Open source projects, compromised

Every now and then, the news reports on some open source software package that has been compromised (as in backdoored: tampered with to include code or functionality that exposes its users to abuse by third parties). A few days ago it was SquirrelMail; in March it was the massively extended WordPress blogging software. In 2003, the Linux kernel itself experienced a compromise that resulted in a very subtle, discreet backdoor added to the source code of the sys_wait4() function, which allowed privilege escalation to root. Debian, GNU Project and Gentoo servers and distribution sites have been targets of successful attacks, and the CVS project server was attacked in 2004. Recently, Ubuntu community-hosted servers were compromised as well. In 2002, IRSSI (the IRC client) and several network security tools hosted at Monkey.org were modified to contain backdoors that activated at compilation time.
All your base are belong to us.
Some languages are more prone to subtle manipulation for implementing hostile functionality: in C, conditional statements, variable assignment and misuse of operators; in PHP, the preg_replace function, among other possibilities. Some object-oriented languages, Objective-C for instance, also allow class methods and functions to be intercepted easily. In the Linux kernel case, the change could easily have passed as a typo. Sophisticated attackers who inspect and dive into the target before making the definitive move are certainly not a common threat. In the words of BitMover founder Larry McVoy (in an article for SecurityFocus):
"Whoever did this knew what they were doing. They had to find some flags that could be passed to the system without causing an error, and yet are not normally passed together... There isn't any way that somebody could casually come in, not know about UNIX, not know the Linux kernel code, and make this change. Not a chance."
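The C case mentioned above, a single character separating assignment from comparison inside a condition, is easiest to see in code. The following is an added example written for this page: it is neither the kernel's code nor Subreption's, and the task structure, flag values and function names are constructed stand-ins. It places the defective form beside the form a reviewer reads it as, shows the side effect that matters (the caller's uid is overwritten), and why a const pointer is a cheap structural guard against this whole class of change.

```c
#include <stdio.h>

/* Constructed credential record standing in for a process descriptor
 * (added example, not kernel code). */
struct task {
    unsigned int uid;
};

/* Constructed flag values; only the fact that they are a rarely combined
 * pair matters for this example. */
#define WCLONE 0x80000000u
#define WALL   0x40000000u

/* Defective form: a single '=' where '==' was meant. The assignment
 * evaluates to 0, so the condition is always false and the error branch
 * is dead code; the real effect is the side effect, which overwrites the
 * uid of any caller that passes both flags together with 0. The extra
 * parentheses around the assignment are the idiom that silences the
 * compiler's assignment-used-as-condition warning, so -Wall alone is not
 * a reliable detector for this pattern; review and static analysis are. */
int validate_options_defective(struct task *cur, unsigned int options)
{
    int retval = 0;
    if ((options == (WCLONE | WALL)) && (cur->uid = 0))
        retval = -1;
    return retval;
}

/* Reviewed form: what the line above reads as at a glance, with '=='.
 * The task pointer is also const: with it, the defective line would not
 * compile at all, because a check function has no business mutating the
 * record it inspects. That is the guard to ask for in review. */
int validate_options_correct(const struct task *cur, unsigned int options)
{
    int retval = 0;
    if ((options == (WCLONE | WALL)) && (cur->uid == 0))
        retval = -1;
    return retval;
}

/* Run each check on a fresh unprivileged task and report the uid
 * afterwards, so the side effect is observable as a return value. */
unsigned int uid_after_defective(void)
{
    struct task t = { 1000 };
    validate_options_defective(&t, WCLONE | WALL);
    return t.uid;
}

unsigned int uid_after_correct(void)
{
    struct task t = { 1000 };
    validate_options_correct(&t, WCLONE | WALL);
    return t.uid;
}

int main(void)
{
    printf("defective check: uid 1000 becomes %u\n", uid_after_defective());
    printf("reviewed check:  uid 1000 stays   %u\n", uid_after_correct());
    return 0;
}
```

Compiling the reviewed function with the defective comparison pasted in fails on the const pointer, which is the point: a one-character change that survives a skim of the diff does not survive the type system if inspection functions never take mutable pointers to credentials.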
The security industry itself is normally driven by trends, and nowadays the trend is defacements, unsophisticated attacks and propaganda tools. The real threats aren't botnets or Brazilian defacement script-kiddies. One of the main disadvantages affecting open source projects is that their development resources are far more exposed than those of proprietary vendors. It's easy to audit the software powering their version-controlled repository, their issue and bug tracking application, their mail server daemon (hopefully it's Qmail!), etc. While closed source applications are exposed in other ways, an open source project depends entirely on an open development model, which has its own (security) weaknesses. There's no real way to enforce legal obligations and rights for each developer (the insider threat: a rogue developer adding a backdoor himself) without making agreements and other paperwork effective.

About this Entry

This page contains a single entry by Subreption LLC published on December 16, 2007 6:46 PM.