Original release date: October 08, 2002<br>
Last revised: March 25, 2003<br>
Source: CERT/CC<br>

<p>A complete revision history is at the end of this file.</p>

<h2>Overview</h2>

<p>The CERT/CC has received confirmation that some copies of the
source code for the Sendmail package were modified by an intruder to
contain a Trojan horse.</p>

<p>Sites that employ, redistribute, or mirror the Sendmail package
should immediately verify the integrity of their distribution.</p>

<h2>I. Description</h2>

<p>The CERT/CC has received confirmation that some copies of the
source code for the Sendmail package have been modified by an intruder
to contain a Trojan horse.</p>

<p>The following files were modified to include the malicious
code:</p>

<blockquote><font face="courier">
	sendmail.8.12.6.tar.Z<br>
	sendmail.8.12.6.tar.gz<br>
</font></blockquote>

<p>These files began to appear in downloads from the FTP server
ftp.sendmail.org on or around September 28, 2002.  The Sendmail
development team disabled the compromised FTP server on October 6,
2002 at approximately 22:15 PDT.  It does not appear that copies
downloaded via HTTP contained the Trojan horse; however, the CERT/CC
encourages users who may have downloaded the source code via HTTP
during this time period to take the steps outlined in the <a
href="#solution">Solution</a> section as a precautionary measure.</p>

<p>The Trojan horse versions of Sendmail contain malicious code that
is run during the process of building the software. This code forks a
process that connects to a fixed remote server on 6667/tcp.  This
forked process allows the intruder to open a shell running in the
context of the user who built the Sendmail software.  There is no
evidence that the process is persistent after a reboot of the
compromised system.  However, a subsequent build of the Trojan horse
Sendmail package will re-establish the backdoor process.</p>

<h2>II. Impact</h2>

<p>An intruder operating from the remote address specified in the
malicious code can gain unauthorized remote access to any host that
compiled a version of Sendmail from this Trojan horse version of the
source code.  The level of access would be that of the user who
compiled the source code.</p>

<p>It is important to understand that the compromise is to the system
that is used to build the Sendmail software and <b>not</b> to the
systems that run the Sendmail daemon.  Because the compromised build
system initiates an outbound connection to the intruder-controlled
system, the intruder may have a path through network access controls
that would have blocked an inbound connection.</p>

<a name="solution"></a>
<h2>III. Solution</h2>

<h4>Obtain an authentic version of Sendmail</h4>

<p>The primary distribution site for Sendmail is </p>

<dl><dd>
<a href="http://www.sendmail.org/">http://www.sendmail.org/</a>
</dl>

<p>Sites that mirror the Sendmail source code are encouraged to verify
the integrity of their sources.</p>

<h4>Verify software authenticity</h4>

<p>We strongly encourage sites that recently downloaded a copy of the
Sendmail distribution to verify the authenticity of their
distribution, regardless of where it was obtained. Furthermore, we
encourage users to inspect any and all software that may have been
downloaded from the compromised site.  Note that the timestamps or
sizes of the files are not sufficient to determine whether or not you
have a copy of the Trojan horse version; compare the contents of the
files using the signatures or checksums below.</p>

<h5>Verify PGP signatures</h5>
<p>The Sendmail source distribution is cryptographically signed
with the following PGP key:</p>

<blockquote><font face="courier">
pub  1024R/678C0A03 2001-12-18 Sendmail Signing Key/2002 &lt;sendmail@Sendmail.ORG&gt;<br>
Key fingerprint = 7B 02 F4 AA FC C0 22 DA  47 3E 2A 9A 9B 35 22 45<br>
</font></blockquote>

<p>Before trusting any signature, compare the fingerprint of the key
you import against the fingerprint printed above; a key obtained from
the same server as the archive proves nothing on its own.</p>

<p>The Trojan horse copy did not include an updated PGP signature, so
attempts to verify its integrity would have failed.  The sendmail.org
staff has verified that the Trojan horse copies did indeed fail PGP
signature checks.</p>

<h5>Verify MD5 checksums</h5>

<p>In the absence of PGP, you can use the following MD5 checksums,
taken from this advisory rather than from the distribution site, to
verify the integrity of your Sendmail source code distribution:</p>

Correct versions:<br>
<blockquote><font face="courier">
73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz<br>
cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z<br>
8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig<br>
</font></blockquote>

<p>As a matter of good security practice, the CERT/CC encourages users
to verify, whenever possible, the integrity of downloaded software.
For more information, see</p>
<dl><dd>
<a href="http://www.cert.org/incident_notes/IN-2001-06.html">http://www.cert.org/incident_notes/IN-2001-06.html</a>
</dd></dl>
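<p>The following shell script is an added example; it is not part of this
advisory or of the Sendmail distribution.  It checks a downloaded archive
against the MD5 checksums and the signing-key fingerprint printed above.
It assumes <font face="courier">md5sum</font> (or <font face="courier">openssl</font>) and
<font face="courier">gpg</font> are on the path, and the commented
<font face="courier">gpg --verify</font> line assumes that the
<font face="courier">.sig</font> file covers the uncompressed tar file, which is
Sendmail's convention for release signatures but is not stated on this
page.  The function and variable names are the example's own.</p>

```shell
#!/bin/sh
# Added example (not from the CERT advisory or the Sendmail project):
# check a downloaded Sendmail 8.12.6 archive against the MD5 sums and the
# signing-key fingerprint published in CA-2002-28.

# Known-good sums copied from the advisory, one "hash  filename" per line.
KNOWN_MD5='73e18ea78b2386b774963c8472cbd309  sendmail.8.12.6.tar.gz
cebe3fa43731b315908f44889d9d2137  sendmail.8.12.6.tar.Z
8b9c78122044f4e4744fc447eeafef34  sendmail.8.12.6.tar.sig'

# Fingerprint of the 2002 Sendmail signing key, as printed in the advisory.
KNOWN_FPR='7B 02 F4 AA FC C0 22 DA  47 3E 2A 9A 9B 35 22 45'

# Print the MD5 of a file, using whichever tool is present.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Strip spaces and upper-case a fingerprint so two printings can be compared
# regardless of how gpg or pgp grouped the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Look up the published MD5 for a file name in KNOWN_MD5; empty if unlisted.
expected_md5() {
    printf '%s\n' "$KNOWN_MD5" | awk -v f="$1" '$2 == f {print $1}'
}

# Return 0 if the file's MD5 matches the published value, 1 otherwise.
# Only the content is compared: size and timestamp prove nothing here.
check_md5() {
    file=$1
    want=$(expected_md5 "$(basename "$file")")
    [ -n "$want" ] || { echo "no published checksum for $file" >&2; return 1; }
    got=$(md5_of "$file")
    if [ "$got" = "$want" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: got $got, expected $want" >&2
    return 1
}

# Return 0 if gpg's fingerprint for the imported key matches the advisory.
# Assumes the key (ID 678C0A03, from the advisory) is already in the keyring.
check_key_fingerprint() {
    keyid=${1:-678C0A03}
    fpr=$(gpg --with-colons --fingerprint "$keyid" 2>/dev/null \
          | awk -F: '$1 == "fpr" {print $10; exit}')
    [ "$(norm_fpr "$fpr")" = "$(norm_fpr "$KNOWN_FPR")" ]
}

# Check every archive named on the command line; does nothing without args.
for f in "$@"; do
    check_md5 "$f"
done

# Full sequence on a fresh download (assumption: the .sig covers the
# uncompressed tar, so the archive is decompressed before gpg --verify):
#   check_key_fingerprint && check_md5 sendmail.8.12.6.tar.gz && \
#   gunzip sendmail.8.12.6.tar.gz && \
#   gpg --verify sendmail.8.12.6.tar.sig sendmail.8.12.6.tar
```

<p>The checksum list and fingerprint are embedded in the script rather than
fetched, because values retrieved from a compromised mirror would simply
match the Trojan horse copy.</p>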

<h4>Employ egress filtering</h4>

<p>Egress filtering manages the flow of traffic as it leaves a network
under your administrative control.</p>

<p>In the case of the Trojan horse Sendmail distribution, employing
egress filtering can help prevent systems on your network from
connecting to the remote intruder-controlled system.  Blocking
outbound TCP connections to port 6667 from your network reduces the
risk of internal compromised machines communicating with the remote
system.</p>
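<p>The following shell script is an added example, not taken from the
advisory.  It scans <font face="courier">netstat -an</font> output for
established TCP connections to port 6667 on a build host and prints the
corresponding egress rules in iptables syntax.  Only the port comes from the
advisory; the remote server's address is not published here, so the check
keys on the port alone and will also flag legitimate IRC sessions, which
should be reviewed rather than ignored.  The netstat sample is constructed
for illustration, and the function names are the example's own.</p>

```shell
#!/bin/sh
# Added example (not from the CERT advisory or the Sendmail project): look for
# the backdoor's outbound connection on a build host and emit an egress rule.
# Only the destination port (6667/tcp) is taken from the advisory; the remote
# address is not published there, so the check keys on the port alone.

BACKDOOR_PORT=6667

# Constructed sample of "netstat -an" output in the Linux layout
# (illustrative only, not captured from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51022      ESTABLISHED
tcp        0      0 192.0.2.10:41356        203.0.113.5:6667        ESTABLISHED
tcp        0      0 192.0.2.10:41360        203.0.113.9:443         ESTABLISHED'

# Print "local foreign" for every TCP socket whose foreign port is
# BACKDOOR_PORT; reads netstat lines on stdin. Handles both the Linux
# "host:port" and the BSD "host.port" separators by taking the last field.
find_backdoor_connections() {
    awk -v port="$BACKDOOR_PORT" '
        $1 ~ /^tcp/ {
            foreign = $5
            n = split(foreign, parts, "[:.]")
            if (n > 1 && parts[n] == port) print $4, foreign
        }'
}

# Print the number of such connections, so a build or alert can be gated on it.
backdoor_connection_count() {
    find_backdoor_connections | wc -l | tr -d ' '
}

# Emit egress rules in iptables syntax: FORWARD for a gateway in front of the
# build network, OUTPUT for the build host itself. LOG first so that any hit
# is recorded before the connection is refused.
egress_rules() {
    cat <<EOF
iptables -A FORWARD -p tcp --dport $BACKDOOR_PORT -j LOG --log-prefix "egress-6667: "
iptables -A FORWARD -p tcp --dport $BACKDOOR_PORT -j REJECT --reject-with tcp-reset
iptables -A OUTPUT  -p tcp --dport $BACKDOOR_PORT -j LOG --log-prefix "egress-6667: "
iptables -A OUTPUT  -p tcp --dport $BACKDOOR_PORT -j REJECT --reject-with tcp-reset
EOF
}

# Print the rules by default; apply them only when APPLY=1 is set, so the
# example is safe to run on any host.
apply_egress_rules() {
    if [ "${APPLY:-0}" = "1" ]; then
        egress_rules | sh
    else
        egress_rules
    fi
}

# Stand-alone demonstration on the constructed sample. On a real build host,
# replace the sample with: netstat -an | find_backdoor_connections
printf '%s\n' "$SAMPLE_NETSTAT" | find_backdoor_connections
```

<p>A hit on the build host after running <font face="courier">sh Build</font>
is a strong indicator that the compiled source was the Trojan horse copy;
treat the host as compromised and follow the recovery steps below, since
killing the forked process alone does not remove the modified source
tree.</p>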

<h4>Build software as an unprivileged user</h4>

<p>Sites are encouraged to build software from source code as an
unprivileged, non-root user on the system.  This can lessen the
immediate impact of Trojan horse software.  Compiling software that
contains Trojan horses as the root user results in a compromise that
is much more difficult to reliably recover from than if the Trojan
horse is executed as a normal, unprivileged user on the system.</p>

<h3>Recovering from a system compromise</h3>

<p>If you believe a system under your administrative control has been compromised, please follow the steps outlined in</p>

<dl><dd><a href="http://www.cert.org/tech_tips/win-UNIX-system_compromise.html">Steps for Recovering from a UNIX or NT System Compromise</a></dd></dl>

<h2>Reporting</h2>

<p>The CERT/CC is interested in receiving reports of this activity. If
machines under your administrative control are compromised, please
send mail to <a href="mailto:cert@cert.org?subject=[CERT%2333376]">cert@cert.org</a> with the following text included in the
subject line: "<a href="mailto:cert@cert.org?subject=[CERT%2333376]">[CERT#33376]</a>".</p>


<a name="vendors"></a>
<h2>Appendix A. - Vendor Information</h2>

   <p>

     This appendix contains information provided by vendors for this
     advisory.  As vendors report new information to the CERT/CC, we
     will update this section and note the changes in our revision
     history.  If a particular vendor is not listed below, we have not
     received their comments.

   </p>
<a name="apple"></a>
<h4><a href="http://www.apple.com/">Apple Computer, Inc.</a></h4>
<blockquote>
<p>
Mac OS X and Mac OS X Server do not contain the vulnerability
described in this report.
</p>
</blockquote>

<a name="debian"></a>
<h4><a href="http://www.debian.org/">Debian</a></h4>
<blockquote>
<p>
We can confirm that Debian does *not* ship the version with the trojan
horse.  Our version predates it.
</p>
</blockquote>
<!-- end vendor -->

<a name="redhat"></a>
<h4><a href="http://www.redhat.com/">Red Hat Inc.</a></h4>
<blockquote>
<p>
"Red Hat Linux has not distributed version 8.12.6 of sendmail and is
therefore not affected by this vulnerability"
</p>
</blockquote>
<!-- end vendor -->

<a name="xerox"></a>
<h4><a href="http://www.xerox.com/">Xerox</a></h4>

<blockquote>
<p>A response to this advisory is available from our web site:</p>
<blockquote>
<a href="http://www.xerox.com/security">http://www.xerox.com/security</a>.
</blockquote>
</blockquote>
<!-- end vendor -->

<hr noshade>

<p>
The CERT Coordination Center thanks the staff at the <a href="http://www.sendmail.org">Sendmail Consortium</a> for bringing this issue to our attention.
</p>


<hr noshade>
<p>
Feedback can be directed to the authors: <a
href="mailto:cert@cert.org?subject=CA-2002-28%20Feedback%20CERT%2333376">Chad Dougherty, Marty Lindner</a>.
</p>



<p>Copyright 2002 Carnegie Mellon University.</p>

<p>Revision History</p>
<pre>
October 08, 2002: Initial release
October 09, 2002: Fix simple error in sendmail.org URL
October 09, 2002: Added Red Hat vendor statement
October 09, 2002: Added Debian vendor statement
October 14, 2002: Added Apple vendor statement
March 25, 2003:   Added vendor statement from Xerox
</pre>