Open Source · 1999-01-21 · 1 day · Backdoor, Remote Code Execution

tcp-wrappers tarball granted remote root

The official source code distribution tarball for tcp-wrappers version 7.6 (tcp_wrappers_7.6.tar.gz) was replaced with a trojaned version on several FTP distribution sites, including the primary site at the time (Eindhoven University).

Story

In January 1999, the trusted tcp-wrappers source archive became the attack path. CERT confirmed that copies of tcp_wrappers_7.6.tar.gz had been modified by an intruder and made available through FTP distribution sites, including the Eindhoven University site that served as the primary upstream location at the time.

The delivery was ordinary FTP retrieval of version 7.6. The file name, project, and expected installation flow all looked normal. The difference was in the archive content and in the checksum, which became the reliable way to split clean source from trojaned source.

The backdoor was small. It could grant root access when an attacker connected from source port 421, and the build also sent identifying system information by email. CERT reissued the advisory on January 22 to correct the port direction, note Wietse Venema's move to a new official distribution site, and publish checksums that let administrators separate authentic source from poisoned source.

The source-port detail mattered operationally. tcp-wrappers existed to mediate network access to services, so a hidden exception in that layer inverted the product's purpose: the access-control wrapper itself became the remote root path for anyone who knew the trigger.

Affected Artifacts

Incident Context

Motive: Unauthorized Access Control
Attribution: Person
Cause: Compromised Infrastructure
Transitive: No
Actor: Individual Hacker

External References

Source record: oss/attacks/tcp-wrappers/meta.yaml