Posted on 10/09/2002 5:54:22 PM PDT by Bush2000
Hackers send Sendmail a message
Online vandals hacked into the primary download server for Sendmail.org and replaced key software with a Trojan horse, a Sendmail development team member said Wednesday. The apparent attack on Sendmail didn't leave a back door in the popular open-source e-mail software package, as previously believed, but compromised the download software on the Sendmail consortium's primary server so that every tenth request for source code would receive a modified copy in reply.
"The exploited code that we see is not in our (development) tree at all," said Eric Allman, chief technology officer of Sendmail Inc., which sells a version of the open-source e-mail server program, and a member of the Sendmail Consortium, the development group for the software. "It seemed to be going to the (Sendmail) host, but it was delivering a corrupted file that wasn't on our server anywhere."
The problem apparently only affects source code for version 8.12.6 of Sendmail downloaded between Sept. 28 and Oct. 6, according to an advisory posted by the Computer Emergency Response Team (CERT) Coordination Center on Tuesday.
While the Sendmail development group is only just starting its forensic analysis of the computer that hosted the files, Allman said that its current theory is that the FTP (file transfer protocol) server had been hacked. If a user tried to download the latest Sendmail source code from the ftp.sendmail.org server, a compromised copy of the code would be sent instead about 10 percent of the time.
"It was a little bizarre that way," said Allman.
If the evidence confirms the theory, the hack would definitely be a strange way to compromise a downloadable file, said Marc Maiffret, chief hacking officer for security software firm eEye Digital Security.
"I'm not sure why they would want to do that," he said.
A Trojan horse--like the instrument that led to the downfall of the city of Troy--is a program that appears to be a legitimate piece of software but in fact has unwanted functions that allow a company or hacker to access the victim's computer.
The FTP server compromised by this attack apparently provided people who requested downloads not with the Sendmail source file, but with a Trojan-horse copy. This copy included a non-Sendmail test component that, when compiled, started a program that opens a covert channel to another server on the Internet. That server has since been configured to block the covert connection, according to messages posted to the Bugtraq security list.
Taking into account the 1-in-10 ratio, about 200 people may have downloaded the corrupted software over that eight-day period, said Sendmail's Allman. The development group is trying to contact everyone who downloaded the source code.
Both Sendmail and the CERT Coordination Center stressed that any software that is downloaded from the Internet should be verified using common cryptographic tools and the file's signature.
"Anyone that downloaded the code and followed good software practices would have found that this software was bogus," said Marty Linder, team leader for incident handling for CERT Coordination Center.
Linder stressed that, while the open development projects that give open-source its name may seem to invite problems like those of Sendmail, companies working on proprietary software have also run into problems.
In October 2000, Microsoft's source code may have been compromised by a hacker that penetrated the company's network allegedly with the help of a malicious program known as the Qaz Trojan.
"The same thing can happen if an intruder compromises the source tree of a private company," Linder said. "It's just another method for injecting badness into software."
Hey, aren't my detective skills even better than the last guys?
If they hacked it via some bug, then I guess it's a bug.
At least with open source, I don't have to trust the author. I can verify the integrity of the source myself. But anywho, I use Postfix instead of Sendmail because it has a higher level of SMTP security. A simple MD5 checksumming of the source would have shown the user that the source was corrupt. Nice thing about open source, the authors want you to help check the integrity. Mutual responsibility.
As for the hack, this was a vanity job. A sort of in your face, look at how "elite" I am.
I'll admit I'm just guessing here.
I take it you don't use much open source code then, and surely not linux and especially apache. If you do use those, how long did it take you to review the entire code? Also which bugs did you find? Since I don't have the time, can I assume it's safe since you've reviewed the code (if you did)?
Doesn't this article say sendmail.org was the very site that was hacked. In that case MD5 is a false sense of security--doh!
The only point I'm making is MD5 is good to let you confirm you got a bad copy, but it doesn't guarantee a good copy.
Simple solution. Trust but verify. New 8.0 distro from Red Hat has disk checking software on the disk. Runs a test on the disks to verify they are originals copies, not trojans.
So a developer of the source can plant bugs/backdoors. Fancy that. News flash ... Bank tellers can steal from bank vaults. Who would have thought of that.
Unfortunately, what you get from the micro-crapware company can't be verified, or fixed. SP1 for XP unfixes some already installed fixes and leaves other security holes intact. You need to try and find out what got un-installed and find out what to do about it. The update does this without telling. Wonder why? didn't know? couldn't fix them all?
Penguin bites are fatal.
snooker
Thank you.
As far as this being "very informative" or "good"? How? 200 people may have downloaded it? Wow. Make it 2000. Stop the presses?
Bush2000 is screaming AGAIN about something that is not Microsoft. And what's the point? It has nothing to do with the purpose of this site. But let's pretend it did. He does not give much info. on the exploit itself. Or, points out how puny the event was. No, he makes a big red header as if this is something significant. It's not. And while you may refer to this as "a change of pace" it's not for him. This is about all he does here.
It's like he has Turrets Syndrome.
I've only recently begun to notice that he posts the same basic thing over and over. I asked him about this and he sent me email basically saying he like to start OS wars. He said he "trolls" here in that regard. All I've asked is why? And he has never really answered that.
It's not a question I would not ask of others. You, or posters like JohnHuang2, kattracks, MeeknMing, sarcasm, HAL9000, etc. who post on topics this site was built for.
I like this site and most of the people that come here. I think this site is special and Jim Robinson someone very unique. I read the things posted here. I'm just tired of seeing the same stuff from Bush2000. He has made it very clear to me the only reason he posts this kind of thing is for the conflicts it starts. Why?
That's the best part. With mailling lists and user groups, you have many eyes, some better some not, looking at the source code. The checksums are a must when receiving code. Also I tend to use not the "latest and greatest" unless there is a compelling security reason to do so. I let others be crash test dummies. With a production environment, if it ain't broke, don't fix it!
But it wasn't discovered by more skilled eyes than yours, apparently.
Yet it was. That is the point. It was discovered quickly and the information about the hack was immediately released. Something you won't get from a closed source product. Sendmail isn't worried about a black eye in front of investors.
I suppose the application of sufficient computing power could crack the author's key. If you had that much power, however, you would be better off completely subverting the international funds transfer network, or bank atms, or vpns, etc.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.