Hackers send Sendmail a message [Open Source Software Hacked]</

CNET News.com ^ | October 9, 2002, 4:21 PM PT | Robert Lemos

[Bush2000]

Hackers send Sendmail a message

Online vandals hacked into the primary download server for Sendmail.org and replaced key software with a Trojan horse, a Sendmail development team member said Wednesday. The apparent attack on Sendmail didn't leave a back door in the popular open-source e-mail software package, as previously believed, but compromised the download software on the Sendmail consortium's primary server so that every tenth request for source code would receive a modified copy in reply.

"The exploited code that we see is not in our (development) tree at all," said Eric Allman, chief technology officer of Sendmail Inc., which sells a version of the open-source e-mail server program, and a member of the Sendmail Consortium, the development group for the software. "It seemed to be going to the (Sendmail) host, but it was delivering a corrupted file that wasn't on our server anywhere."

The problem apparently only affects source code for version 8.12.6 of Sendmail downloaded between Sept. 28 and Oct. 6, according to an advisory posted by the Computer Emergency Response Team (CERT) Coordination Center on Tuesday.

While the Sendmail development group is only just starting its forensic analysis of the computer that hosted the files, Allman said that its current theory is that the FTP (file transfer protocol) server had been hacked. If a user tried to download the latest Sendmail source code from the ftp.sendmail.org server, a compromised copy of the code would be sent instead about 10 percent of the time.

"It was a little bizarre that way," said Allman.

If the evidence confirms the theory, the hack would definitely be a strange way to compromise a downloadable file, said Marc Maiffret, chief hacking officer for security software firm eEye Digital Security.

"I'm not sure why they would want to do that," he said.

A Trojan horse--like the instrument that led to the downfall of the city of Troy--is a program that appears to be a legitimate piece of software but in fact has unwanted functions that allow a company or hacker to access the victim's computer.

The FTP server compromised by this attack apparently provided people who requested downloads not with the Sendmail source file, but with a Trojan-horse copy. This copy included a non-Sendmail test component that, when compiled, started a program that opens a covert channel to another server on the Internet. That server has since been configured to block the covert connection, according to messages posted to the Bugtraq security list.

Taking into account the 1-in-10 ratio, about 200 people may have downloaded the corrupted software over that eight-day period, said Sendmail's Allman. The development group is trying to contact everyone who downloaded the source code.

Both Sendmail and the CERT Coordination Center stressed that any software that is downloaded from the Internet should be verified using common cryptographic tools and the file's signature.

"Anyone that downloaded the code and followed good software practices would have found that this software was bogus," said Marty Linder, team leader for incident handling for CERT Coordination Center.

Linder stressed that, while the open development projects that give open-source its name may seem to invite problems like those of Sendmail, companies working on proprietary software have also run into problems.

In October 2000, Microsoft's source code may have been compromised by a hacker that penetrated the company's network allegedly with the help of a malicious program known as the Qaz Trojan.

"The same thing can happen if an intruder compromises the source tree of a private company," Linder said. "It's just another method for injecting badness into software."

[Bush2000]

My comments *aren't* aimed at every Linux or Mac user. Just the strident ones who throw stones at other platforms when their own glass house needs tending...

[snooker]

Yep, we pretty much agree. There are some that can review the source code. What for? I can review the code and look for obvious signs of problems, but who has the time. Best to pay a reputable company to do it for you.

But the advantage of having custom mods made in open source code is very real. And the ability to fix bugs which others may call 'features' is very real. This can result in significant competitive advantage to the user of the mods.

The adherance to open standards is also a very real advantage. Your data is hostage to no one.

But by and large the real advantage to open source is you get a choice. The closed source one size only, gives you no choice. Might work for games, but is wanting for real work.

snooker

[for-q-clinton]

As I said earlier I think we pretty much agree on those points.

But there are also good points to COTS (commercial off the shelf) software. For example, deployments. Try to deploy linux and manage it for 100,000 desktops. It's much easier to manage with Windows XP and 3rd party management tools. Plus regardless of what others say it's much easier to use then linux and is just as reliable if not more(assuming you have good IT practices).

Also cost. Yes, cost. Depending on size of roll out and complexity of the application, COTS is often cheaper to buy, maintain, and manage than open source software. Yes, there are times when open source is the more cost effective solution, but often times it's not. Especially in the support arena. If you need someone to manage your windows apps it's probably cheaper than trying to find someone to manage your customized open source app.

There are pros and cons to both. I think MS knows this and they strive to fill the weaknesses in their model. For example, as I mentioned earlier I believe they allow enterprise customers access to their source code.

[rdb3]

For example, deployments. Try to deploy linux and manage it for 100,000 desktops.

100,000 Linux desktops? Stipulate that the desktops would be Red Hat. Give me a team of 25 RHCE sysadmins and I'd have no problem managing an enterprise like that. None at all.

[HAL9000]

What happens if a black hat hacker reads the source code and finds a buffer overrun opportunity and then discovers he can get admin permissions with that buffer overrun?

Obviously, it's bad news for the anyone running that software. If the attacker can get administrative priviliges, they can do anything.

Do the white hats automagically find out at the same instance and have a patch that automagically deploys to all machines that require it?

It's highly unlikely they would discover the same problem at the same instant. But if someone is the victim of an attack, access to the source code can help (a) determine how the attack was achieved and (b) establish effective countermeasures.

So basically I'm asking how does the open source world manage the hotfix process and what do they do to ensure that the bad guys don't use the source code for bad things?

In my opinion, the best defenses are good design methodologies, good programming practices, good testing and peer review.

Input/Output functions, memory moves and other potentially dangerous operations should use good defensive practices like bounds checking. Some languages like Java are designed to encourage safer programming practices. (Microsoft is notorious for their unsafe design and programming practices.)

Data suites should be developed for testing each version of the software and the results should be compared with previous versions. The test data should include invalid data, attempts to overflow buffers, etc.

Most of the key open source network applications (FTP, Apache, rlogin, etc.) do benefit from peer review. Thousands of security issues have been discovered and fixed before the black hats were able to exploit them.

Trustworthy sources of distribution and checksums of distributions are beneficial. That was helpful in catching the sabotaged Sendmail distribution before it became widespread.

[stainlessbanner]

Right on, rdb3. I would rather manage large environments with unix/linux that microsoft. The command line is much more powerful than point and click, if you have the knowledge.

[stainlessbanner]

Just curious, which Microsoft tool are you using to deploy/manage 100k desktops?

I find open source inherently easier to support b/c of the large user community and willingness to share solutions. With COTS, I am often limited to the vendor's tech team, and at their mercy to solve issues.

[isthisnickcool]

You may write checks to techies, but you surely don't understand their lingo.

You are right. I don't "understand their lingo" in the way you describe. I don't have anyone that juvenile working for me.

[Liberal Classic]

No, Bush2000, I know that in business competition is often spoken of in warlike terms, but come on. That's pretty rude, don't you think?

[Bush2000]

No, Bush2000, I know that in business competition is often spoken of in warlike terms, but come on. That's pretty rude, don't you think?

Maybe to the effete among us who have trouble differentiating between metaphor and reality.

[Bush2000]

You are right. I don't "understand their lingo" in the way you describe. I don't have anyone that juvenile working for me.

Of course not. Who would want to work for a humorless guy like you? Have you resorted to banning laughter yet?

[isthisnickcool]

Of course not. Who would want to work for a humorless guy like you? Have you resorted to banning laughter yet?

Humorless is starting threads like this just to cause fights between folks. Or using a forum like this to wage your silly little "holy war". A "war" between Microsoft and "them". A war that's mostly in your head. Because no matter how many times you post your love of Microsoft or your dislike for what is not Microsoft it won't matter.

As much as you wish, nothing you do will change the way the market runs. Nothing. You have no control. Zero.

Humorless? Me? Nah!

Bush2000 is The Microsoft Guy Raging his "holy war" for Bill Gates.