Re: OpenSSH Security Advisory: Trojaned Distribution Files
On Thu, Aug 01, 2002 at 01:19:21PM -0400, Nick Holland wrote:
> If you want to help, look at the source on the CD. Look at the
> source on the current CVS repositories. Look for anything that
> changed in a bad way. Yes, that's a biiiig task.
I'll start by saying that what follows is less than ideally
helpful. If it weren't for the current situation I wouldn't
mention it at all, and it's not a request for help. It's just a
data point, and not a particularly pure one at that.
Yesterday--it would have been after the time the files were
trojaned and before they were replaced--I started the whole
release process to have a nice set of binaries with the latest
round of patches applied. I wiped the hard drive on a spare
(i386) machine, did a default install (i.e., no X) of 3.1
from an official CD set, and did an ``echo sshd_flags=NO
> /mnt/etc/rc.conf.local'' before leaving the installer. After
reboot, I copied the src from CD3, did a ``cvs up -PAd
-rOPENBSD_3_1'' with CVSROOT=anoncvs.openbsd.org. I built a new
(GENERIC) kernel (I think the result had the same number of bytes
as the original). After reboot, sudo wouldn't work, complaining
that it wasn't suid 0. It was--the permissions were identical to
the original. When plain ol' su wouldn't work either--I don't
recall exactly why--I grumbled to myself that I must have screwed
something up, and started over again.
As I was doing the re-install, it occurred to me that perhaps
-STABLE introduced some changes that make the -STABLE kernel
incompatible with the -RELEASE sudo and su. I don't see anything
in the patches that would indicate such a case, and I don't recall
seeing anything anywhere to that effect. A week or two ago, I did
the same process and got a nice home-brewed release out of it, no
troubles and everything right as rain.
I didn't have time to do much of anything else to the machine, and
I'm currently planning on waiting 'til further notice that
everything's clean.
Let me again stress: this is hardly scientific. It's entirely
possible I could have screwed something up--it wouldn't have been
the first time. I could also have overlooked something saying that
all this is to be expected--it wouldn't have been the first
time for that, either. I don't have any reason to think that
what happened was my fault, other than that that's a more
logical conclusion than the alternatives. Under nearly any other
circumstances I wouldn't even think of mentioning something like
this.
Still, if others have experienced this or can reproduce it
*and* it's not expected behaviour, it *may* be worth further
investigation.
Cheers,
b&
--
Ben Goren
mailto:ben@trumpetpower.com
http://www.trumpetpower.com/
icbm:33o25'37"N_111o57'32"W