@netsys.com> wrote:
Not implying that SuSE has this problem (it doesn't) but you may wish to read this:
http://lists.netsys.com/pipermail/full-disclosure/2002-August/000734.html
On Thursday 01 August 2002 11.01, Christoph Wegener wrote:
So there is definitively a connection attempt to this server - but actually I do not know waht it is good for. Could there be some legal reaseon for this?!?
Look at the C source generated by the shell script. If it receives a 'D' command from this server it spawns a remote shell. I'd say there's an *illegal* reason for this.

regards
Anders
Hi,

yes you are right: I just did a

echo -e '\x2f\x62\x69\x6e\x2f\x73\x68'

(this is i_val == the code which is executed after receiving the D) and got /bin/sh ...

So there is really NO legal reason for this... :(((

Greetz
Christoph

1.8.2002 11:14:54, Anders Johansson <andjoh@cicada.linux-site.net> wrote:
On Thursday 01 August 2002 11.01, Christoph Wegener wrote:
So there is definitively a connection attempt to this server - but actually I do not know waht it is good for. Could there be some legal reaseon for this?!?
Look at the C source generated by the shell script. If it receives a 'D' command from this server it spawns a remote shell. I'd say there's an *illegal* reason for this.
regards
Anders
participants (5)
- Anders Johansson
- Christoph Wegener
- ic_admin
- Len Rose
- Olaf Kirch