80390 2002-10-09  01:29  /7 lines/ Dave Ahmad <da@securityfocus.com>
Imported: 2002-10-09  01:29  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <1848>
Subject: CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution (fwd)
------------------------------------------------------------


David Mirza Ahmad
Symantec
KeyID: 0x26005712
Fingerprint: 8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
(80390) /Dave Ahmad <da@securityfocus.com>/(Rewrapped)
Attachment (message/rfc822) in text 80391
80391 2002-10-09  01:29  /265 lines/ Dave Ahmad <da@securityfocus.com>
Imported: 2002-10-09  01:29  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <1849>
Attachment (text/plain) to text 80390
Subject: Attachment to: CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution (fwd)
------------------------------------------------------------
Return-Path: <cert-advisory-owner@cert.org>
Delivered-To: da@securityfocus.com
Received: (qmail 15236 invoked from network); 8 Oct 2002 23:05:08 -0000
Received: from outgoing3.securityfocus.com (HELO outgoing.securityfocus.com) (205.206.231.27)
  by mail.securityfocus.com with SMTP; 8 Oct 2002 23:05:08 -0000
Received: from canaveral.indigo.cert.org (canaveral.indigo.cert.org [192.88.209.169])
	by outgoing.securityfocus.com (Postfix) with ESMTP
	id 12E4BA30C0; Tue,  8 Oct 2002 17:02:08 -0600 (MDT)
Received: from localhost (lnchuser@localhost)
	by canaveral.indigo.cert.org (8.11.6/8.11.6/1.14) with SMTP id g98LQnP01009;
	Tue, 8 Oct 2002 17:26:49 -0400
Date: Tue, 8 Oct 2002 17:26:49 -0400
Message-Id: <CA-2002-28.1@cert.org>
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
List-Help: <http://www.cert.org/>, <mailto:Majordomo@cert.org?body=help>
List-Subscribe: <mailto:Majordomo@cert.org?body=subscribe%20cert-advisory>
List-Unsubscribe: <mailto:Majordomo@cert.org?body=unsubscribe%20cert-advisory>
List-Post: NO (posting not allowed on this list)
List-Owner: <mailto:cert-advisory-owner@cert.org>
List-Archive: <http://www.cert.org/>
Subject: CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution

   Original release date: October 08, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Overview

   The CERT/CC has received confirmation that some copies of the
   source code for the Sendmail package were modified by an intruder
   to contain a Trojan horse.

   Sites that employ, redistribute, or mirror the Sendmail package
   should immediately verify the integrity of their distribution.

I. Description

   The CERT/CC has received confirmation that some copies of the
   source code for the Sendmail package have been modified by an
   intruder to contain a Trojan horse.

   The following files were modified to include the malicious code:

     sendmail.8.12.6.tar.Z
     sendmail.8.12.6.tar.gz

   These files began to appear in downloads from the FTP server
   ftp.sendmail.org on or around September 28, 2002. The Sendmail
   development team disabled the compromised FTP server on October 6,
   2002 at approximately 22:15 PDT. It does not appear that copies
   downloaded via HTTP contained the Trojan horse; however, the CERT/CC
   encourages users who may have downloaded the source code via HTTP
   during this time period to take the steps outlined in the Solution
   section as a precautionary measure.

   The Trojan horse versions of Sendmail contain malicious code that is
   run during the process of building the software. This code forks a
   process that connects to a fixed remote server on 6667/tcp. This
   forked process allows the intruder to open a shell running in the
   context of the user who built the Sendmail software. There is no
   evidence that the process is persistent after a reboot of the
   compromised system. However, a subsequent build of the Trojan horse
   Sendmail package will re-establish the backdoor process.

II. Impact

   An intruder operating from the remote address specified in the
   malicious code can gain unauthorized remote access to any host that
   compiled a version of Sendmail from this Trojan horse version of the
   source code. The level of access would be that of the user who
   compiled the source code.

   It is important to understand that the compromise is to the system
   that is used to build the Sendmail software and not to the systems
   that run the Sendmail daemon. Because the compromised system creates
   a tunnel to the intruder-controlled system, the intruder may have a
   path through network access controls.

III. Solution

Obtain an authentic version of Sendmail

   The primary distribution site for Sendmail is

          http://www.sendmail.org/

   Sites that mirror the Sendmail source code are encouraged to verify
   the integrity of their sources.

Verify software authenticity

   We strongly encourage sites that recently downloaded a copy of the
   Sendmail distribution to verify the authenticity of their
   distribution, regardless of where it was obtained. Furthermore, we
   encourage users to inspect any and all software that may have been
   downloaded from the compromised site. Note that it is not sufficient
   to rely on the timestamps or sizes of the files when trying to
   determine whether or not you have a copy of the Trojan horse version.

Verify PGP signatures

   The Sendmail source distribution is cryptographically signed with the
   following PGP key:

     pub  1024R/678C0A03 2001-12-18 Sendmail Signing Key/2002 <sendmail@Sendmail.ORG>
     Key fingerprint = 7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45

   The Trojan horse copy did not include an updated PGP signature, so
   attempts to verify its integrity would have failed. The sendmail.org
   staff has verified that the Trojan horse copies did indeed fail PGP
   signature checks.

Verify MD5 checksums

   In the absence of PGP, you can use the following MD5 checksums to
   verify the integrity of your Sendmail source code distribution.

   Correct versions:

     73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz
     cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z
     8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig

   As a matter of good security practice, the CERT/CC encourages users
   to verify, whenever possible, the integrity of downloaded software.
   For more information, see

          http://www.cert.org/incident_notes/IN-2001-06.html

Employ egress filtering

   Egress filtering manages the flow of traffic as it leaves a network
   under your administrative control.

   In the case of the Trojan horse Sendmail distribution, employing
   egress filtering can help prevent systems on your network from
   connecting to the remote intruder-controlled system. Blocking
   outbound TCP connections to port 6667 from your network reduces the
   risk of internal compromised machines communicating with the remote
   system.

Build software as an unprivileged user

   Sites are encouraged to build software from source code as an
   unprivileged, non-root user on the system. This can lessen the
   immediate impact of Trojan horse software. Compiling software that
   contains Trojan horses as the root user results in a compromise that
   is much more difficult to reliably recover from than if the Trojan
   horse is executed as a normal, unprivileged user on the system.

Recovering from a system compromise

   If you believe a system under your administrative control has been
   compromised, please follow the steps outlined in

          Steps for Recovering from a UNIX or NT System Compromise

Reporting

   The CERT/CC is interested in receiving reports of this activity. If
   machines under your administrative control are compromised, please
   send mail to cert@cert.org with the following text included in the
   subject line: "[CERT#33376]".

Appendix A. - Vendor Information

   This appendix contains information provided by vendors for this
   advisory. As vendors report new information to the CERT/CC, we will
   update this section and note the changes in our revision history. If
   a particular vendor is not listed below, we have not received their
   comments.
     _________________________________________________________________

   The CERT Coordination Center thanks the staff at the Sendmail
   Consortium for bringing this issue to our attention.
     _________________________________________________________________

   Feedback can be directed to the authors: Chad Dougherty, Marty
   Lindner.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2002-28.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.

   Revision History
October 08, 2002: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPaNCtmjtSoHZUTs5AQHXrgQA2CkSFrIQxV9dLy07J0ezZgT2RrfCDpXY
lPO0HhPe4kcbw4AMXs5LAjhA7DoW32PjAytRWOCNMu1FFDbl3eohf7OP2ZjtgYnD
kwpfjPKVejJDD1BX2O/+jb1rlUKOm2tIt7NK+w8HKOKUYZal/x3RI3AxnAAGLv8A
/DNWpyNYsGg=
=fL1h
-----END PGP SIGNATURE-----
(80391) /Dave Ahmad <da@securityfocus.com>/(Rewrapped)
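The "Verify PGP signatures" and "Verify MD5 checksums" steps of the advisory, as an added example that is not part of the advisory or of the Sendmail project's tooling. It parses a checksum list in the advisory's "digest filename" layout, streams each named file through MD5 and reports ok / mismatch / missing, which is the check the advisory says timestamps and sizes cannot replace. The function names (parse_checksum_list, verify_directory, demo) are my own; demo() builds a constructed download directory whose digests are those of the constructed contents, not of the real tarballs.

```python
import hashlib
import hmac
import os
import tempfile

# The MD5 sums the advisory lists for the correct 8.12.6 distribution files.
ADVISORY_CHECKSUMS = """\
73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz
cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z
8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig
"""

HEX = set("0123456789abcdef")


def parse_checksum_list(text):
    """Parse 'digest filename' lines (the advisory's layout) into {filename: digest}.
    Lines that are not exactly a 32-hex-digit MD5 followed by a name are ignored."""
    expected = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1]
        if len(digest) == 32 and set(digest) <= HEX:
            expected[name] = digest
    return expected


def md5_of_file(path, chunk_size=1 << 16):
    """Stream the file through MD5 so a large tarball never has to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_directory(directory, expected):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every file the list names.
    A file the list names but the directory lacks is reported rather than skipped,
    so an incomplete download is never mistaken for a clean one."""
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif hmac.compare_digest(md5_of_file(path), digest):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo():
    """Constructed demonstration: a download directory with one intact file, one
    altered file and one absent file. The digests below belong to the constructed
    contents (empty file, and the bytes b'abc'), not to any real Sendmail tarball."""
    constructed_list = (
        "d41d8cd98f00b204e9800998ecf8427e good.tar.gz\n"      # MD5 of empty content
        "900150983cd24fb0d6963f7d28e17f72 tampered.tar.gz\n"  # MD5 of b"abc"
        "73e18ea78b2386b774963c8472cbd309 absent.tar.gz\n"
    )
    expected = parse_checksum_list(constructed_list)
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "good.tar.gz"), "wb").close()
        with open(os.path.join(d, "tampered.tar.gz"), "wb") as f:
            f.write(b"abc\n")  # one extra byte is enough to change the digest
        return verify_directory(d, expected)


if __name__ == "__main__":
    # Run from the directory holding the downloaded distribution files.
    for name, status in verify_directory(".", parse_checksum_list(ADVISORY_CHECKSUMS)).items():
        print(f"{status:9} {name}")
```

Two caveats a practitioner should attach to this check. The sums only prove something if they were obtained through a channel the intruder did not control (here, the CERT advisory rather than the compromised FTP server), and MD5 is no longer collision-resistant, so the detached PGP signature (gpg --verify sendmail.8.12.6.tar.sig sendmail.8.12.6.tar.gz, against the key whose fingerprint the advisory prints) is the check to prefer whenever it is available; the advisory notes that the Trojan horse copies failed exactly that check.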
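The "Employ egress filtering" step of the advisory, as an added example that is not part of the advisory: it parses netstat-style connection lines, flags any connection from the local networks to a blocked destination port (6667, the port the advisory names) whether established or still half-open, and emits the corresponding log-then-reject iptables rules for a host (OUTPUT chain) or a gateway (FORWARD chain). The sample lines are constructed in the layout of `netstat -tn` on Linux, not captured from a real host, with 10.0.0.0/8 standing in for the local network and documentation addresses for the remote side; the function names are my own.

```python
import ipaddress
from collections import namedtuple

# Constructed sample in the layout of `netstat -tn`; not captured from a real host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:34567          192.0.2.10:6667         ESTABLISHED
tcp        0      0 10.0.0.5:51234          10.0.0.9:25             ESTABLISHED
tcp        0      0 10.0.0.7:40000          198.51.100.4:6667       SYN_SENT
tcp        0      0 10.0.0.5:22             10.0.0.1:55100          ESTABLISHED
tcp        0      0 10.0.0.7:41000          10.0.0.9:6667           ESTABLISHED
"""

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")


def _split_endpoint(endpoint):
    """'10.0.0.5:34567' -> (IPv4Address('10.0.0.5'), 34567)."""
    host, port = endpoint.rsplit(":", 1)
    return ipaddress.ip_address(host), int(port)


def parse_netstat(text):
    """Parse `netstat -tn`-style lines into Conn tuples, skipping the header line."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        local_ip, local_port = _split_endpoint(parts[3])
        remote_ip, remote_port = _split_endpoint(parts[4])
        conns.append(Conn(parts[0], local_ip, local_port, remote_ip, remote_port, parts[5]))
    return conns


def egress_violations(conns, blocked_ports=frozenset({6667}), internal=("10.0.0.0/8",)):
    """Connections leaving the internal networks toward a blocked destination port.
    SYN_SENT entries are reported alongside ESTABLISHED ones: an attempt the
    gateway rejects still identifies the machine that tried to reach the port."""
    nets = [ipaddress.ip_network(n) for n in internal]
    violations = []
    for c in conns:
        if c.remote_port not in blocked_ports:
            continue
        if any(c.remote_ip in net for net in nets):
            continue  # internal destination: egress policy does not apply
        violations.append(c)
    return violations


def iptables_egress_rules(blocked_ports=(6667,), chain="OUTPUT"):
    """Rule lines for a Linux host (OUTPUT) or gateway (FORWARD). Logging comes
    before the reject so the log line carries the source address of any machine
    that tries to reach the blocked port."""
    rules = []
    for port in blocked_ports:
        rules.append(f'iptables -A {chain} -p tcp --dport {port} '
                     f'-j LOG --log-prefix "EGRESS-{port} "')
        rules.append(f"iptables -A {chain} -p tcp --dport {port} "
                     f"-j REJECT --reject-with tcp-reset")
    return rules


if __name__ == "__main__":
    for c in egress_violations(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port} {c.state}")
    print("\n".join(iptables_egress_rules(chain="FORWARD")))
```

On the sample above the 10.0.0.9:6667 session is not reported because both ends are internal; the two external 6667 connections are, and the SYN_SENT one is exactly what the gateway log line from the emitted rules would show once the reject is in place.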
80495 2002-10-09  22:32  /42 lines/ netmask <netmask@enZotech.net>
Imported: 2002-10-09  22:32  by Brevbäraren
External recipient: Dave Ahmad <da@securityfocus.com>
Recipient: Bugtraq (import) <1867>
Subject: Re: CERT Advisory CA-2002-28 Trojan Horse Sendmail
------------------------------------------------------------

I contacted Eli Klein <elijah@firstlink.com> earlier today regarding
this.  It would appear he was unaware (Or says this) that his server
was used in this attack (He runs spatula.aclue.com, the server that
was used in the back door).

I was kind of amazed CERT or Sendmail or anyone for that matter
hadn't tried to contact him. It would be apparent that the interest
in actually figuring out who hacked Sendmail's ftp site is little to
none. Unless of course they were just assuming someone was trying to
frame Mr. Klein :P

Anyhow, I have made the backdoored sendmail code available at
http://www.enzotech.net/files/sm.backdoor.patch and the base64
portion is decoded at
http://www.enzotech.net/files/sm.backdoor.base64.txt

The service running on spatula.aclue.com on port 6667 has since been
shut down, but apparently not by the Administrator.

It would be nice if Sendmail could provide stats on how many people
were affected, and if the maintainer of that box can provide proper
forensics to determine what activity went on.


netmask of enZo
http://www.enZotech.net

> Dave Ahmad (da@securityfocus.com) composed today:

>
>
> David Mirza Ahmad
> Symantec
> KeyID: 0x26005712
> Fingerprint: 8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
>
(80495) /netmask <netmask@enZotech.net>/--(Rewrapped)