Found this:
OPEN SORES: SENDMAIL SOURCE CODE GETS INFECTED
CERT reported on October 8 that the official source code distributions
for the ubiquitous Sendmail mail server had been contaminated by an
intruder. The interloper planted a Trojan horse in the Sendmail source
code so that users compiling the code would compromise their systems.
The following two source files were infected:
sendmail.8.12.6.tar.Z
sendmail.8.12.6.tar.gz
The Trojan code runs only during the "make" process, so the resulting
Sendmail code is not contaminated. However, the Trojan code connects
to a fixed remote server on TCP port 6667, opening a command shell
giving the Trojan's author backdoor access to the user profile
compiling the Sendmail code. If the code is compiled under the
authority of the Unix root user (an ill-advised but nevertheless
frequent practice), then the backdoor has root-level control of the
infected machine.
The files resided on the Sendmail source repository server,
ftp.sendmail.org, and were infected on or about September 28, 2002.
Sendmail's developers noticed the problem and shut down the affected
server on October 6, so there was a nine-day window of distribution
from Sendmail's authoritative master copies.
Unfortunately, in that nine days, hundreds, if not thousands, of
people downloaded the same contaminated files from mirror sites that
obtained their copies from Sendmail's official servers.
Sendmail's developers included a PGP signature on the source file, and
the interloper failed to (and likely could not) update this signature.
Any Sendmail user verifying this signature would have detected the
fraudulent source code. Amazingly, nobody did verify the signature
during the nine days.
CERT has some good recommendations that can help head off these open-
source security exposures. First, always verify source code signatures
when they are present before compiling any source code obtained from
an outside source. Second, employ egress filtering on your network to
block unknown outbound protocols. Third, always compile software as an
unprivileged user, rather than as the root user. It is also a good idea
to avoid software that must execute under the privileged user profile.
For complete details on this incident, as well as a handy tutorial on
verifying digital signatures, refer to the CERT advisory:
http://www.cert.org/advisories/CA-2002-28.html
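A build wrapper that mechanises the advisory's recommendations, added here as an example; it is not code from the forwarded article, CERT or the Sendmail project. It assumes gpg is installed and that the Sendmail signing key was imported earlier from a source other than the FTP server itself.

```sh
#!/bin/sh
# Added example, not from the advisory or the Sendmail project.
# Gate the build on: (1) the detached PGP signature verifying against a
# key already in the local keyring, (2) running as an unprivileged user.
# Egress filtering on the build host is still needed; a wrapper cannot
# stop a Trojaned build step from trying to reach a remote port like 6667.

# 0 if the numeric uid in $1 is not root.
is_unprivileged_uid() {
    [ "$1" -ne 0 ]
}

# 0 only if detached signature $2 verifies for tarball $1.
# gpg's exit status is the authority; its text output is never parsed.
verify_tarball() {
    tarball=$1
    sig=$2
    [ -f "$tarball" ] && [ -f "$sig" ] || return 1
    gpg --batch --verify "$sig" "$tarball" >/dev/null 2>&1
}

# Extract and build only after both checks pass, inside a scratch
# directory so the build runs with this user's rights alone.
safe_build() {
    tarball=$1
    sig=${2:-$1.sig}          # assumed naming: <tarball>.sig
    if ! is_unprivileged_uid "$(id -u)"; then
        echo "refusing to build as root" >&2
        return 2
    fi
    if ! verify_tarball "$tarball" "$sig"; then
        echo "signature check FAILED for $tarball; not building" >&2
        return 3
    fi
    workdir=$(mktemp -d) || return 4
    # gzip -dc decompresses both the .gz and the .Z distribution files.
    gzip -dc "$tarball" | tar -xf - -C "$workdir" || return 4
    # Sendmail 8.12 builds via its top-level Build script, which drives
    # make; this is the step that must never run on unverified source.
    (cd "$workdir"/sendmail-* && sh Build)
}

if [ "$#" -gt 0 ]; then
    safe_build "$@"
fi
```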
--
The Mailing List for the Devon & Cornwall LUG