A day after warning of multiple vulnerabilities in the OpenSSL library, the
CERT Coordination Center (CERT/CC) issued an alert that some copies of the
source code for the OpenSSH package contain a Trojan horse.
The security outfit warned that an unknown intruder had modified the files
openssh-3.4p1.tar.gz, openssh-3.4.tgz and openssh-3.2.2p1.tar.gz to include
malicious code, and that mirrors of the OpenSSH download may also be
compromised. The main OpenBSD mirror was trojaned.
“We strongly encourage sites which employ, redistribute, or mirror the
OpenSSH package to immediately verify the integrity of their distribution,”
CERT/CC said in the advisory.
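The advisory's instruction to "verify the integrity of their distribution" is, in practice, a digest comparison between what a mirror serves and what the primary site publishes. The script below is an added example (not code from CERT/CC or the OpenSSH project) of that check: it parses a `sha256sum`-style manifest, hashes every listed archive, and reports intact, modified, missing and unlisted files. The archive bytes and the manifest are constructed stand-ins; the real 2002 checksums are not on this page and are not reproduced here.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample data: the file names match the releases named as tampered,
# the contents are placeholders, and the digests are computed from them here.
CLEAN = {
    "openssh-3.4p1.tar.gz": b"placeholder bytes for a clean openssh-3.4p1.tar.gz\n",
    "openssh-3.4.tgz": b"placeholder bytes for a clean openssh-3.4.tgz\n",
    "openssh-3.2.2p1.tar.gz": b"placeholder bytes for a clean openssh-3.2.2p1.tar.gz\n",
}
# A tampered copy differs by a few bytes (stand-in for a modified bf-test.c).
TAMPERED_34 = CLEAN["openssh-3.4.tgz"] + b"# placeholder for injected build-time code\n"


def digest_file(path, algo="sha256", chunk=65536):
    """Hash a file in chunks so large tarballs need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'HEXDIGEST  filename' lines, the format sha256sum/md5sum write."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hexdigest, sep, name = line.partition("  ")
        if not sep or not name.strip():
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name.strip()] = hexdigest.lower()
    return expected


def verify_tree(directory, manifest_text, algo="sha256"):
    """Compare every manifest entry against the files on disk.

    Returns {filename: "ok" | "MISMATCH" | "MISSING"}; files on disk that the
    manifest does not cover are reported as "UNLISTED" so an extra archive
    dropped on a mirror cannot pass silently.
    """
    expected = parse_manifest(manifest_text)
    report = {}
    for name, want in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = "MISSING"
            continue
        got = digest_file(path, algo)
        report[name] = "ok" if hmac.compare_digest(got, want) else "MISMATCH"
    for name in sorted(os.listdir(directory)):
        if name not in expected:
            report[name] = "UNLISTED"
    return report


def demo():
    """Build a throwaway 'mirror' directory and verify it against a manifest
    generated from the clean bytes (stand-in for the primary site's list)."""
    manifest = "# constructed manifest of the clean archives\n" + "".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}\n" for name, data in CLEAN.items()
    )
    with tempfile.TemporaryDirectory() as mirror:
        on_mirror = {
            "openssh-3.4p1.tar.gz": CLEAN["openssh-3.4p1.tar.gz"],  # intact
            "openssh-3.4.tgz": TAMPERED_34,                          # modified
            "openssh-3.4p1.tar.gz.sig": b"placeholder signature",   # not in manifest
            # openssh-3.2.2p1.tar.gz deliberately absent -> MISSING
        }
        for name, data in on_mirror.items():
            with open(os.path.join(mirror, name), "wb") as f:
                f.write(data)
        return verify_tree(mirror, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

The manifest must come from a channel independent of the mirror being checked (the primary site, or a signed copy), otherwise a compromised mirror can simply publish digests of its own tampered files; `hmac.compare_digest` is used only so the comparison does not leak timing, the digest itself carries no secret.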
Developers on security message boards say the malicious code does not appear
sophisticated but could be remotely programmed to give intruders root access
to machines.
“When building the OpenSSH binaries, the trojan resides in bf-test.c and
causes code to execute which connects to a specified IP address. The
destination port is normally used by the IRC protocol. A connection attempt
is made once an hour. If the connection is successful, arbitrary commands
may be executed,” the group warned.
It is the second major bug found in OpenSSH in the last few months. In June,
serious flaws were found and fixed in versions 2.3.1p1 through 3.3 of the
open-source tool, which is used by developers as a secure alternative to
Telnet, Rlogin, Rsh, and FTP.
The malicious files appear to have been placed on the FTP server which hosts
ftp.openssh.com and ftp.openbsd.org on July 30 or 31, almost two full days
before the OpenSSH development team could replace the Trojan horse copies
with the original, uncompromised versions. That means the Trojan horse copy
of the source code was available long enough for copies to propagate to
sites that mirror the OpenSSH site, CERT warned.
“The Trojan horse versions of OpenSSH contain malicious code that is run
when the software is compiled. This code connects to a fixed remote server
on 6667/tcp. It can then open a shell running as the user who compiled
OpenSSH,” the Center said.
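Both quoted descriptions give the same network signature: a build host making an outbound connection to a fixed address on the IRC port (6667/tcp), retried once an hour. The following added example (not code from the page or from CERT/CC) turns that into a retrospective check over outbound-connection logs: it groups attempts per source/destination pair on that port and flags pairs whose inter-attempt gaps are close to one hour. The log lines are constructed, use documentation address ranges, and the host names are invented; the real destination address from the incident is not on this page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound-connection log (firewall/flow style):
#   ISO timestamp, source host, destination IP, destination port, protocol
# 'buildbox' shows the hourly pattern described in the advisory; 'devbox'
# talks to an IRC server at irregular times and should not be flagged.
SAMPLE_LOG = """\
2002-08-01T09:00:12 buildbox 192.0.2.10 6667 tcp
2002-08-01T09:13:40 buildbox 198.51.100.5 443 tcp
2002-08-01T10:00:15 buildbox 192.0.2.10 6667 tcp
2002-08-01T11:00:09 buildbox 192.0.2.10 6667 tcp
2002-08-01T12:00:14 buildbox 192.0.2.10 6667 tcp
2002-08-01T09:05:00 devbox 203.0.113.7 6667 tcp
2002-08-01T09:06:30 devbox 203.0.113.7 6667 tcp
2002-08-01T15:42:10 devbox 203.0.113.7 6667 tcp
"""


def parse_log(text):
    """Return a list of (timestamp, src, dst, dport, proto) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), proto))
    return events


def find_beacons(events, port=6667, period=timedelta(hours=1),
                 tolerance=timedelta(minutes=2), min_attempts=3):
    """Group connection attempts to `port` by (src, dst) and report each pair.

    A pair is marked periodic when every gap between consecutive attempts is
    within `tolerance` of `period`; the advisory's once-an-hour retry is the
    default. Pairs with fewer than `min_attempts` hits are not reported.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport, proto in events:
        if proto == "tcp" and dport == port:
            by_pair[(src, dst)].append(ts)
    findings = {}
    for (src, dst), times in by_pair.items():
        times.sort()
        if len(times) < min_attempts:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        periodic = all(abs(g - period) <= tolerance for g in gaps)
        findings[(src, dst)] = {
            "attempts": len(times),
            "periodic": periodic,
            "first": times[0],
            "last": times[-1],
        }
    return findings


def scan(text=SAMPLE_LOG):
    """Convenience wrapper: parse a log and return the beacon report."""
    return find_beacons(parse_log(text))


if __name__ == "__main__":
    for (src, dst), info in scan().items():
        flag = "PERIODIC" if info["periodic"] else "irregular"
        print(f"{src} -> {dst}:6667  {info['attempts']} attempts  {flag}")
```

A successful connection to 6667/tcp from a host that builds software is the more important signal than the timing, since an IRC client would not normally run on a build box; the periodicity check mainly helps separate an automated retry from a person using IRC. Because the advisory says the code runs as the user who compiled OpenSSH, the hosts worth checking are the ones where the tarball was unpacked and built, not only those where sshd was later installed.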
OpenSSH users are urged to go to the primary distribution site for the
software at OpenSSH.com.