From owner-freebsd-security Tue Oct  8 17:20:53 2002
Date: Tue, 08 Oct 2002 17:53:55 -0600
From: Brett Glass <brett@lariat.org>
To: security@FreeBSD.ORG
Subject: I doubt that this affects FreeBSD, but FYI
Message-Id: <4.3.2.7.2.20021008174734.029e9e00@localhost>
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms.

I doubt that the following notice affects FreeBSD as distributed, since Greg
is very conscientious about maintaining the code. But if you've downloaded
and installed Sendmail 8.12.6, it's worth checking for the Trojan mentioned
below. Like the one that was found in OpenSSH, this Trojan kicks in when you
build the code rather than when you run it.
--Brett Glass

>Date: Tue, 8 Oct 2002 17:15:04 -0600 (MDT)
>From: Dave Ahmad <da@securityfocus.com>
>To: bugtraq@securityfocus.com
>Subject: CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution (fwd)
>
>David Mirza Ahmad
>Symantec
>KeyID: 0x26005712
>Fingerprint: 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12
>
>Date: Tue, 8 Oct 2002 17:26:49 -0400
>From: CERT Advisory
>To: cert-advisory@cert.org
>Organization: CERT(R) Coordination Center - +1 412-268-7090
>Subject: CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution
>
>   Original release date: October 08, 2002
>   Last revised: --
>   Source: CERT/CC
>
>   A complete revision history is at the end of this file.
>
>Overview
>
>   The CERT/CC has received confirmation that some copies of the source
>   code for the Sendmail package were modified by an intruder to contain
>   a Trojan horse.
>
>   Sites that employ, redistribute, or mirror the Sendmail package should
>   immediately verify the integrity of their distribution.
>
>I. Description
>
>   The CERT/CC has received confirmation that some copies of the source
>   code for the Sendmail package have been modified by an intruder to
>   contain a Trojan horse.
>
>   The following files were modified to include the malicious code:
>
>     sendmail.8.12.6.tar.Z
>     sendmail.8.12.6.tar.gz
>
>   These files began to appear in downloads from the FTP server
>   ftp.sendmail.org on or around September 28, 2002. The Sendmail
>   development team disabled the compromised FTP server on October 6,
>   2002 at approximately 22:15 PDT. It does not appear that copies
>   downloaded via HTTP contained the Trojan horse; however, the CERT/CC
>   encourages users who may have downloaded the source code via HTTP
>   during this time period to take the steps outlined in the Solution
>   section as a precautionary measure.
>
>   The Trojan horse versions of Sendmail contain malicious code that is
>   run during the process of building the software. This code forks a
>   process that connects to a fixed remote server on 6667/tcp. This
>   forked process allows the intruder to open a shell running in the
>   context of the user who built the Sendmail software. There is no
>   evidence that the process is persistent after a reboot of the
>   compromised system. However, a subsequent build of the Trojan horse
>   Sendmail package will re-establish the backdoor process.
>
>II. Impact
>
>   An intruder operating from the remote address specified in the
>   malicious code can gain unauthorized remote access to any host that
>   compiled a version of Sendmail from this Trojan horse version of the
>   source code.
>   The level of access would be that of the user who
>   compiled the source code.
>
>   It is important to understand that the compromise is to the system
>   that is used to build the Sendmail software and not to the systems
>   that run the Sendmail daemon. Because the compromised system creates a
>   tunnel to the intruder-controlled system, the intruder may have a path
>   through network access controls.
>
>III. Solution
>
>Obtain an authentic version of Sendmail
>
>   The primary distribution site for Sendmail is
>
>     http://www.sendmail.org/
>
>   Sites that mirror the Sendmail source code are encouraged to verify
>   the integrity of their sources.
>
>Verify software authenticity
>
>   We strongly encourage sites that recently downloaded a copy of the
>   Sendmail distribution to verify the authenticity of their
>   distribution, regardless of where it was obtained. Furthermore, we
>   encourage users to inspect any and all software that may have been
>   downloaded from the compromised site. Note that it is not sufficient
>   to rely on the timestamps or sizes of the file when trying to
>   determine whether or not you have a copy of the Trojan horse version.
>
>Verify PGP signatures
>
>   The Sendmail source distribution is cryptographically signed with the
>   following PGP key:
>
>     pub  1024R/678C0A03 2001-12-18 Sendmail Signing Key/2002
>          Key fingerprint = 7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45
>
>   The Trojan horse copy did not include an updated PGP signature, so
>   attempts to verify its integrity would have failed. The sendmail.org
>   staff has verified that the Trojan horse copies did indeed fail PGP
>   signature checks.
>
>Verify MD5 checksums
>
>   In the absence of PGP, you can use the following MD5 checksums to
>   verify the integrity of your Sendmail source code distribution:
>
>   Correct versions:
>
>     73e18ea78b2386b774963c8472cbd309  sendmail.8.12.6.tar.gz
>     cebe3fa43731b315908f44889d9d2137  sendmail.8.12.6.tar.Z
>     8b9c78122044f4e4744fc447eeafef34  sendmail.8.12.6.tar.sig
>
>   As a matter of good security practice, the CERT/CC encourages users to
>   verify, whenever possible, the integrity of downloaded software. For
>   more information, see
>
>     http://www.cert.org/incident_notes/IN-2001-06.html
>
>Employ egress filtering
>
>   Egress filtering manages the flow of traffic as it leaves a network
>   under your administrative control.
>
>   In the case of the Trojan horse Sendmail distribution, employing
>   egress filtering can help prevent systems on your network from
>   connecting to the remote intruder-controlled system. Blocking outbound
>   TCP connections to port 6667 from your network reduces the risk of
>   internal compromised machines communicating with the remote system.
>
>Build software as an unprivileged user
>
>   Sites are encouraged to build software from source code as an
>   unprivileged, non-root user on the system. This can lessen the
>   immediate impact of Trojan horse software. Compiling software that
>   contains Trojan horses as the root user results in a compromise that
>   is much more difficult to reliably recover from than if the Trojan
>   horse is executed as a normal, unprivileged user on the system.
>
>Recovering from a system compromise
>
>   If you believe a system under your administrative control has been
>   compromised, please follow the steps outlined in
>
>     Steps for Recovering from a UNIX or NT System Compromise
>
>Reporting
>
>   The CERT/CC is interested in receiving reports of this activity. If
>   machines under your administrative control are compromised, please
>   send mail to cert@cert.org with the following text included in the
>   subject line: "[CERT#33376]".
>
>Appendix A. - Vendor Information
>
>   This appendix contains information provided by vendors for this
>   advisory. As vendors report new information to the CERT/CC, we will
>   update this section and note the changes in our revision history. If a
>   particular vendor is not listed below, we have not received their
>   comments.
>   _________________________________________________________________
>
>   The CERT Coordination Center thanks the staff at the Sendmail
>   Consortium for bringing this issue to our attention.
>   _________________________________________________________________
>
>   Feedback can be directed to the authors: Chad Dougherty, Marty
>   Lindner.
>   ______________________________________________________________________
>
>   This document is available from:
>   http://www.cert.org/advisories/CA-2002-28.html
>   ______________________________________________________________________
>
>CERT/CC Contact Information
>
>   Email: cert@cert.org
>   Phone: +1 412-268-7090 (24-hour hotline)
>   Fax: +1 412-268-6989
>   Postal address:
>     CERT Coordination Center
>     Software Engineering Institute
>     Carnegie Mellon University
>     Pittsburgh PA 15213-3890
>     U.S.A.
>
>   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
>   EDT(GMT-4) Monday through Friday; they are on call for emergencies
>   during other hours, on U.S. holidays, and on weekends.
>
>Using encryption
>
>   We strongly urge you to encrypt sensitive information sent by email.
>   Our public PGP key is available from
>     http://www.cert.org/CERT_PGP.key
>
>   If you prefer to use DES, please call the CERT hotline for more
>   information.
>
>Getting security information
>
>   CERT publications and other security information are available from
>   our web site
>     http://www.cert.org/
>
>   To subscribe to the CERT mailing list for advisories and bulletins,
>   send email to majordomo@cert.org. Please include in the body of your
>   message
>
>     subscribe cert-advisory
>
>   * "CERT" and "CERT Coordination Center" are registered in the U.S.
>   Patent and Trademark Office.
>   ______________________________________________________________________
>
>   NO WARRANTY
>   Any material furnished by Carnegie Mellon University and the Software
>   Engineering Institute is furnished on an "as is" basis. Carnegie
>   Mellon University makes no warranties of any kind, either expressed or
>   implied as to any matter including, but not limited to, warranty of
>   fitness for a particular purpose or merchantability, exclusivity or
>   results obtained from use of the material. Carnegie Mellon University
>   does not make any warranty of any kind with respect to freedom from
>   patent, trademark, or copyright infringement.
>   _________________________________________________________________
>
>   Conditions for use, disclaimers, and sponsorship information
>
>   Copyright 2002 Carnegie Mellon University.
>
>   Revision History
>   October 08, 2002: Initial release
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGP 6.5.8
>
>iQCVAwUBPaNCtmjtSoHZUTs5AQHXrgQA2CkSFrIQxV9dLy07J0ezZgT2RrfCDpXY
>lPO0HhPe4kcbw4AMXs5LAjhA7DoW32PjAytRWOCNMu1FFDbl3eohf7OP2ZjtgYnD
>kwpfjPKVejJDD1BX2O/+jb1rlUKOm2tIt7NK+w8HKOKUYZal/x3RI3AxnAAGLv8A
>/DNWpyNYsGg=
>=fL1h
>-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
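The verification steps the advisory lists (compare the MD5 sums, check the PGP signature, and never trust file size or timestamp) as one script, added here as an example; it is not part of the advisory, the mailing list post, or the Sendmail distribution. The MD5 sums, the tarball names and the signing key ID are taken from the advisory text; the script name, the temp-file handling and the GnuPG invocation are assumptions, as is the premise that the .sig covers the uncompressed tar and that key 678C0A03 has already been imported and fingerprint-checked by hand.

```shell
#!/bin/sh
# Added example, not part of CA-2002-28 or of the Sendmail distribution:
# check a downloaded 8.12.6 tarball against the MD5 sums and the PGP
# signature published in the advisory before anything in it is built.
# The sums and the key ID are quoted from the advisory; the script name,
# temp paths and the gpg invocation are assumptions for illustration.

# Published sums, as listed under "Verify MD5 checksums" in the advisory.
KNOWN_MD5='73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz
cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z
8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig'

# Print the MD5 of a file. FreeBSD ships md5(1); GNU userlands ship md5sum(1).
md5_of() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# Print the published sum for a file name, or nothing if none is listed.
expected_md5() {
    printf '%s\n' "$KNOWN_MD5" | awk -v f="$1" '$2 == f { print $1 }'
}

# Compare a file against the published sum for its base name.
# Returns 0 on match, 1 on mismatch, 2 when no sum is published for it.
# Size and timestamp are deliberately ignored: the advisory warns that
# they do not distinguish the Trojan horse copies from the real ones.
check_md5() {
    want=$(expected_md5 "$(basename "$1")")
    [ -n "$want" ] || return 2
    got=$(md5_of "$1")
    [ "$got" = "$want" ]
}

# Verify the detached PGP signature with GnuPG. Assumes (not stated in the
# advisory) that the signature covers the uncompressed tar and that key
# 1024R/678C0A03 was imported earlier and its fingerprint compared with
# the one printed in the advisory: whoever replaced the tarball on the
# FTP server could just as easily have replaced an unverified key.
check_sig() {
    tmp=$(mktemp) || return 1
    case $1 in
        *.gz|*.Z) gzip -dc "$1" > "$tmp" ;;
        *)        cat "$1" > "$tmp" ;;
    esac
    gpg --verify "$2" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sh verify-sendmail.sh sendmail.8.12.6.tar.gz [sendmail.8.12.6.tar.sig]
if [ $# -ge 1 ]; then
    check_md5 "$1"
    case $? in
        0) echo "MD5 matches advisory: $1" ;;
        1) echo "MD5 MISMATCH: $1 -- do not build" >&2; exit 1 ;;
        *) echo "no published sum for $(basename "$1")" >&2; exit 2 ;;
    esac
    if [ $# -ge 2 ]; then
        check_sig "$1" "$2" || { echo "PGP signature check FAILED" >&2; exit 1; }
    fi
fi
```

Run it as the unprivileged build user, on the machine that will do the build, before `sh Build` is ever typed; a mismatch means the tarball goes in the bin, not into a diff against a "good" copy. The MD5 path exists only because the advisory offers it as a fallback: the signature check is the one that actually binds the tarball to the Sendmail signing key.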
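The advisory describes what the Trojan horse does at build time (a forked process, running as the build user, holding a TCP connection to a fixed remote host on port 6667) and recommends egress filtering of that port. Here is an added post-build check that looks for exactly that in sockstat(1) output; it is not part of the advisory or the Sendmail distribution. The sockstat lines are constructed sample data, 203.0.113.7 is a documentation address standing in for the unnamed intruder host, and the function names are this example's own. Because the advisory does not publish the remote address, the match is on the destination port only.

```shell
#!/bin/sh
# Added example, not part of CA-2002-28: after building Sendmail, look for
# the behaviour the advisory describes (a forked process with a TCP
# connection to port 6667 on a remote host) in sockstat(1) output.
# The advisory does not name the remote server, so this matches on the
# port alone and leaves the final call to the operator. The sample output
# below is constructed; 203.0.113.7 is a documentation address, not the
# real intruder host.

# Column layout of "sockstat -4c" on FreeBSD:
#   USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       312   4  tcp4   10.0.0.5:22           10.0.0.9:51022
build    sh         4711  3  tcp4   10.0.0.5:49153        203.0.113.7:6667
build    fetch      4720  3  tcp4   10.0.0.5:49154        10.0.0.8:80'

# Read sockstat lines on stdin; print every TCP socket whose foreign end
# is port 6667. Exit 0 if anything matched, 1 otherwise, so the function
# can drive an if/while in a post-build check.
find_port_6667_conns() {
    awk 'NR > 1 && $5 ~ /^tcp/ {
             n = split($7, a, ":")
             if (a[n] == "6667") { print; found = 1 }
         }
         END { exit found ? 0 : 1 }'
}

# Print only the PIDs of matching sockets, one per line, for ps -p / kill.
# Killing the process removes the current backdoor, but the advisory notes
# that building the Trojan horse tarball again re-establishes it, so the
# tarball itself has to be discarded as well.
pids_on_port_6667() {
    find_port_6667_conns | awk '{ print $3 }'
}

# Live use on the build host:
#   sockstat -4c | find_port_6667_conns
#   for p in $(sockstat -4c | pids_on_port_6667); do
#       ps -o user,ppid,command -p "$p"
#   done
# With --live the real sockstat output is read; otherwise the sample above.
if [ "$1" = "--live" ]; then
    sockstat -4c | find_port_6667_conns
else
    printf '%s\n' "$SAMPLE_SOCKSTAT" | find_port_6667_conns
fi
```

A hit is a lead, not a verdict: the parent of the flagged PID should trace back to the build (the sample shows an `sh` owned by the build user, which is the shape the advisory describes), and an IRC client on the same host would match just as well. The complement at the network edge is the advisory's egress rule; on a FreeBSD border host that is a single ipfw line of the form `ipfw add deny log tcp from any to any 6667 out`, which also makes a compromised build host announce itself in the firewall log instead of connecting out.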