Old 12-04-2016, 04:27 PM   #1
slicktrail
LQ Newbie
Registered: Dec 2016
Posts: 4
Potential Exploit? Potential Backdoor? Strange code in '/usr/android/adb' Package: android-tools-adb


Hey all,

So, I have been running Linux for a couple of years now. Definitely not an expert or anything, and continuing to learn more and more as days go by. I came across something interesting in the "android-tools-adb" package that raised some questions... First, I'll explain what got me looking into it in the first place. And next I'll go into a little more detail in regards to what I've found in the "/usr/bin/adb" binary.

// Running Distro and Info
Code:
Distro: Linux Mint 17.3
Kernel: 4.4.0-47-generic
// Where and why I started investigating everything. Noticed every single time I ssh into my computer
// the following appears in the "/var/log/auth.log" (may not be an issue, like I said, still learning)
// Some Things to Note:
- 'linux01' (computer in question) sshd is listening on port 2222. Not default port 22
- 'linux01' sshd_config has 'LogLevel VERBOSE' set
- ssh'ing from my laptop (linux02) which runs Linux Mint 18 with 2 private keys in my ssh-agent
- Have checked fingerprints for private keys on laptop
- Have checked fingerprints for public keys in 'authorized_keys' for 'user01' on 'linux01'
- None of these fingerprints match the fingerprint that fails in the log below
- Fingerprints have been replaced with dummy fingerprints in log below. (AA:AA fails. BB:BB succeeds)

// I should also note, that I used the following commands to check the fingerprint for the keys.
Code:
$ ssh-keygen -lf <key_here>
$ cat /var/log/auth.log
Code:
Dec  4 10:54:12 linux01 sshd[4380]: Set /proc/self/oom_score_adj to 0
Dec  4 10:54:12 linux01 sshd[4380]: Connection from 10.0.1.29 port 37190 on 10.0.1.3 port 2222
Dec  4 10:54:12 linux01 sshd[4380]: Failed publickey for user01 from 10.0.1.29 port 37190 ssh2: RSA AA:AA:AA:AA
Dec  4 10:54:12 linux01 sshd[4380]: Postponed publickey for user01 from 10.0.1.29 port 37190 ssh2 [preauth]
Dec  4 10:54:12 linux01 sshd[4380]: Accepted publickey for user01 from 10.0.1.29 port 37190 ssh2: RSA BB:BB:BB:BB
Dec  4 10:54:12 linux01 sshd[4380]: pam_unix(sshd:session): session opened for user user01 by (uid=0)
Dec  4 10:54:12 linux01 sshd[4380]: User child is on pid 4391
Dec  4 10:54:12 linux01 sshd[4391]: Starting session: shell on pts/3 for user01 from 10.0.1.29 port 37190
// After not being able to find a match for the key, I decided to look further into some other things, like running debsums.
// Sure enough, '/usr/bin/adb' was the first one on the list
// Next Steps Taken:
- run debsums to verify packages
- diagnose '/usr/bin/adb' package. find out why it's failing debsums

// Things found in debsums
$ sudo debsums -as
Code:
debsums: changed file /usr/bin/adb (from android-tools-adb package)
debsums: changed file /etc/legal (from base-files package)
debsums: changed file /etc/issue (from base-files package)
debsums: changed file /etc/lsb-release (from base-files package)
debsums: changed file /etc/update-motd.d/10-help-text (from base-files package)
debsums: changed file /etc/issue.net (from base-files package)
debsums: changed file /etc/bash.bashrc (from bash package)
debsums: missing file /etc/skel/.bashrc (from bash package)
debsums: changed file /etc/casper.conf (from casper package)
debsums: changed file /etc/default/cups (from cups-daemon package)
debsums: changed file /usr/share/cups/data/default-testpage.pdf (from cups-filters package)
debsums: changed file /etc/gnome/defaults.list (from desktop-file-utils package)
debsums: changed file /usr/share/applications/evince.desktop (from evince-common package)
debsums: changed file /usr/lib/firefox/browser/defaults/preferences/vendor-firefox.js (from firefox package)
debsums: changed file /usr/lib/firefox/distribution/distribution.ini (from firefox package)
debsums: changed file /usr/share/icons/HighContrast/16x16/places/start-here.png (from gnome-accessibility-themes package)
debsums: changed file /usr/share/icons/HighContrast/22x22/places/start-here.png (from gnome-accessibility-themes package)
debsums: changed file /usr/share/icons/HighContrast/24x24/places/start-here.png (from gnome-accessibility-themes package)
debsums: changed file /usr/share/icons/HighContrast/32x32/places/start-here.png (from gnome-accessibility-themes package)
debsums: changed file /usr/share/icons/HighContrast/48x48/places/start-here.png (from gnome-accessibility-themes package)
debsums: changed file /usr/share/icons/HighContrast/scalable/places/start-here.svg (from gnome-accessibility-themes package)
debsums: changed file /usr/share/icons/gnome/16x16/places/ubuntu-logo.png (from gnome-icon-theme-full package)
debsums: changed file /usr/share/icons/gnome/22x22/places/ubuntu-logo.png (from gnome-icon-theme-full package)
debsums: changed file /usr/share/icons/gnome/24x24/places/ubuntu-logo.png (from gnome-icon-theme-full package)
debsums: changed file /usr/share/icons/gnome/32x32/places/ubuntu-logo.png (from gnome-icon-theme-full package)
debsums: changed file /usr/share/icons/gnome/scalable/places/ubuntu-logo.svg (from gnome-icon-theme-full package)
debsums: changed file /etc/grub.d/10_linux (from grub-common package)
debsums: changed file /usr/share/applications/itweb-settings.desktop (from icedtea-netx-common package)
debsums: changed file /usr/share/applications/libreoffice-draw.desktop (from libreoffice-draw package)
debsums: changed file /usr/share/applications/libreoffice-math.desktop (from libreoffice-math package)
debsums: changed file /etc/sane.d/dll.conf (from libsane:amd64 package)
debsums: changed file /etc/mdm/mdm.conf (from mdm package)
debsums: changed file /etc/mime.types (from mime-support package)
debsums: changed file /usr/lib/linuxmint/mintSources/CountryInformation.pyc (from mintsources package)
debsums: changed file /usr/lib/linuxmint/mintUpdate/mintUpdate.py (from mintupdate package)
debsums: changed file /etc/NetworkManager/NetworkManager.conf (from network-manager package)
debsums: changed file /usr/share/applications/openjdk-7-policytool.desktop (from openjdk-7-jre:amd64 package)
debsums: missing file /etc/openvpn/update-resolv-conf (from openvpn package)
debsums: changed file /usr/share/icons/oxygen/16x16/places/start-here.png (from oxygen-icon-theme package)
debsums: changed file /usr/share/icons/oxygen/22x22/places/start-here.png (from oxygen-icon-theme package)
debsums: changed file /usr/share/icons/oxygen/32x32/places/start-here.png (from oxygen-icon-theme package)
debsums: changed file /usr/share/icons/oxygen/48x48/places/start-here.png (from oxygen-icon-theme package)
debsums: changed file /etc/init/plymouth-shutdown.conf (from plymouth package)
debsums: changed file /etc/init/plymouth-stop.conf (from plymouth package)
debsums: changed file /etc/sysctl.conf (from procps package)
debsums: changed file /etc/proxychains.conf (from proxychains package)
debsums: missing file /etc/apt/apt.conf.d/90rkhunter (from rkhunter package)
debsums: changed file /etc/rkhunter.conf (from rkhunter package)
debsums: changed file /etc/default/softflowd (from softflowd package)
debsums: changed file /usr/share/sounds/freedesktop/stereo/device-added.oga (from sound-theme-freedesktop package)
debsums: changed file /usr/share/sounds/freedesktop/stereo/device-removed.oga (from sound-theme-freedesktop package)
debsums: changed file /etc/ssmtp/revaliases (from ssmtp package)
debsums: changed file /usr/share/applications/steam.desktop (from steam-launcher package)
debsums: missing file /etc/apt/trusted.gpg.d/steam.gpg (from steam-launcher package)
debsums: missing file /etc/apt/sources.list.d/steam.list (from steam-launcher package)
debsums: changed file /usr/share/polkit-1/actions/com.ubuntu.pkexec.synaptic.policy (from synaptic package)
debsums: changed file /usr/share/synaptic/gtkbuilder/window_main.ui (from synaptic package)
debsums: changed file /usr/share/applications/vino-preferences.desktop (from vino package)
debsums: changed file /etc/xdg/autostart/vino-server.desktop (from vino package)
debsums: changed file /etc/xdg/autostart/user-dirs-update-gtk.desktop (from xdg-user-dirs-gtk package)
debsums: changed file /usr/share/applications/yelp.desktop (from yelp package)
// Things found in "/usr/bin/adb"
// NOTE: this file keeps changing. I have provided 3 pastebin examples below
$ sudo cat /usr/bin/adb

'starting interactive shell' was highlighted in red, about 1/3 of the way down the file.
Code:
ANDROID_BUILD_TOPTOPadb: bad TOP value "%s"
%s/out/target/product/%s-H* could not start server *
Usage: adb devices [-l]
host:%s%sList of devices attached connecthost:connect:%sdisconnecthost:disconnect:%shost:disconnect:shellhellstarting interactive shell
shell:%sread_and_dump() done.
At the end of the file:
// Next steps i took was to dig further into the "android-tools-adb" package
// I ran the following commands from 'linux01' and received the following outputs
// NOTE: The last command had the 'interactive shell' highlighted in RED again

Code:
linux01 dummy-packages $ apt-cache show android-tools-adb
Package: android-tools-adb
Priority: extra
Section: universe/devel
Installed-Size: 225
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.hu>
Architecture: amd64
Source: android-tools
Version: 4.2.2+git20130218-3ubuntu23
Depends: libc6 (>= 2.15), libssl1.0.0 (>= 1.0.0), zlib1g (>= 1:1.1.4)
Filename: pool/universe/a/android-tools/android-tools-adb_4.2.2+git20130218-3ubuntu23_amd64.deb
Size: 65826
MD5sum: 0fa037e240396441f215c5decbf11018
SHA1: 9630e294c16561cc7e24c05903710b4f9d59829a
SHA256: 818e2465f2511fa0866d27ee55cceb158b6d41f0df13c08ee3736a525ed60052
Description-en: Android Debug Bridge CLI tool
 Android Debug Bridge (adb) is a versatile tool lets you manage the
 state of an emulator instance or Android-powered device. It is a
 client-server program that includes three components:
 .
 A client, which runs on your development machine. You can invoke a
 client from a shell by issuing an adb command. Other Android tools such
 as the ADT plugin and DDMS also create adb clients.
 .
 A server, which runs as a background process on your development
 machine.  The server manages communication between the client and the
 adb daemon running on an emulator or device.
 .
 A daemon, which runs as a background process on each emulator or device
 instance.
Description-md5: 30c66d9c45ba5672c226dad4b01cee1f
Homepage: http://developer.android.com/guide/developing/tools/adb.html
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu

linux01 dummy-packages $ apt-get download android-tools-adb
Get:1 http://archive.ubuntu.com/ubuntu/ trusty/universe android-tools-adb amd64 4.2.2+git20130218-3ubuntu23 [65.8 kB]
Fetched 65.8 kB in 0s (89.2 kB/s)          
linux01 dummy-packages $ sha256sum android-tools-adb_4.2.2+git20130218-3ubuntu23_amd64.deb |grep 818e2465f2511fa0866d27ee55cceb158b6d41f0df13c08ee3736a525ed60052
818e2465f2511fa0866d27ee55cceb158b6d41f0df13c08ee3736a525ed60052  android-tools-adb_4.2.2+git20130218-3ubuntu23_amd64.deb

linux01 dummy-packages $ dpkg -X android-tools-adb_4.2.2+git20130218-3ubuntu23_amd64.deb .
./
./lib/
./lib/udev/
./lib/udev/rules.d/
./lib/udev/rules.d/70-android-tools-adb.rules
./usr/
./usr/bin/
./usr/bin/adb
./usr/share/
./usr/share/man/
./usr/share/man/man1/
./usr/share/man/man1/adb.1.gz
./usr/share/doc/
./usr/share/doc/android-tools-adb/
./usr/share/doc/android-tools-adb/changelog.Debian.gz
./usr/share/doc/android-tools-adb/copyright
./etc/
./etc/bash_completion.d/
./etc/bash_completion.d/adb

linux01 dummy-packages $ cat usr/bin/adb
<DID_NOT_REPORT_EVERYTHING_AT_THE_END_OF_THIS_FILE_LIKE_ABOVE>

linux01 dummy-packages $ cat usr/bin/adb |grep -ia -A 5 -B 5 "interactive shell"
from fork()execing pppd/data/local/tmp/%s/sdcard/tmp/%s--algo--iv--keywait-for-usbwait-for-localwait-for-anyforward:norebind:ANDROID_PRODUCT_OUTANDROID_SERIALANDROID_ADB_SERVER_PORTnodaemonpersist-padb: Couldn't get CWD: %s
adb: Couldn't assemble path
ANDROID_BUILD_TOPadb: bad TOP value "%s"
%s/out/target/product/%s-H* could not start server *
Usage: adb devices [-l]
host:%s%sList of devices attached host:connect:%sdisconnecthost:disconnect:%sshellstarting interactive shell
shell:%sread_and_dump() done.

- waiting for device -
wait-for-devicekill-server* server not running *
remountrebootreboot-bootloadertcpiproot%s:bugreportwait-for-failure: %s *
--
adb: Couldn't find a product dir based on "-p %s"; "%s" doesn't exist
adb: port number must be a positive number less than 65536. Got "%s"
adb: port number must be a positive number less than 65536. Got empty string.
Usage: adb connect <host>[:<port>]
Usage: adb disconnect [<host>[:<port>]]
interactive shell loop. buff=%s
about to read_and_dump(fd=%d)
interactive shell loop. return r=%d
shell:export ANDROID_LOG_TAGS="%s" ; exec logcatadb: -f passed with no filename
adb: unable to connect for backup
Now unlock your device and confirm the backup operation.Now unlock your device and confirm the restore operation.adb: could not resolve "-p %s"
The -k option uninstalls the application while retaining the data/cache.
At the moment, there is no way to remove the remaining data.
// That's about as far as I have gotten so far. So now for the questions...

1) Why is it every time I am connecting to linux01 from linux02 I see 'Failed publickey for user01' in the /var/log/auth.log file?
2) From my experience and knowledge with linux so far (still learning though) this looks like '/usr/bin/adb' is infected. What are your thoughts?
3) After downloading the 'android-tools-adb' package directly from the repository on linux01 with the 'apt-get download' and 'dpkg -X' commands above. Why is it still showing the 'starting interactive shell' in RED highlight.
3.2) Is this something to be concerned about?
3.3) Is this potentially a vulnerability in the 'android-tools-adb' package?
4) After reviewing all the info, what are your thoughts?

Thanks,
- slicktrail
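The 'Failed publickey' immediately followed by 'Accepted publickey' pattern in the auth.log above, as an added example that is not part of the original post: with LogLevel VERBOSE, sshd logs one line per key the client offers, so the parser below groups publickey lines by connection (the sshd PID) and reports a rejected key that is followed by an accepted key on the same connection as a key probe rather than a separate failed login, while still flagging connections where no key was accepted or where the accepted fingerprint is not one you expect. The sample log lines are constructed for this example (the first connection mirrors the post's dummy AA:AA / BB:BB fingerprints); TRUSTED_FINGERPRINTS and the label names are this example's own.

```python
"""Correlate sshd 'publickey' log lines per connection (added example).

With LogLevel VERBOSE, sshd logs one line per key the client offers. Keys
held by ssh-agent and the default ~/.ssh/id_* identity files are tried in
order, so a 'Failed publickey' that is immediately followed by 'Accepted
publickey' from the same sshd PID is the client moving on to its next key,
not a separate login attempt. Connections with no accepted key at all, or
with an accepted fingerprint outside the trusted set, are the ones to chase.
"""
import re
from collections import OrderedDict

# Constructed sample log. Connection 4380 is the one from the post; 4501 only
# ever fails; 4620 accepts a key that is not in TRUSTED_FINGERPRINTS.
SAMPLE_AUTH_LOG = """\
Dec  4 10:54:12 linux01 sshd[4380]: Connection from 10.0.1.29 port 37190 on 10.0.1.3 port 2222
Dec  4 10:54:12 linux01 sshd[4380]: Failed publickey for user01 from 10.0.1.29 port 37190 ssh2: RSA AA:AA:AA:AA
Dec  4 10:54:12 linux01 sshd[4380]: Postponed publickey for user01 from 10.0.1.29 port 37190 ssh2 [preauth]
Dec  4 10:54:12 linux01 sshd[4380]: Accepted publickey for user01 from 10.0.1.29 port 37190 ssh2: RSA BB:BB:BB:BB
Dec  4 11:02:03 linux01 sshd[4501]: Connection from 10.0.1.77 port 40112 on 10.0.1.3 port 2222
Dec  4 11:02:03 linux01 sshd[4501]: Failed publickey for user01 from 10.0.1.77 port 40112 ssh2: RSA CC:CC:CC:CC
Dec  4 11:02:04 linux01 sshd[4501]: Failed publickey for user01 from 10.0.1.77 port 40112 ssh2: RSA DD:DD:DD:DD
Dec  4 11:10:45 linux01 sshd[4620]: Connection from 10.0.1.29 port 37201 on 10.0.1.3 port 2222
Dec  4 11:10:45 linux01 sshd[4620]: Accepted publickey for user01 from 10.0.1.29 port 37201 ssh2: RSA EE:EE:EE:EE
"""

# Assumed: the fingerprints you verified in authorized_keys (hypothetical set).
TRUSTED_FINGERPRINTS = {"BB:BB:BB:BB"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Failed|Accepted) publickey for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2: (?P<keytype>\S+) (?P<fp>\S+)"
)


def correlate(log_text):
    """Group Failed/Accepted publickey lines by (host, sshd pid).

    Returns an ordered dict keyed by (host, pid) holding the user, source ip,
    the fingerprints that failed (in order) and the accepted one (or None).
    Lines that are not publickey results (Connection, Postponed, ...) are skipped.
    """
    conns = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["host"], m["pid"])
        c = conns.setdefault(key, {"user": m["user"], "ip": m["ip"],
                                   "failed": [], "accepted": None})
        if m["result"] == "Failed":
            c["failed"].append(m["fp"])
        else:
            c["accepted"] = m["fp"]
    return conns


def classify(conn, trusted):
    """Label one correlated connection (label names are this example's own)."""
    if conn["accepted"] is None:
        return "no-key-accepted"         # every offered key was rejected
    if conn["accepted"] not in trusted:
        return "accepted-untrusted-key"  # a key you did not expect authorised the login
    if conn["failed"]:
        return "benign-key-probe"        # keys tried in order, then the trusted one matched
    return "ok"


def findings(log_text, trusted=TRUSTED_FINGERPRINTS):
    """(pid, label, failed fingerprints, accepted fingerprint) per connection."""
    return [(pid, classify(c, trusted), c["failed"], c["accepted"])
            for (_host, pid), c in correlate(log_text).items()]


if __name__ == "__main__":
    for pid, label, failed, accepted in findings(SAMPLE_AUTH_LOG):
        print(f"sshd[{pid}] {label:24} failed={failed} accepted={accepted}")
```

Two checks are worth doing before concluding that the failing fingerprint belongs to a foreign key. First, run `ssh -v -p 2222 user01@linux01` from linux02: the client prints an "Offering ... public key:" line for every key it tries, which includes ~/.ssh/id_* identity files that ssh offers even when they are not loaded in the agent. Second, compare fingerprints in the same format: sshd on Linux Mint 17.3 (OpenSSH 6.6) logs MD5 hex fingerprints, as in the log above, while `ssh-keygen -l` on Mint 18 (OpenSSH 7.2) prints SHA256 base64 by default, so use `ssh-keygen -E md5 -lf <key>` on the laptop when matching against the server log.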
 
Old 12-05-2016, 05:05 AM   #2
business_kid
LQ Guru
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,248
I wish you well getting security conscious programs to smile on the adb program. adb is for use by coders for hacking into Android installs and doing things Android won't normally let you do. This requires strange code which will excite neurotic programs.
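The debsums report and the 'apt-get download' / 'dpkg -X' steps in the original post, as an added example that is not part of the post, of the debsums tool or of the adb project: Python that performs the same check debsums does (recompute the MD5 of each file listed in /var/lib/dpkg/info/<package>.md5sums), then compares an installed file with the pristine copy extracted from the .deb and diffs the printable strings in the two copies, which is the information that `cat` on a binary cannot give you and which shows directly whether a string such as "starting interactive shell" is in the packaged binary as well. The byte strings and md5sums text are constructed fixtures, not the real adb binary or its package metadata; `check_system` is this example's own helper for running the same logic against a real install.

```python
"""Verify an installed file against its package the way debsums does, then
compare it with a pristine copy extracted from the .deb (added example).

dpkg records an MD5 for each file a package ships (conffiles excepted) in
/var/lib/dpkg/info/<package>.md5sums, one '<md5>  <path relative to />' per
line. debsums recomputes the MD5 of every listed file and reports 'changed'
or 'missing'. The stronger follow-up is a byte comparison against the copy
extracted with 'dpkg -X' from a freshly downloaded .deb, plus a diff of the
printable strings so you can see exactly what differs, if anything.
"""
import hashlib
import re
from pathlib import Path

# Same rule as strings(1) with the default minimum length of 4.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_md5sums(text: str) -> dict:
    """Map '/abs/path' -> md5 from the contents of a dpkg .md5sums file."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, rel = line.partition("  ")
        table["/" + rel.strip()] = digest.strip().lower()
    return table


def verify_against_md5sums(md5sums_text: str, installed: dict) -> dict:
    """installed maps '/abs/path' -> file bytes (absent key = file missing).
    Returns '/abs/path' -> 'ok' | 'changed' | 'missing', like debsums."""
    report = {}
    for path, recorded in parse_md5sums(md5sums_text).items():
        data = installed.get(path)
        if data is None:
            report[path] = "missing"
        elif md5_hex(data) != recorded:
            report[path] = "changed"
        else:
            report[path] = "ok"
    return report


def strings(data: bytes) -> list:
    """Printable ASCII runs of length >= 4, as strings(1) would list them."""
    return [m.decode("ascii") for m in PRINTABLE.findall(data)]


def strings_diff(installed: bytes, pristine: bytes):
    """(strings only in the installed copy, strings only in the pristine copy)."""
    a, b = set(strings(installed)), set(strings(pristine))
    return sorted(a - b), sorted(b - a)


# ---- constructed fixtures (not the real adb binary or package metadata) ----
PRISTINE_ADB = (b"\x7fELF\x02\x01\x01" + bytes(16)
                + b"shellstarting interactive shell\x00shell:%s\x00"
                + b"read_and_dump() done.\x00interactive shell loop. buff=%s\x00")
TAMPERED_ADB = PRISTINE_ADB + b"\x00THIS STRING IS NOT IN THE PACKAGE\x00"
FIXTURE_MD5SUMS = (f"{md5_hex(PRISTINE_ADB)}  usr/bin/adb\n"
                   "d41d8cd98f00b204e9800998ecf8427e  usr/share/man/man1/adb.1.gz\n")


def check_system(package: str, extracted_root: str) -> dict:
    """Run the same checks on a real system (hypothetical helper, not used by
    the fixture run): reads the package's .md5sums from the standard dpkg
    location and compares each 'changed' file with the tree produced by
    'dpkg -X <deb> <extracted_root>'."""
    md5sums = Path(f"/var/lib/dpkg/info/{package}.md5sums").read_text()
    installed = {}
    for path in parse_md5sums(md5sums):
        p = Path(path)
        if p.is_file():
            installed[path] = p.read_bytes()
    report = verify_against_md5sums(md5sums, installed)
    for path, status in list(report.items()):
        pristine = Path(extracted_root) / path.lstrip("/")
        if status == "changed" and pristine.is_file():
            only_inst, only_pkg = strings_diff(installed[path], pristine.read_bytes())
            report[path] = ("changed", only_inst, only_pkg)
    return report


if __name__ == "__main__":
    print(verify_against_md5sums(FIXTURE_MD5SUMS, {"/usr/bin/adb": PRISTINE_ADB,
                                                   "/usr/share/man/man1/adb.1.gz": b""}))
    print(verify_against_md5sums(FIXTURE_MD5SUMS, {"/usr/bin/adb": TAMPERED_ADB}))
    print(strings_diff(TAMPERED_ADB, PRISTINE_ADB))
```

On a real system: `apt-get download android-tools-adb && dpkg -X android-tools-adb_*.deb /tmp/pristine`, then `check_system('android-tools-adb', '/tmp/pristine')`. If the installed and extracted copies differ, the strings diff shows exactly what the installed copy carries that the package does not; if they are byte-identical yet debsums still says 'changed', compare the installed .md5sums file with the one inside the .deb's control archive (`dpkg-deb -e <deb> /tmp/ctrl`), since a modified checksum list makes a pristine file look changed. Conffiles under /etc are not in the .md5sums file (dpkg tracks them in its status file) and are expected to differ after local edits, which is why most of a typical debsums report is /etc entries; the binary under /usr/bin is the one to compare against the package.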