Bugtraq mailing list archives
Misleading CERT Advisory CA-99-01-Trojan-TCP-Wrappers
From: jtb () THEO2 PHYSIK UNI-STUTTGART DE (Jochen Thomas Bauer)
Date: Fri, 22 Jan 1999 14:42:18 +0100
-----BEGIN PGP SIGNED MESSAGE-----

Hello,

The latest CERT Advisory about TCPwrappers containing a trojan horse
(CA-99-01-Trojan-TCP-Wrappers) seems to be partially incorrect.

CERT Advisory CA-99-01-Trojan-TCP-Wrappers:

    I. Description

    TCP Wrappers is a tool commonly used on Unix systems to monitor and
    filter connections to network services.
    [...]
    The Trojan horse version of TCP Wrappers provides root access to
    intruders on port 421. Additionally, upon compilation, this Trojan
    horse version sends email to an external address.
    [...]
    III. Solution
    [...]
    As with any port, if you are not using port 421, we encourage you to
    filter it at your network perimeter.
    [...]

This suggests that an intruder has to connect to port 421/tcp to get a
root shell and therefore access to port 421/tcp should be blocked.
I guess that you have read Wietse Venema's mail that clearly states that
a root shell is obtained by connecting to a service that is started by
the TCPwrapper from(!) port 421.

    The backdoor gives access to a privileged shell when a client
    connects from port 421.

So all the people following the CERT Advisory will probably do the wrong
thing: blocking TCP(SYN) packets with destination port 421 instead of
blocking TCP(SYN) packets with source port 421 :-(

Jochen Bauer

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBNqh+UFthq5K12SiJAQFA0ggAsGtTsK17LSYlmn2swHGFWX7cGjPeSZln
D0pOqU3z17FxRP+LsEspxRtSm5bGjxSpsU76XxGcViLegW9C/I2YvqhHnYRCJuE6
sicBBBkNMqp1X7V9cmeZsqOjg/yG56Do8qx00KLLon5AqwS2Ku6IChvy151sY+c5
I5IvUtiVeskR4fsCa+eS5r3LOL94K8tk6kBj1gwFqYwcbuDx2Q424q8GcSz169Pc
vp9j0XenWKZ49Uu+uMAPCHkfvUZPwFfuudJK918o1jcC+3uAKEkpJPQ5Coj3J0rV
p647bqQXNPEm9XnK/oUYA1Y+D9wsMdR942C00zMDKANkk70AKDXklg==
=It6e
-----END PGP SIGNATURE-----

-------------------------------------------------
My PGP public key can be found on:
http://www.theo2.physik.uni-stuttgart.de/jtb.html
-------------------------------------------------
Jochen Bauer
Institute for Theoretical Physics
University of Stuttgart
Germany
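The post's point is that the filter direction matters: the trojaned wrapper is triggered by the client's source port, so a perimeter rule on destination port 421 never sees the triggering SYN. The following is an added example, not code from the post, from CERT or from TCP Wrappers. It evaluates both rule variants against constructed SYN packets and scans constructed iptables-style LOG lines (SRC=/DST=/SPT=/DPT= fields) for inbound connections with source port 421; the IP addresses, the log format and the rule names are assumptions for the example.

```python
"""Compare a destination-port-421 filter with a source-port-421 filter.

Added example (not from the Bugtraq post). The sample packets and log
lines below are constructed; addresses use the documentation ranges.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SynPacket:
    """Minimal view of an inbound TCP SYN: who connects from where to what."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """A stateless perimeter filter rule on inbound TCP SYNs.

    A port set to None is a wildcard; all set fields must match.
    """
    name: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: SynPacket) -> bool:
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def blocked_by(rules: List[Rule], pkt: SynPacket) -> List[str]:
    """Names of the rules that would drop this packet (empty = allowed)."""
    return [r.name for r in rules if r.matches(pkt)]


# The rule the advisory wording leads people to write: block traffic *to* 421.
RULE_DST_421 = Rule("drop-dst-421", dst_port=421)
# The rule matching the behaviour the post describes: block SYNs *from* 421.
RULE_SRC_421 = Rule("drop-src-421", src_port=421)

# Constructed traffic against a wrapped telnet service on 192.0.2.10.
TRIGGER = SynPacket("198.51.100.7", 421, "192.0.2.10", 23)     # from port 421
TO_421 = SynPacket("198.51.100.7", 40001, "192.0.2.10", 421)   # to port 421
NORMAL = SynPacket("198.51.100.7", 40002, "192.0.2.10", 23)    # ordinary client

# Constructed log lines in the iptables LOG target's field style (assumed
# format for the example, not output captured from a real system).
SAMPLE_LOG = [
    "kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=421 DPT=23 SYN",
    "kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40003 DPT=22 SYN",
    "kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40004 DPT=421 SYN",
]

LOG_LINE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=TCP SPT=(\d+) DPT=(\d+)")


def parse_log(lines: List[str]) -> List[SynPacket]:
    """Extract SynPackets from lines that carry the expected fields."""
    pkts = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m:
            pkts.append(SynPacket(m.group(1), int(m.group(3)),
                                  m.group(2), int(m.group(4))))
    return pkts


def find_source_port_421(lines: List[str]) -> List[Tuple[str, int]]:
    """(src_ip, dst_port) of every logged inbound SYN with source port 421."""
    return [(p.src_ip, p.dst_port) for p in parse_log(lines) if p.src_port == 421]


if __name__ == "__main__":
    for pkt in (TRIGGER, TO_421, NORMAL):
        print(pkt, "dst-rule:", blocked_by([RULE_DST_421], pkt),
              "src-rule:", blocked_by([RULE_SRC_421], pkt))
    print("source-port-421 SYNs in log:", find_source_port_421(SAMPLE_LOG))
```

Running the block shows that `RULE_DST_421` drops the harmless connection to port 421 and lets the triggering SYN (source port 421, destination port 23) through, while `RULE_SRC_421` drops exactly the triggering packet. The log scan is the matching detection: because 421 is a privileged port, ordinary clients pick ephemeral source ports well above it, so inbound SYNs from source port 421 are worth an alert rather than just a drop.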