Original issue date: November 13, 2002<br>
Last revised: -- <br>
Source: CERT/CC<br>

<p>A complete revision history is at the end of this file.</p>

<h2>Overview</h2>

<p>The CERT/CC has received reports that several of the released
source code distributions of the libpcap and tcpdump packages were 
modified by an intruder and contain a Trojan horse.</p>

<p>We strongly encourage sites that use, redistribute, or mirror
the libpcap or tcpdump packages to immediately verify the integrity of their
distribution.</p>

<h2>I. Description</h2>

<p>The CERT/CC has received reports that some copies of the
source code for libpcap, a packet acquisition library, and 
tcpdump, a network sniffer, have been modified by an intruder
and contain a Trojan horse.  

<p>The following distributions were modified to include the 
   malicious code:</p>

<blockquote>
<b>tcpdump</b><br>
<blockquote>
<font face="courier" size="-1">
     md5sum 3a1c2dd3471486f9c7df87029bf2f1e9  tcpdump-3.6.2.tar.gz
  <p>md5sum 3c410d8434e63fb3931fe77328e4dd88  tcpdump-3.7.1.tar.gz</p>
</font>
</blockquote>
<b>libpcap</b><br>
<blockquote>
<font face="courier" size="-1">
  md5sum 73ba7af963aff7c9e23fa1308a793dca  libpcap-0.7.1.tar.gz<br>
</font>
</blockquote>
</blockquote>

<p>These modified distributions began to appear in downloads from the
HTTP server www.tcpdump.org on or around Nov 11 2002 10:14:00 GMT.
The tcpdump development team disabled download of the distributions
containing the Trojan horse on Nov 13 2002 15:05:19 GMT.  However, the
availability of these distributions from mirror sites is unknown.  At
this time, it does not appear that related projects such as WinPcap
and WinDump contain this Trojan horse.</p>

<p>The Trojan horse version of the tcpdump source code distribution contains 
malicious code that is run when the software is compiled. 
This code, executed from the tcpdump <font face="courier">configure</font>
script, will attempt to connect (via wget, lynx, or fetch) to port 80/tcp
on a fixed hostname in order to download a shell script named
<font face="courier">services</font>.  In turn, this downloaded shell 
script is executed to generate a C file 
(<font face="courier">conftes.c</FONT>), which is subsequently compiled and run.</p>

<p>When executed, <font face="courier">conftes.c</FONT> makes
an outbound connection to a fixed IP address (corresponding to the
fixed hostname used in the <font face="courier">configure</font>
script) on port 1963/tcp and
reads a single byte.  Three possible values for this downloaded
byte are checked, each causing <font face="courier">conftes.c</FONT>
to respond in different ways:</p>
<ul>
  <li><b>'A'</b> will cause the Trojan horse to exit</li>
  <li><b>'D'</b> will cause the Trojan to fork itself, spawn a shell,
                 and redirect this shell to the connected IP address
                 (Note that communication to and from this shell is
                 obfuscated by XORing all bytes with the constant 0x89.)</li>
  <li><b>'M'</b> will cause the Trojan horse to close the connection
                 and sleep for 3600 seconds</li>
</ul>

To mask the activity of this Trojan horse in tcpdump, 
libpcap, the underlying packet-capture library of tcpdump, has been modified 
(<font face="courier">gencode.c</font>) to explicitly ignore 
all traffic on port 1963 
(i.e., a BPF expression of <font face="courier">"not port 1963"</font>).

<h2>II. Impact</h2>

<p>An intruder operating from (or able to impersonate) the remote
address specified in the malicious code could gain unauthorized remote
access to any host that compiled a version of tcpdump with 
this Trojan horse.  The privilege level under which this malicious code 
would be executed would be that of the user who compiled the source code.</p>

<h2>III. Solution</h2>

<p>We encourage sites using libpcap and tcpdump to
verify the authenticity of their distribution, regardless of where 
it was obtained.  

<h4>Where to get libpcap and tcpdump</H4>

<p>While the compromise of these distributions is being investigated, the
tcpdump and libpcap maintainers recommend using the following 
distribution sites:</p>

<dl>
<dd>
<a href="http://sourceforge.net/projects/tcpdump/">http://sourceforge.net/projects/tcpdump/</a>
</dd>
<dd>
<a href="http://sourceforge.net/projects/libpcap/">http://sourceforge.net/projects/libpcap/</a>
</dd>
</dl>

<p>Sites that mirror the source code are encouraged to verify
the integrity of their sources.  We also encourage users to inspect any
and all other software that may have been downloaded from the
compromised site.  Note that it is not sufficient to rely on the
timestamps or sizes of the file when trying to determine whether or
not you have a copy of the Trojan horse version.</p>

<h4>Verifying checksums</h4>
<p>The MD5 hashes of the vendor suggested updates for libpcap and
tcpdump are as follows:</p>

<blockquote>
<b>tcpdump</b><br>
<font face="courier">
<blockquote>md5sum 03e5eac68c65b7e6ce8da03b0b0b225e  tcpdump-3.7.1.tar.gz</blockquote><br>
</font>
<b>libpcap</b><br>
<font face="courier">
<blockquote>md5sum 0597c23e3496a5c108097b2a0f1bd0c7  libpcap-0.7.1.tar.gz</blockquote><br>
</font>
</blockquote>

<p>As a matter of good security practice, the CERT/CC encourages users
to verify, whenever possible, the integrity of downloaded software.
For more information, see
<dl><dd>
<a href="http://www.cert.org/incident_notes/IN-2001-06.html">http://www.cert.org/incident_notes/IN-2001-06.html</a>
</dl>

<a name="vendors"></a>
<h2>Appendix A. - Vendor Information</h2>

   <p>

     This appendix contains information provided by vendors for this
     advisory.  As vendors report new information to the CERT/CC, we
     will update this section and note the changes in our revision
     history.  If a particular vendor is not listed below, we have not
     received their comments.
   </p>

<p>
<a name="conectiva"></a>
<h4><a href="http://www.conectiva.com/">Conectiva</a></h4>
<blockquote>
We have checked all our released libpcap and tcpdump packages and confirmed 
that they do not contain the trojan code.
</blockquote>
</p>

<p>
<a name="Debian"></a>
<h4><a href="http://www.debian.org/">Debian</a></h4>
<blockquote>
Problematic packages are only distributed in Debian/unstable.  I have
examined both source packages and they did not contain the trojan
code the HLUG reported on their web page.  Hence, I guess that Debian
distributes safe source.
</blockquote>
</p>

<p>
<a name="montavista"></a>
<h4><a href="http://www.mvista.com/">MontaVista Software, Inc.</a></h4>
<blockquote>
We have examined our sources, and our software does not contain this 
trojan.  We are not vulnerable to this advisory.
</blockquote>
</p>

<p>
<a name="suse"></a>
<h4><a href="http://www.suse.com/">SuSE</a></h4>
<blockquote>
SuSE Linux products are not vulnerable.
</blockquote>
</p>


<!-- end vendor -->


<hr noshade>
<p>
Feedback can be directed to the author: 
<a href="mailto:cert@cert.org?subject=CA-2002-30%20Feedback%20CERT%2331289">Roman Danyliw, Chad Dougherty</a>.
</p>


<!--#include virtual="/include/footer_nocopyright.html" -->

<p>Copyright 2002 Carnegie Mellon University.</p>

<p>Revision History
<pre>
November 13, 2002: Initial release
</pre>
</p>