Re: Latest libpcap tcpdump sources from tcpdump.org contain a trojan
You are correct insofar as it triggers at compile time for libpcap, the configure script to be exact. I grabbed a copy of the trojan'ed libpcap and compiled it in a sandbox machine. You can do a strings of the compiled libpcap.a and grep for 1963. Doing so yields these results:

debian:~/libpcap-0.7.1# strings libpcap.a | grep 1963
1963
not port 1963

I _didn't_ have the same result when running the command against woody's libpcap library files on my boxen. Obviously, I'm not saying that you will have the same result or that this is the only method to find the problem, etc. It worked for me though.

Steve

On Thu, Nov 14, 2002 at 11:37:37AM +0100, Bart-Jan Vrielink wrote:
> On Wed, 2002-11-13 at 20:15, Lupe Christoph wrote:
> > Please read
> > http://www.hlug.org/modules.php?op=modloadname=Newsfile=articlesid=6mode=threadorder=0thold=0
> >
> > Is Debian affected?
>
> If I read this (and the CERT advisory) correctly, the trojan only triggers at compile time, so I don't think normal Debian users are affected, only perhaps the maintainer himself.
>
> From CA-2002-30 (CERT):
>
> II. Impact
>
> An intruder operating from (or able to impersonate) the remote address specified in the malicious code could gain unauthorized remote access to any host that compiled a version of tcpdump with this Trojan horse. The privilege level under which this malicious code would be executed would be that of the user who compiled the source code.
>
> ... any host that compiled ... means to me that the Debian packages shouldn't be affected.
>
> --
> Tot ziens,
> Bart-Jan Vrielink
Re: Latest libpcap tcpdump sources from tcpdump.org contain a trojan
On Wed, 2002-11-13 at 20:15, Lupe Christoph wrote:
> Please read
> http://www.hlug.org/modules.php?op=modloadname=Newsfile=articlesid=6mode=threadorder=0thold=0
>
> Is Debian affected?

If I read this (and the CERT advisory) correctly, the trojan only triggers at compile time, so I don't think normal Debian users are affected, only perhaps the maintainer himself.

From CA-2002-30 (CERT):

II. Impact

An intruder operating from (or able to impersonate) the remote address specified in the malicious code could gain unauthorized remote access to any host that compiled a version of tcpdump with this Trojan horse. The privilege level under which this malicious code would be executed would be that of the user who compiled the source code.

... any host that compiled ... means to me that the Debian packages shouldn't be affected.

--
Tot ziens,
Bart-Jan Vrielink
Re: Latest libpcap tcpdump sources from tcpdump.org contain a trojan
Steve Suehring [EMAIL PROTECTED] writes:
> You are correct insofar as it triggers at compile time for libpcap, the configure script to be exact. I grabbed a copy of the trojan'ed libpcap and compiled it in a sandbox machine. You can do a strings of the compiled libpcap.a and grep for 1963. Doing so yields these results:
>
> debian:~/libpcap-0.7.1# strings libpcap.a | grep 1963
> 1963
> not port 1963
>
> I _didn't_ have the same result when running the command against woody's libpcap library files on my boxen. Obviously, I'm not saying that you will have the same result or that this is the only method to find the problem, etc. It worked for me though.

[snip]

OK, this is another helpful check, thanks.

I checked my boxes for one or two strings (`mash', `mars' and a switch statement in one of the reports linked off slashdot) yesterday in both the libraries and the debian/Unstable sources, also not finding any positive matches.

HTreassures,

~Tim
--
http://spodzone.org.uk/
Latest libpcap tcpdump sources from tcpdump.org contain a trojan
Hi!

Please read
http://www.hlug.org/modules.php?op=modloadname=Newsfile=articlesid=6mode=threadorder=0thold=0

Is Debian affected?

Thanks,
Lupe Christoph
--
| [EMAIL PROTECTED] | http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be |
| unsinkable. The designer had a speech impediment. He said: I have |
| thith great unthinkable conthept ... |
Re: Latest libpcap tcpdump sources from tcpdump.org contain a trojan
On Wed, Nov 13, 2002 at 08:15:58PM +0100, Lupe Christoph wrote:
> Is Debian affected?

I checked a few hours ago, and it was not, at least the mirror I'm using.

--
Lionel