Site Compromise Software Distribution Backdoor

1990-01-01T00:00:00
ID OSVDB:14702
Type osvdb
Reporter OSVDB
Modified 1990-01-01T00:00:00

Description

Vulnerability Description

Software distributed from various sites may contain a backdoor or other malicious code. The issue arises when the distribution site is compromised by an attacker who then modifies the software available to everyone else. Once a backdoor or other malicious code has been placed in the software package, every subsequent download poses a risk to administrators who install the software. This type of attack is extremely difficult to counter given the nature of the internet.

In the past, several sites have experienced such an attack. The list included contains known occurrences but is far from exhaustive. The only real way to prevent such attacks is to consistently check the site for news of such attacks and to continue to check MD5 sums for all downloads (even though they can be trivially forged under such a scenario, since an attacker who controls the site can replace the published checksums along with the software).
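As an added example (not part of the OSVDB record), the following Python shows why a checksum fetched from the same compromised site cannot detect a trojaned package, and what a comparison against checksums obtained out of band does catch. The archive contents, host names and checksum sources are constructed for illustration.

```python
import hashlib

# Constructed sample data (not from any real release): the archive as the
# maintainers published it, and the copy an intruder substituted on the site.
CLEAN_TARBALL = b"tool-1.0/Makefile\ntool-1.0/main.c\n"
TROJANED_TARBALL = CLEAN_TARBALL + b"tool-1.0/configure: added bind-shell stub\n"

def digest_hex(data: bytes, algo: str = "md5") -> str:
    """Hex digest of a download. The record speaks of MD5 sums; sites today
    publish SHA-256, but the origin of the checksum matters more than the
    algorithm for the failure mode shown here."""
    return hashlib.new(algo, data).hexdigest()

def naive_check(download: bytes, published_sum: str) -> bool:
    """Compare the download against whatever checksum sits beside it."""
    return digest_hex(download) == published_sum

def verify_against_independent_sources(download, sums_by_source, origin):
    """Require at least one checksum that did NOT come from the download's
    own origin (mailing-list announcement, signed release notes, a mirror
    under different administration) and require every such independent
    checksum to agree with the download."""
    independent = {s: v for s, v in sums_by_source.items() if s != origin}
    if not independent:
        return False, "no checksum from a source other than the download origin"
    actual = digest_hex(download)
    bad = sorted(s for s, v in independent.items() if v != actual)
    if bad:
        return False, "checksum mismatch against: " + ", ".join(bad)
    return True, "download matches all independent checksums"

def demo():
    origin = "ftp.example.org"  # constructed host name
    # The intruder replaced both the tarball and the MD5SUMS file on the
    # site, so the same-origin check passes for the trojaned copy.
    same_origin_sum = digest_hex(TROJANED_TARBALL)
    naive_passes = naive_check(TROJANED_TARBALL, same_origin_sum)
    # Checksums gathered out of band still describe the clean release.
    sums = {
        origin: same_origin_sum,
        "release announcement (mailing list archive)": digest_hex(CLEAN_TARBALL),
        "mirror.example.net": digest_hex(CLEAN_TARBALL),
    }
    ok, reason = verify_against_independent_sources(TROJANED_TARBALL, sums, origin)
    return naive_passes, ok, reason

if __name__ == "__main__":
    print(demo())
```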

Technical Description

A list of sites or software distributions known to have been compromised or altered to contain a backdoor or suspect code:

  • util-linux 2.9g (Jan 1999)
  • wuarchive ftpd (wuftpd) 2.2 and 2.1f (Apr 1994)
  • cs-pub.bu.edu IRC clients (summer 1994)
  • IRC client (ircII) ircII 2.2.9 (Oct 1994)
  • TCP Wrappers 7.6 (Jan 1999)
  • apache.org (May 2001)
  • sourceforge.net (May 2001)
  • libpcap (Nov 2002)
  • tcpdump (Nov 2002)
  • OpenSSH 3.4p1 (Aug 2002)
  • gnuftp.gnu.org (Mar 2003)
  • linux kernel 2.6-test9-CVS on kernel.bkbits.net (Nov 2003)
  • jabber.org (Feb 2005)

Solution Description

Upgrade to the latest version deemed safe by the site administrator. It is essential that previous versions be completely removed before the new version is installed to guarantee integrity.

References:

  • Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=102820843403741&w=2
  • Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=102821663814127&w=2
  • Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=103722456708471&w=2
  • Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1994_4/0150.html
  • ISS X-Force ID: 9763
  • Generic Informational URL: http://www.theregister.co.uk/2003/08/27/gnu_servers_owned_by_crackers/
  • Generic Informational URL: http://www.theregister.co.uk/2001/05/31/cowboy_cracker_nails_apache/
  • Generic Informational URL: http://www.theregister.co.uk/2005/02/02/jabber_attack/
  • CVE-2003-1161
  • CVE-1999-0661
  • CERT: CA-1999-02
  • CERT: CA-1994-14
  • CERT: CA-1999-01
  • CERT: CA-2003-21
  • CERT: CA-2002-30
  • CERT: CA-1994-07
  • Bugtraq ID: 8987
  • Bugtraq ID: 5374