Devon & Cornwall Linux Users' Group


[LUG] sendmail WARNING

Found this:

OPEN SORES: SENDMAIL SOURCE CODE GETS INFECTED
CERT reported on October 8 that the official source code distributions 
for the ubiquitous Sendmail mail server had been contaminated by an 
intruder. The interloper planted a Trojan horse in the Sendmail source 
code so that users compiling the code would compromise their systems. 
The following two source files were infected:

     sendmail.8.12.6.tar.Z
     sendmail.8.12.6.tar.gz

The Trojan code runs only during the "make" process, so the resulting 
Sendmail code is not contaminated. However, the Trojan code connects 
to a fixed remote server on TCP port 6667, opening a command shell 
giving the Trojan's author backdoor access to the user profile 
compiling the Sendmail code. If the code is compiled under the 
authority of the Unix root user (an ill-advised but nevertheless 
frequent practice), then the backdoor has root-level control of the 
infected machine. 

The files resided on the Sendmail source repository server, 
ftp.sendmail.org, and were infected on or about September 28, 2002. 
Sendmail's developers noticed the problem and shut down the affected 
server on October 6, so there was a nine-day window of distribution 
from Sendmail's authoritative master copies. 

Unfortunately, in that nine days, hundreds, if not thousands, of 
people downloaded the same contaminated files from mirror sites that 
obtained their copies from Sendmail's official servers.  

Sendmail's developers included a PGP signature on the source file, and 
the interloper failed to (and likely could not) update this signature. 
Any Sendmail user verifying this signature would have detected the 
fraudulent source code. Amazingly, nobody did verify the signature 
during the nine days. 

CERT has some good recommendations that can help head off these 
open-source security exposures. First, always verify source code 
signatures when they are present before compiling any source code 
obtained from an outside source. Second, employ egress filtering on your 
network to block unknown outbound protocols. Third, always compile 
software as an unprivileged user, rather than as the root user. It is 
also a good idea to avoid software that must execute under the 
privileged user profile.

For complete details on this incident, as well as a handy tutorial on 
verifying digital signatures, refer to the CERT advisory:

http://www.cert.org/advisories/CA-2002-28.html

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe.
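As an added example (not from the original post, the newsletter, or the Sendmail project), a POSIX shell script that applies the first and third recommendations above: it refuses to unpack or run make on a source tarball unless a detached PGP signature verifies against a keyring of pinned developer keys, and refuses to build as root. The keyring path, the file names and the presence of gpg on the build host are assumptions.

```shell
#!/bin/sh
# Added example: verify a source tarball's detached PGP signature against a
# pinned keyring before unpacking it, then build only as an unprivileged user.
# Assumed: gpg is installed; file and keyring names are placeholders.
set -eu

# verify_source_tarball TARBALL SIGNATURE KEYRING
# Returns 0 only when gpg verifies SIGNATURE over TARBALL with a key found in
# KEYRING. Missing files, a missing gpg, or a bad signature all fail closed.
verify_source_tarball() {
    tarball=$1; sig=$2; keyring=$3
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; refusing to build unverified source" >&2
        return 1
    fi
    for f in "$tarball" "$sig" "$keyring"; do
        if [ ! -f "$f" ]; then
            echo "missing $f; refusing to build unverified source" >&2
            return 1
        fi
    done
    # --no-default-keyring with an explicit --keyring: trust only the pinned
    # developer keys, not whatever happens to sit in the user's own keyring.
    if ! gpg --batch --no-default-keyring --keyring "$keyring" \
             --verify "$sig" "$tarball" >/dev/null 2>&1; then
        echo "BAD SIGNATURE on $tarball; do not unpack or compile it" >&2
        return 1
    fi
    echo "signature OK: $tarball"
}

# verified_build TARBALL SIGNATURE KEYRING
# The Trojan in the incident above ran inside "make", so a verified tarball
# and a non-root account are both preconditions for running the build.
verified_build() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to compile as root; use an unprivileged account" >&2
        return 1
    fi
    verify_source_tarball "$1" "$2" "$3" || return 1
    builddir=$(mktemp -d)
    tar -xzf "$1" -C "$builddir"
    ( cd "$builddir"/* && make )
}

# Usage: ./verified-build.sh sendmail.8.12.6.tar.gz sendmail.8.12.6.tar.gz.sig pinned-keys.gpg
if [ "$#" -eq 3 ]; then
    verified_build "$1" "$2" "$3"
fi
```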
