OpenSSH Trojan

Matthias Benkmann matthias at winterdrache.de
Thu Aug 1 11:18:12 PDT 2002


On Thu, 1 Aug 2002 19:54:48 +0200 Matthias Benkmann
<matthias at winterdrache.de> wrote:

> Security advisory is at 
> 
> http://www.openssh.org/txt/trojan.adv

>From the advisory:

> The trojan allows the attacker to gain control of the system as the
> user compiling the binary.

Lesson to learn: NEVER EVER build as root. A user of the more control hint
would have been relatively safe even when installing a trojaned OpenSSH.
The attacker could gain access to the ssh account but that does not give
him the ability to change system files. If you change ssh and sshd to
setuid root and chown /etc/ssh to root the attacker could not even modify
ssh related files or read your system's private key because the backdoor
doesn't have root access. The worst he could do would be to create
dangerous binaries in /bin but these could not overwrite existing binaries
and they would be owned by the ssh package user so they'd be easy to spot
and remove. So even though the package user hint does not give perfect
security (if a trojan is put in the actual C source, all bets are off) it
does increase security. To quote from the hint:

"It is a mystery why Unix admins who wouldn't even trust their employer
with more than a normal user account carelessly execute complex and
incomprehensible installation scripts with full root rights."

MSB

-- 
goto doesn't screw up programs.
Programmers screw up programs.

-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe lfs-security' in the subject header of the message



More information about the lfs-security mailing list