-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution

Original release date: October 08, 2002
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.
Overview

The CERT/CC has received confirmation that some copies of the source code for the Sendmail package were modified by an intruder to contain a Trojan horse.

Sites that employ, redistribute, or mirror the Sendmail package should immediately verify the integrity of their distribution.
I. Description

The CERT/CC has received confirmation that some copies of the source code for the Sendmail package have been modified by an intruder to contain a Trojan horse.

The following files were modified to include the malicious code:

  sendmail.8.12.6.tar.Z
  sendmail.8.12.6.tar.gz

These files began to appear in downloads from the FTP server ftp.sendmail.org on or around September 28, 2002. The Sendmail development team disabled the compromised FTP server on October 6, 2002 at approximately 22:15 PDT. It does not appear that copies downloaded via HTTP contained the Trojan horse; however, the CERT/CC encourages users who may have downloaded the source code via HTTP during this time period to take the steps outlined in the Solution section as a precautionary measure.

The Trojan horse versions of Sendmail contain malicious code that is run during the process of building the software. This code forks a process that connects to a fixed remote server on 6667/tcp. This forked process allows the intruder to open a shell running in the context of the user who built the Sendmail software. There is no evidence that the process is persistent after a reboot of the compromised system. However, a subsequent build of the Trojan horse Sendmail package will re-establish the backdoor process.
II. Impact

An intruder operating from the remote address specified in the malicious code can gain unauthorized remote access to any host that compiled a version of Sendmail from this Trojan horse version of the source code. The level of access would be that of the user who compiled the source code.

It is important to understand that the compromise is to the system that is used to build the Sendmail software and not to the systems that run the Sendmail daemon. Because the compromised system creates a tunnel to the intruder-controlled system, the intruder may have a path through network access controls.
III. Solution

Obtain an authentic version of Sendmail

The primary distribution site for Sendmail is

  http://www.sendmail.org/

Sites that mirror the Sendmail source code are encouraged to verify the integrity of their sources.
Verify software authenticity

We strongly encourage sites that recently downloaded a copy of the Sendmail distribution to verify the authenticity of their distribution, regardless of where it was obtained. Furthermore, we encourage users to inspect any and all software that may have been downloaded from the compromised site. Note that it is not sufficient to rely on the timestamps or sizes of the files when trying to determine whether or not you have a copy of the Trojan horse version.
Verify PGP signatures

The Sendmail source distribution is cryptographically signed with the following PGP key:

  pub  1024R/678C0A03 2001-12-18 Sendmail Signing Key/2002 <sendmail@Sendmail.ORG>
       Key fingerprint = 7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45

The Trojan horse copy did not include an updated PGP signature, so attempts to verify its integrity would have failed. The sendmail.org staff has verified that the Trojan horse copies did indeed fail PGP signature checks.
Verify MD5 checksums

In the absence of PGP, you can use the following MD5 checksums to verify the integrity of your Sendmail source code distribution:

Correct versions:

  73e18ea78b2386b774963c8472cbd309  sendmail.8.12.6.tar.gz
  cebe3fa43731b315908f44889d9d2137  sendmail.8.12.6.tar.Z
  8b9c78122044f4e4744fc447eeafef34  sendmail.8.12.6.tar.sig

As a matter of good security practice, the CERT/CC encourages users to verify, whenever possible, the integrity of downloaded software. For more information, see

  http://www.cert.org/incident_notes/IN-2001-06.html
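The following shell script is an added example, not part of the CERT advisory or of the Sendmail distribution, showing how the two checks described above (the MD5 list and the detached PGP signature) can be scripted on the machine that downloaded the archive. The checksums embedded in it are copied from the "Correct versions" list above; the function and variable names are the example's own, and it assumes that the detached signature sendmail.8.12.6.tar.sig covers the uncompressed .tar and that the Sendmail Signing Key has already been imported into gpg and its fingerprint compared against the one printed above.

```shell
#!/bin/sh
# Added example (not from the advisory): verify a downloaded Sendmail
# 8.12.6 archive against the MD5 checksums published in CA-2002-28 and,
# where gpg is installed, against the detached PGP signature.
# Assumption: the .sig signs the uncompressed .tar, so decompress first.

# Known-good checksums, copied verbatim from the advisory's list.
KNOWN_MD5='73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz
cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z
8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig'

# md5_of FILE: print the MD5 hex digest using whichever tool the host has.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"                      # BSD / macOS
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# known_md5 NAME: print the published checksum for NAME, or nothing if
# the advisory lists no checksum for that file name.
known_md5() {
    printf '%s\n' "$KNOWN_MD5" | awk -v n="$1" '$2 == n {print $1}'
}

# verify_md5 FILE EXPECTED: succeed only if FILE's digest equals EXPECTED.
verify_md5() {
    actual=$(md5_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# check_distribution FILE: look the file up by basename and compare.
# Exit status: 0 match, 1 mismatch, 2 file name not in the published list.
check_distribution() {
    name=$(basename "$1")
    expected=$(known_md5 "$name")
    if [ -z "$expected" ]; then
        echo "$name: no published checksum, cannot verify" >&2
        return 2
    fi
    if verify_md5 "$1" "$expected"; then
        echo "$name: MD5 OK"
    else
        echo "$name: MD5 MISMATCH - do not build from this copy" >&2
        return 1
    fi
}

# verify_signature TAR SIG: check the detached signature with gpg. This is
# only meaningful after the Sendmail Signing Key has been imported and its
# fingerprint checked against the advisory out of band.
verify_signature() {
    gpg --verify "$2" "$1"
}

# Typical use after downloading (file names as listed in the advisory):
#   check_distribution sendmail.8.12.6.tar.gz
#   gunzip -c sendmail.8.12.6.tar.gz > sendmail.8.12.6.tar
#   verify_signature sendmail.8.12.6.tar sendmail.8.12.6.tar.sig
```

Because the checksum list is keyed by file name, a renamed or unlisted archive is reported as unverifiable (exit status 2) rather than silently passing; treat that outcome the same way as a mismatch until the file has been checked by another route.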
Employ egress filtering

Egress filtering manages the flow of traffic as it leaves a network under your administrative control.

In the case of the Trojan horse Sendmail distribution, employing egress filtering can help prevent systems on your network from connecting to the remote intruder-controlled system. Blocking outbound TCP connections to port 6667 from your network reduces the risk of internal compromised machines communicating with the remote system.
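As an added example (not part of the advisory), the script below pairs the egress-filtering advice with a quick host-side check for the behaviour described in the Description section: it scans netstat-style connection lines for established outbound connections to 6667/tcp, which is what a build host that has already run the Trojan horse would show, and it prints the firewall rules that would block such connections. The sample connection lines are constructed for the example, the iptables syntax is an assumption about the firewall in use, and the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example (not from the advisory): detect and block outbound 6667/tcp.

# audit_outbound_6667: read `netstat -an`-style lines on stdin and print
# "LOCAL -> REMOTE" for each established TCP connection whose remote port
# is 6667. Field layout assumed: proto recv-q send-q local remote state.
audit_outbound_6667() {
    awk '$1 ~ /^tcp/ {
        n = split($5, r, ":")              # remote address:port is field 5
        if (r[n] == "6667" && $6 == "ESTABLISHED") print $4, "->", $5
    }'
}

# count_outbound_6667: same filter, printing only the number of hits so a
# cron job or monitoring check can alert when the count is non-zero.
count_outbound_6667() {
    audit_outbound_6667 | wc -l | tr -d ' '
}

# egress_rules: print (do not apply) iptables rules that log and reject
# outbound connections to 6667/tcp from this host. Review, then pipe to sh
# as root if the rules fit your environment; adapt for a border firewall.
egress_rules() {
    cat <<'EOF'
iptables -A OUTPUT -p tcp --dport 6667 -j LOG --log-prefix "EGRESS-6667 "
iptables -A OUTPUT -p tcp --dport 6667 -j REJECT
EOF
}

# Constructed sample in the layout of Linux `netstat -an` (not real data;
# addresses are from documentation ranges). The second line is the kind of
# connection the Trojan horse build would leave open.
SAMPLE_NETSTAT='tcp        0      0 192.0.2.10:22          192.0.2.77:51644        ESTABLISHED
tcp        0      0 192.0.2.10:44120       198.51.100.5:6667       ESTABLISHED
tcp        0      0 192.0.2.10:44121       198.51.100.5:80         TIME_WAIT
tcp6       0      0 :::25                  :::*                    LISTEN'

# Live use on a build host: netstat -an | audit_outbound_6667
# Dry run on the sample:     printf '%s\n' "$SAMPLE_NETSTAT" | audit_outbound_6667
```

A non-empty result from the audit on a host that recently built Sendmail is a reason to treat that host as compromised and follow the recovery steps below; the absence of a hit is not proof of a clean system, since the advisory notes the process does not survive a reboot.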
Build software as an unprivileged user

Sites are encouraged to build software from source code as an unprivileged, non-root user on the system. This can lessen the immediate impact of Trojan horse software. Compiling software that contains Trojan horses as the root user results in a compromise that is much more difficult to reliably recover from than if the Trojan horse is executed as a normal, unprivileged user on the system.
Recovering from a system compromise

If you believe a system under your administrative control has been compromised, please follow the steps outlined in

  Steps for Recovering from a UNIX or NT System Compromise
Reporting

The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to cert@cert.org with the following text included in the subject line: "[CERT#33376]".
Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.
_________________________________________________________________
The CERT Coordination Center thanks the staff at the Sendmail Consortium for bringing this issue to our attention.
_________________________________________________________________
Feedback can be directed to the authors: Chad Dougherty, Marty Lindner.
______________________________________________________________________
This document is available from:

  http://www.cert.org/advisories/CA-2002-28.html
______________________________________________________________________
CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
  CERT Coordination Center
  Software Engineering Institute
  Carnegie Mellon University
  Pittsburgh PA 15213-3890
  U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

  http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.
Getting security information

CERT publications and other security information are available from our web site

  http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

  subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History

October 08, 2002: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBPaNCtmjtSoHZUTs5AQHXrgQA2CkSFrIQxV9dLy07J0ezZgT2RrfCDpXY
lPO0HhPe4kcbw4AMXs5LAjhA7DoW32PjAytRWOCNMu1FFDbl3eohf7OP2ZjtgYnD
kwpfjPKVejJDD1BX2O/+jb1rlUKOm2tIt7NK+w8HKOKUYZal/x3RI3AxnAAGLv8A
/DNWpyNYsGg=
=fL1h
-----END PGP SIGNATURE-----