[windows2000] Re: FW: CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution

  • From: "Joe Shonk" <JShonk@xxxxxxxxxxxxxx>
  • To: <windows2000@xxxxxxxxxxxxx>
  • Date: Tue, 8 Oct 2002 17:33:41 -0700

Amazing how the real world can respond quickly to an issue. And
Microsoft wants to standardize on 30 days.

Joe

-----Original Message-----
From: Jim Kenzig http://thethin.net [mailto:jimkenz@xxxxxxxxxxxxxx]
Sent: Tuesday, October 08, 2002 5:02 PM
To: thin@xxxxxxxxxxxxx; windows2000@xxxxxxxxxxxxx
Subject: [windows2000] FW: CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution



I know that this is Linux/Unix related, but just the same, take heed!
JK

-----Original Message-----
From: CERT Advisory [mailto:cert-advisory@xxxxxxxx]
Sent: Tuesday, October 08, 2002 5:40 PM
To: cert-advisory@xxxxxxxx
Subject: CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution




CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution

   Original release date: October 08, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Overview

   The CERT/CC has received confirmation that some copies of the source
   code for the Sendmail package were modified by an intruder to contain
   a Trojan horse.

   Sites that employ, redistribute, or mirror the Sendmail package should
   immediately verify the integrity of their distribution.

I. Description

   The CERT/CC has received confirmation that some copies of the source
   code for the Sendmail package have been modified by an intruder to
   contain a Trojan horse.

   The following files were modified to include the malicious code:

     sendmail.8.12.6.tar.Z
     sendmail.8.12.6.tar.gz

   These files began to appear in downloads from the FTP server
   ftp.sendmail.org on or around September 28, 2002. The Sendmail
   development team disabled the compromised FTP server on October 6,
   2002 at approximately 22:15 PDT. It does not appear that copies
   downloaded via HTTP contained the Trojan horse; however, the CERT/CC
   encourages users who may have downloaded the source code via HTTP
   during this time period to take the steps outlined in the Solution
   section as a precautionary measure.

   The Trojan horse versions of Sendmail contain malicious code that is
   run during the process of building the software. This code forks a
   process that connects to a fixed remote server on 6667/tcp. This
   forked process allows the intruder to open a shell running in the
   context of the user who built the Sendmail software. There is no
   evidence that the process is persistent after a reboot of the
   compromised system. However, a subsequent build of the Trojan horse
   Sendmail package will re-establish the backdoor process.

II. Impact

   An intruder operating from the remote address specified in the
   malicious code can gain unauthorized remote access to any host that
   compiled a version of Sendmail from this Trojan horse version of the
   source code. The level of access would be that of the user who
   compiled the source code.

   It is important to understand that the compromise is to the system
   that is used to build the Sendmail software and not to the systems
   that run the Sendmail daemon. Because the compromised system creates a
   tunnel to the intruder-controlled system, the intruder may have a path
   through network access controls.

III. Solution

Obtain an authentic version of Sendmail

   The primary distribution site for Sendmail is

          http://www.sendmail.org/

   Sites that mirror the Sendmail source code are encouraged to verify
   the integrity of their sources.

Verify software authenticity

   We strongly encourage sites that recently downloaded a copy of the
   Sendmail distribution to verify the authenticity of their
   distribution, regardless of where it was obtained. Furthermore, we
   encourage users to inspect any and all software that may have been
   downloaded from the compromised site. Note that it is not sufficient
   to rely on the timestamps or sizes of the file when trying to
   determine whether or not you have a copy of the Trojan horse version.

Verify PGP signatures

   The Sendmail source distribution is cryptographically signed with the
   following PGP key:

     pub  1024R/678C0A03  2001-12-18  Sendmail Signing Key/2002
     <sendmail@xxxxxxxxxxxx>
     Key fingerprint = 7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45

   The Trojan horse copy did not include an updated PGP signature, so
   attempts to verify its integrity would have failed. The sendmail.org
   staff has verified that the Trojan horse copies did indeed fail PGP
   signature checks.

Verify MD5 checksums

   In the absence of PGP, you can use the following MD5 checksums to
   verify the integrity of your Sendmail source code distribution.
   Correct versions:

     73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz
     cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z
     8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig

   As a matter of good security practice, the CERT/CC encourages users to
   verify, whenever possible, the integrity of downloaded software. For
   more information, see

          http://www.cert.org/incident_notes/IN-2001-06.html

Employ egress filtering

   Egress filtering manages the flow of traffic as it leaves a network
   under your administrative control.

   In the case of the Trojan horse Sendmail distribution, employing
   egress filtering can help prevent systems on your network from
   connecting to the remote intruder-controlled system. Blocking outbound
   TCP connections to port 6667 from your network reduces the risk of
   internal compromised machines communicating with the remote system.

Build software as an unprivileged user

   Sites are encouraged to build software from source code as an
   unprivileged, non-root user on the system. This can lessen the
   immediate impact of Trojan horse software. Compiling software that
   contains Trojan horses as the root user results in a compromise that
   is much more difficult to reliably recover from than if the Trojan
   horse is executed as a normal, unprivileged user on the system.

Recovering from a system compromise

   If you believe a system under your administrative control has been
   compromised, please follow the steps outlined in

          Steps for Recovering from a UNIX or NT System Compromise

Reporting

   The CERT/CC is interested in receiving reports of this activity. If
   machines under your administrative control are compromised, please
   send mail to cert@xxxxxxxx with the following text included in the
   subject line: "[CERT#33376]".

Appendix A. - Vendor Information

   This appendix contains information provided by vendors for this
   advisory. As vendors report new information to the CERT/CC, we will
   update this section and note the changes in our revision history. If a
   particular vendor is not listed below, we have not received their
   comments.
     _________________________________________________________________

   The CERT Coordination Center thanks the staff at the Sendmail
   Consortium for bringing this issue to our attention.
     _________________________________________________________________

   Feedback can be directed to the authors: Chad Dougherty, Marty
   Lindner.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2002-28.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@xxxxxxxx
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site
   http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@xxxxxxxxx. Please include in the body of your
   message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.

   Revision History
October 08, 2002: Initial release



==================================
To Unsubscribe, set digest or vacation
mode or view archives use the below link.

http://thethin.net/win2000list.cfm

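Added example, not part of the advisory or of the Sendmail project: a small Python checker that parses the MD5 list published in the advisory, hashes a downloaded archive in chunks, and, in demo(), uses two constructed files (not real Sendmail archives) to show why the advisory says file size and timestamps are not enough to tell a tampered copy from the real one.

```python
import hashlib
import os
import tempfile

# MD5 checksums for the authentic release, as listed in CA-2002-28.
EXPECTED_MD5 = """
73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz
cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z
8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig
"""

def parse_checksums(text):
    """Parse 'hexdigest filename' lines into {filename: digest}; reject junk."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 2 or len(parts[0]) != 32 or set(parts[0].lower()) - set("0123456789abcdef"):
            raise ValueError(f"malformed MD5 entry: {line!r}")
        table[parts[1]] = parts[0].lower()
    return table

def md5_of_file(path, chunk=1 << 16):
    """Hash in chunks so a large archive need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(path, table):
    """True if the file's MD5 matches the published entry for its basename."""
    return md5_of_file(path) == table[os.path.basename(path)]

def demo():
    """Constructed files, not real archives: same size and mtime, different MD5."""
    stamp = 1033200000 * 10**9  # one fixed mtime (ns) applied to both copies
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "mirror", "sendmail.8.12.6.tar.gz")
        bad = os.path.join(d, "ftp", "sendmail.8.12.6.tar.gz")
        for path, body in ((good, b"authentic archive bytes\n"),
                           (bad, b"trojaned  archive bytes\n")):  # same length
            os.makedirs(os.path.dirname(path))
            with open(path, "wb") as f:
                f.write(body)
            os.utime(path, ns=(stamp, stamp))
        meta = lambda p: (os.stat(p).st_size, os.stat(p).st_mtime_ns)
        table = {"sendmail.8.12.6.tar.gz": md5_of_file(good)}  # stand-in for a published list
        return meta(good) == meta(bad), verify(good, table), verify(bad, table)
```

To check a real download, call verify(path, parse_checksums(EXPECTED_MD5)) on the archive; a PGP signature check against the key listed in the advisory remains the stronger test.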