A complete revision history is at the end of this file.
The CERT/CC has received confirmation that some copies of the source code for the Sendmail package were modified by an intruder to contain a Trojan horse.
Sites that employ, redistribute, or mirror the Sendmail package should immediately verify the integrity of their distribution.
The CERT/CC has received confirmation that some copies of the source code for the Sendmail package have been modified by an intruder to contain a Trojan horse.
The following files were modified to include the malicious code:
sendmail.8.12.6.tar.Z
sendmail.8.12.6.tar.gz
These files began to appear in downloads from the FTP server ftp.sendmail.org on or around September 28, 2002. The Sendmail development team disabled the compromised FTP server on October 6, 2002 at approximately 22:15 PDT. It does not appear that copies downloaded via HTTP contained the Trojan horse; however, the CERT/CC encourages users who may have downloaded the source code via HTTP during this time period to take the steps outlined in the Solution section as a precautionary measure.
The Trojan horse versions of Sendmail contain malicious code that is run during the process of building the software. This code forks a process that connects to a fixed remote server on 6667/tcp. This forked process allows the intruder to open a shell running in the context of the user who built the Sendmail software. There is no evidence that the process is persistent after a reboot of the compromised system. However, a subsequent build of the Trojan horse Sendmail package will re-establish the backdoor process.
An intruder operating from the remote address specified in the malicious code can gain unauthorized remote access to any host that compiled a version of Sendmail from this Trojan horse version of the source code. The level of access would be that of the user who compiled the source code.
It is important to understand that the compromise is to the system that is used to build the Sendmail software and not to the systems that run the Sendmail daemon. Because the compromised system creates a tunnel to the intruder-controlled system, the intruder may have a path through network access controls.
The primary distribution site for Sendmail is
Sites that mirror the Sendmail source code are encouraged to verify the integrity of their sources.
We strongly encourage sites that recently downloaded a copy of the Sendmail distribution to verify the authenticity of their distribution, regardless of where it was obtained. Furthermore, we encourage users to inspect any and all software that may have been downloaded from the compromised site. Note that it is not sufficient to rely on the timestamps or sizes of the file when trying to determine whether or not you have a copy of the Trojan horse version.
The Sendmail source distribution is cryptographically signed with the following PGP key:
pub 1024R/678C0A03 2001-12-18 Sendmail Signing Key/2002 <sendmail@Sendmail.ORG>
Key fingerprint = 7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45
The Trojan horse copy did not include an updated PGP signature, so attempts to verify its integrity would have failed. The sendmail.org staff has verified that the Trojan horse copies did indeed fail PGP signature checks.
In the absence of PGP, you can use the following MD5 checksums to verify the integrity of your Sendmail source code distribution:
Correct versions:
73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz
cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z
8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig
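The checksum comparison described above, as an added example that is not part of the advisory or the Sendmail project: it hashes a downloaded file by content (not by size or timestamp, which the advisory says are not sufficient) and looks the result up in the advisory's list. The file written by write_constructed_sample is a constructed stand-in, not a real tarball, so it correctly reports a mismatch; prefer the PGP signature check where available, since MD5 is no longer collision-resistant.

```python
import hashlib
import os
import tempfile

# Known-good MD5 checksums for the 8.12.6 distribution, as published in this advisory.
KNOWN_GOOD_MD5 = {
    "sendmail.8.12.6.tar.gz": "73e18ea78b2386b774963c8472cbd309",
    "sendmail.8.12.6.tar.Z": "cebe3fa43731b315908f44889d9d2137",
    "sendmail.8.12.6.tar.sig": "8b9c78122044f4e4744fc447eeafef34",
}


def md5_of_file(path, chunk_size=1 << 16):
    """Hex MD5 of a file, read in chunks so large tarballs do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_distribution_file(path, known_good=KNOWN_GOOD_MD5):
    """Compare a downloaded file against the advisory's checksum list.

    Returns "ok", "mismatch" (treat as a possible Trojan horse copy) or
    "unknown" (file name not covered by the list). Lookup is by base name,
    since mirrors keep the original file names.
    """
    expected = known_good.get(os.path.basename(path))
    if expected is None:
        return "unknown"
    return "ok" if md5_of_file(path) == expected else "mismatch"


def write_constructed_sample(name, data=b""):
    """Write a constructed stand-in file (NOT a Sendmail tarball) into a fresh temp dir."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    sample = write_constructed_sample("sendmail.8.12.6.tar.gz")
    print(sample, md5_of_file(sample), verify_distribution_file(sample))
```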
As a matter of good security practice, the CERT/CC encourages users to verify, whenever possible, the integrity of downloaded software. For more information, see
Egress filtering manages the flow of traffic as it leaves a network under your administrative control.
In the case of the Trojan horse Sendmail distribution, employing egress filtering can help prevent systems on your network from connecting to the remote intruder-controlled system. Blocking outbound TCP connections to port 6667 from your network reduces the risk of internal compromised machines communicating with the remote system.
Sites are encouraged to build software from source code as an unprivileged, non-root user on the system. This can lessen the immediate impact of Trojan horse software. Compiling software that contains Trojan horses as the root user results in a compromise that is much more difficult to reliably recover from than if the Trojan horse is executed as a normal, unprivileged user on the system.
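A companion check for the egress-filtering advice above, added here and not part of the advisory: it scans firewall logs for outbound 6667/tcp flows, separating connections the filter let through (hosts whose recent Sendmail builds should be examined) from those it dropped. The log lines and their "ts fw ACTION proto src:port -> dst:port" layout are constructed assumptions; adapt LINE_RE to your firewall's format.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from the advisory); the layout is an assumption.
SAMPLE_LOG = """\
Oct 07 03:12:01 fw1 ACCEPT tcp 10.1.4.22:41022 -> 198.51.100.7:6667
Oct 07 03:12:05 fw1 ACCEPT tcp 10.1.4.22:41023 -> 198.51.100.7:6667
Oct 07 03:12:09 fw1 ACCEPT tcp 10.1.9.8:55010 -> 192.0.2.10:443
Oct 07 03:13:44 fw1 DROP tcp 10.1.4.31:33100 -> 203.0.113.9:6667
Oct 07 03:14:02 fw1 ACCEPT udp 10.1.9.8:5353 -> 192.0.2.53:6667
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<fw>\S+) (?P<action>ACCEPT|DROP) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def outbound_to_port(log_text, port=6667, proto="tcp"):
    """Group outbound <proto> flows to <port> by firewall action.

    Returns {"ACCEPT": {src: {dst, ...}}, "DROP": {src: {dst, ...}}}.
    ACCEPT entries reached the remote side and need follow-up on the source host;
    DROP entries show the egress filter doing its job.
    """
    result = {"ACCEPT": defaultdict(set), "DROP": defaultdict(set)}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        if m["proto"] != proto or int(m["dport"]) != port:
            continue
        result[m["action"]][m["src"]].add(m["dst"])
    return {action: dict(hosts) for action, hosts in result.items()}


if __name__ == "__main__":
    for action, hosts in outbound_to_port(SAMPLE_LOG).items():
        for src, dsts in sorted(hosts.items()):
            print(f"{action}: {src} -> {', '.join(sorted(dsts))}")
```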
If you believe a system under your administrative control has been compromised, please follow the steps outlined in
The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to cert@cert.org with the following text included in the subject line: "[CERT#33376]".
This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.
Mac OS X and Mac OS X Server do not contain the vulnerability described in this report.
We can confirm that Debian does *not* ship the version with the trojan horse. Our version predates it.
"Red Hat Linux has not distributed version 8.12.6 of sendmail and is therefore not affected by this vulnerability"
A response to this advisory is available from our web site:
http://www.xerox.com/security.
The CERT Coordination Center thanks the staff at the Sendmail Consortium for bringing this issue to our attention.
Feedback can be directed to the authors: Chad Dougherty, Marty Lindner.
Copyright 2002 Carnegie Mellon University.
Revision History
October 08, 2002: Initial release
October 09, 2002: Fix simple error in sendmail.org URL
October 09, 2002: Added Red Hat vendor statement
October 09, 2002: Added Debian vendor statement
October 14, 2002: Added Apple vendor statement
March 25, 2003: Added vendor statement from Xerox