Slashdot Mirror


CERT: Sendmail Distribution Contained Trojan Horse

Scoria writes "According to a CERT advisory published this afternoon, the public distribution of Sendmail 8.12.6 contained a trojan horse from September 28 to October 6. For more detailed information, please consult advisory CA-2002-28." This sounds very much like what happened to OpenSSH.

20 of 324 comments

  1. Over a week? by Anonymous Coward · · Score: 4, Interesting


    Many eyes = better security but only when many > 0

  2. We need a way to verify signatures by lamj · · Score: 5, Interesting

    PGP signing is a good way to prevent trojaned software like this case. But I think the process to verify the software is too complicated and not easy for all users to use. Let me ask you this, when is the last time you checked the hash or PGP signature after you download a software?

    For most people, never.... It would be great if we have automatic download tools to check signature as well (obviously, we need standard for storing the signature as well)

  3. How the heck? by gorjusborg · · Score: 1, Interesting

    How does this sort of thing happen? Don't the projects use some type of revision control so they can tell who checked things in? I hope no intruder is putting Trojan horses into my Verilog RTL at work! No patches for silicon.

    --
    If it's not one thing, it's Steve's Mother
  4. Re:Checksums by meatpopcicle · · Score: 2, Interesting

    That's always a good idea, but I have a deeper question. How do these patches make it into the CVS of these projects and who is doing it?

    I can think of some likely players, namely those who feel that Linux/Unix is a threat to them.

    Also can't forget about the black hats and chinese/russian/terrorist groups as well.

    --
    "You're on my side and the dark side, like Lando Calrissian?" --Gimpy, Undergrads
  5. Scary. by QuantumWeasel · · Score: 5, Interesting

    It's been a long time since I installed sendmail or inn or bind from sources. At some point I stopped checking MD5 signatures, and now I trust the major distros to do that for me. I sure hope they're more vigilant than me. And I used to be so paranoid... This is a nasty wake-up call.

  6. Re:check sums blah blah by quitcherbitchen · · Score: 2, Interesting

    It would be best to sign the MD5 with a PGP signature. The key they use may have also been compromised, but at least that adds another layer to security.

  7. Question by Door-opening+Fascist · · Score: 3, Interesting

    Is doing a

    # netstat -a | grep 6667

    all that is necessary to see if one has the open port, or is there more to it than that?
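
    The question above asks whether "netstat -a | grep 6667" is enough. As an added example (not from the thread, not from CERT's advisory), here is a small POSIX sh helper that parses netstat-style output instead of grepping the whole line: a bare grep for 6667 also matches a port such as 16667 or any other number containing that string, and it cannot tell a socket listening on 6667 from an outbound connection to 6667 on some other host. The SAMPLE text is constructed to look like Linux netstat output; it was not captured from a real machine. In real use you would pass "$(netstat -an)" as the first argument.

```shell
#!/bin/sh
# Added example, not from the thread: scan netstat-style output for sockets
# whose local OR remote endpoint is a given port. SAMPLE is constructed here,
# not captured from a real host; the 16667 line is a deliberate decoy that a
# naive "grep 6667" would match.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:34512          66.37.138.99:6667       ESTABLISHED
tcp        0      0 10.0.0.5:16667          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:6667            0.0.0.0:*'

# port_lines TEXT PORT [local|remote|any] -> prints the matching lines;
# exits 0 if at least one line matched, 1 if none did. The port is taken
# from the last ":"-separated field so IPv6 endpoints like ::1:6667 parse too.
port_lines() {
    printf '%s\n' "$1" | awk -v port="$2" -v side="${3:-any}" '
        $1 == "Proto" || $1 == "Active" { next }      # netstat header lines
        {
            n = split($4, l, ":"); m = split($5, r, ":")
            lp = l[n]; rp = r[m]
            hit = (side == "local"  && lp == port) ||
                  (side == "remote" && rp == port) ||
                  (side == "any"    && (lp == port || rp == port))
            if (hit) { print; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Stand-alone demo against the constructed sample:
echo "== anything on 6667 ==";      port_lines "$SAMPLE" 6667
echo "== listening on 6667 ==";     port_lines "$SAMPLE" 6667 local
echo "== connected out to 6667 =="; port_lines "$SAMPLE" 6667 remote
```

    Two caveats a practitioner would add: netstat is a snapshot, so a process that connects out only occasionally leaves nothing to see unless it happens to be connected when you look, and a backdoor that connects out (remote side 6667) never shows up as a LISTEN socket at all, which is why the "remote" mode is there.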

  8. Holy crap by Anonymous Coward · · Score: 2, Interesting
    I actually did a postfix install during that period.

    I considered doing sendmail, but then I remembered how fucking thick the ORA sendmail book is and how complex it is, so I decided, "screw it, let's try postfix, I have never tried it before." If I had gone with sendmail, there would be some serious egg on my face tomorrow morning. We might be running MS exchange within a week if that had happened.

    (Oh yeah, and postfix was pretty easy to set up.)

  9. No worries! by Greyfox · · Score: 4, Interesting
    Microsoft'll have a secure version out (For a small fee) ANY DAY NOW!

    Ahem. Sorry. Couldn't resist. AAH! Don't mark it troll yet! Keep reading!

    Ok, folks will say "Well here's a great example of a problem cryptography would prevent." Well as long as the guys inserting the trojans aren't contributing to your code base. Minor detail there. Keep in mind that a "trojan" can be as easy to code up as allowing a buffer overflow to take place (AND you have plausible deniability there.) Ok. So I'm paranoid.

    So lets talk about the crypto side of things again. Since I'm paranoid and all that. Do you trust the project maintainer's system security? Reckon he allows anyone to log into his system? Do you trust their security and the network they come over? For that matter, reckon the CVS archive the code's stored on could be compromised? Do you see what we're up against yet? Paranoia...

    Ok, lets say we've checked out his system and it's sterling. Key server/key management is a big pain in the ass right now. It'd be nice to have some infrastructure in place where I could go to a brick and mortar, establish my identity (Here's my passport, driver's license yadda yadda) and load MY PGP public key onto their server with their signature attached. Might even be worth a few bucks for me. That'd make that whole expiration thing pretty easy to deal with too.

    It also seems to me that the US Postal Service would be the ideal venue for this infrastructure. As much of a pain in the ass as they are to deal with, it'd make the whole key revocation/renewal thing much easier. And it'd be a whole lot more secure than me asking my friends to sign my key via E-mail.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  10. Does any one know by gorjusborg · · Score: 2, Interesting

    How long does it take for all the trojan infested code to propagate out of use?

    I wonder how many admins download/install packages, go on vacation (missing all the warnings), and simply never hear of the problem.

    I think it would be interesting to see some statistics on this topic.

    --
    If it's not one thing, it's Steve's Mother
  11. Re:check sums blah blah by mosch · · Score: 3, Interesting
    Well, the solution to that is a distributed checksum, such as is found in the FreeBSD ports system.

    Type cd /usr/ports/mail/sendmail && make install and it then downloads the source, and then checks what it downloaded against an md5 checksum that's kept on your machine before it applies patches and builds.

  12. Re:Checksums by Anonymous Coward · · Score: 4, Interesting

    That's why MD5SUM files are signed with the appropriate public key, so you can check the integrity of the file using gpg. Yes its a pain, but for security critical stuff its worth it.

    What we need is a new format, as universal for Unix as .tar.gz is, which is signed so the decryption can only take place with the appropriate key installed or provided. Redhat might for instance ship a distro that recognizes keys from itself, as well as sendmail, openssh, mozilla, etc. to make unpacking these signed archives automatic. If you grab a signed archive from me, you'd have to provide the decryption software with my public key to unpack it. You don't need to use it for everything, just security critical stuff. We have this in our browsers to protect end users, but we allow backdoors in through the...er...back door due to this oversight.

  13. Re:Checksums by delta407 · · Score: 5, Interesting
    apt-get also validates MD5 checksums before installing a package.
    Yeah, sure, you can validate md5sums on binaries. But, no one can quite be sure that the binary is built from the official, non-trojaned source, even if they give the official checksum for the distro.

    Gentoo neatly gets around this problem by using the source directly, and since a lot of projects list md5sums of the source archives (such as sendmail 8.12.6), Portage can make sure that it gets the correct tarball.

    Oh, and by the way:
    $ cat /usr/portage/net-mail/sendmail/files/digest-sendmail-8.12.6
    MD5 73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz 1867436
    So, Gentoo had the right one on file all along. And, of course, Portage won't unpack files with the wrong md5sum, meaning Gentoo users were completely immune to this.
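
    Both the ports comment above and this one rely on the same mechanism: a digest stored on the local machine, checked against the distfile before anything is unpacked or built. As an added example (not Portage's or the ports tree's own code), here is that check in POSIX sh, accepting digest lines in the format Gentoo shows above, "MD5 <hex> <file> <size>", and SHA1 lines in the same layout for those who prefer it. The tarball, digest and tampered copy are constructed test data generated by the script itself, not the real sendmail.8.12.6.tar.gz; the pkg-1.0 name and the paths under the temp directory are assumptions of the example. It uses coreutils md5sum/sha1sum and falls back to openssl dgst if they are missing.

```shell
#!/bin/sh
# Added example (not Portage's or the ports tree's own code): verify a
# downloaded distfile against a locally stored digest line,
#   MD5 <hex> <file> <size>   or   SHA1 <hex> <file> <size>
# and refuse to unpack it unless both the size and the hash match.

hash_file() {   # hash_file MD5|SHA1 FILE -> hex digest (coreutils, else openssl)
    case "$1" in
        MD5)  tool=md5sum;  dgst=md5 ;;
        SHA1) tool=sha1sum; dgst=sha1 ;;
        *)    echo "unknown digest type: $1" >&2; return 2 ;;
    esac
    if command -v "$tool" >/dev/null 2>&1; then "$tool" "$2" | awk '{ print $1 }'
    else openssl dgst -"$dgst" "$2" | awk '{ print $NF }'; fi
}
file_size() { wc -c < "$1" | tr -d ' '; }

# verify_digest DIGESTFILE DISTDIR -> 0 if every line matches; 1 if any file is
# missing or its size/hash differs; 2 on an unknown digest type. The cheap size
# check runs first, so a padded or truncated tarball never reaches the hash.
verify_digest() {
    status=0
    while read -r algo want name size; do
        [ -n "$algo" ] || continue
        f="$2/$name"
        if [ ! -f "$f" ]; then echo "MISSING $name" >&2; status=1; continue; fi
        if [ "$(file_size "$f")" != "$size" ]; then
            echo "SIZE MISMATCH $name: expected $size got $(file_size "$f")" >&2
            status=1; continue
        fi
        got=$(hash_file "$algo" "$f") || return 2
        if [ "$got" = "$want" ]; then echo "$algo OK $name"
        else echo "$algo MISMATCH $name: expected $want got $got" >&2; status=1; fi
    done < "$1"
    return $status
}

# unpack_if_verified DIGESTFILE DISTDIR TARBALL DEST: untar only after the
# digest check passes, so a wrong tarball never gets as far as its ./Build.
unpack_if_verified() {
    verify_digest "$1" "$2" || { echo "refusing to unpack $3" >&2; return 1; }
    mkdir -p "$4" && tar -xzf "$2/$3" -C "$4"
}

# --- constructed demo: a good distfile, its digest, and a tampered copy ---
DEMO=$(mktemp -d); GOOD="$DEMO/distfiles"; BAD="$DEMO/distfiles-tampered"
mkdir -p "$DEMO/src/pkg-1.0" "$GOOD" "$BAD"
echo 'echo hello' > "$DEMO/src/pkg-1.0/Build"
tar -czf "$GOOD/pkg-1.0.tar.gz" -C "$DEMO/src" pkg-1.0
DIGEST="$DEMO/digest-pkg-1.0"
for a in MD5 SHA1; do
    printf '%s %s pkg-1.0.tar.gz %s\n' "$a" "$(hash_file $a "$GOOD/pkg-1.0.tar.gz")" \
        "$(file_size "$GOOD/pkg-1.0.tar.gz")"
done > "$DIGEST"
printf 'echo hello\necho tampered\n' > "$DEMO/src/pkg-1.0/Build"   # same name, altered Build
tar -czf "$BAD/pkg-1.0.tar.gz" -C "$DEMO/src" pkg-1.0

# Usage: unpack_if_verified "$DIGEST" "$GOOD" pkg-1.0.tar.gz "$DEMO/work"
```

    The digest file plays the role of the Gentoo digest-sendmail-8.12.6 (or the ports distinfo) shown above: it is stored and updated through the distribution's own channel, so replacing the tarball on the download site is not enough to get a modified Build script run.
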
  14. qmail anyone? :) by portege00 · · Score: 2, Interesting

    I realize that qmail wouldn't solve the problem of modified tarballs that allow trojans to come alive during builds (that's what md5s are for), but if you're really worried about security you'd probably be using qmail anyway. If you can prove me, the author, and everyone else who has a qmail fetish wrong, there's a prize in it for you.


    After the number of open e-mail relays I've had to deal with, sendmail leaves a sour taste in my mouth. Using the blacklist that has no real regulation on it doesn't seem to help, either. Closing a relay makes users upset. Sendmail is a lose-lose situation, and now there's a trojan in it to top it off. Wee!

    --
    Trolls make great pets. Adopt one today!
  15. Re:I got the bastard's IP by mbogosian · · Score: 3, Interesting

    Yeah, this guy looks pretty mean. Incidentally, unless it's been recently changed, 66.37.138.99 points to spatula.aclue.com:

    Decisionism Inc. (ACLUE2-DOM)
    4260 E. Evans Ave.
    Denver, CO 80222
    US

    Domain Name: ACLUE.COM

    Administrative Contact, Technical Contact:
    Klein, Eli (NCMGTMOSXI) elijah@firstlink.com

    4260 E. Evans Ave.
    Denver, CO 80222
    US
    no phone no fax

    Record expires on 17-Dec-2003.
    Record created on 17-Dec-1998.
    Database last updated on 8-Oct-2002 23:09:51 EDT.

    Domain servers in listed order:

    NS3.FIRSTLINK.COM 66.37.141.4
    DENVER.FIRSTLINK.COM 66.37.143.67

    Any chance this isn't the guy responsible (i.e., Eli had his machine h4x0r3d)? Talk about an ironic choice of domain names.... At least he's running Apache.

  16. Stop Supporting MD5 Checksums!! by Anenga · · Score: 5, Interesting

    MD5 Checksums have a higher rate of collisions, both in the wild and artificially. A machine can be built for only around $100k or less which can find collisions in less than 24 hours. Hell, in a few years standard computers could probably generate collisions easily. SHA1 (Simple Hash Algorithm) is a much better alternative over MD5.

    The previous version of MD5, MD4, was so flawed it is now considered "broken". "Dobbertin [Dob95] has shown how collisions for the full version of MD4 can be found in under a minute on a typical PC... Clearly, MD4 should now be considered broken.".

    SHA1, while of the same family of hashes as MD4 and MD5, remains uncompromised by any research discoveries, and is widely used in many applications requiring the highest levels of security.

    Gnutella, the File Sharing Protocol, uses SHA1 over MD5 for the same reasons I state here. A developer of Bitzi (the Metadata/Hash catalog) has also recommended to the Gnutella Developer Forum not to use MD5, but SHA1 instead. Thus, people should be using SHA1 instead of MD5. I've noticed some major websites and companies are using MD5 hashes now, such as Adobe and Roxio. I would recommend to them to change them to SHA1 instead, since Gnutella supports it (and the fact that it is a much more secure and stronger hash algorithm)... and they can use MAGNET URIs to link to the files on Gnutella.

  17. Re:I got the bastard's IP by boolie · · Score: 3, Interesting

    oops. thought i was logged in.

    previous post is from eli, yes, this is the owner of 66.37.138.99 *gasp*, and more importantly, no i'm not involved in the backdooring of sendmail in any way.

  18. Re:Only the FTP... by OneFix · · Score: 5, Interesting

    So, lets get this right...you're trying to blame a UNIX machine for a Mac/Windoze virus???

    All of the virus scanning should be done by the vendor/distributor...

    The infections generally happen before it gets pressed. That's why it's usually only a few files that are infected. Someone's machine is infected and due to either poor administration or what not, they get onto the pressed CD.

    But, the truth is, mass-produced CDs don't go into a CD-R (ever wonder why there's no dye to be found on pressed CDs?)...They are pressed...they use molded metal "stamps" from a glass master...

    The UNIX machines are most likely only running the pressing machines...now, if you're expecting me to believe that a virus can get onto the pressing machine through this process, I'd like to know how...

    Check out This link to read about the process of CD pressing.

    I'm sure M$ has a reason for making it sound like they are using standard CD-Rs for this process...it probably makes it easier to blame a UNIX machine when a problem does arise...rather than telling ppl that one of your developers had an infected machine...

  19. Re:Why Mail Shouldn't Run As Root! by netmask · · Score: 2, Interesting


    The trojan doesn't work like that, look at the code. It compiles and runs when you run "./Build". It doesn't matter what sendmail runs.

    The moral of the story is, Check the SIG files.. AND don't configure/compile software as ROOT. At least then it would have only been user level compromise.

  20. also keys come from DIFFERENT locations than src by FreeUser · · Score: 3, Interesting

    If files from ftp.sendmail.org get infected, then people could probably get a bogus key as well.

    The difference, though, is that one can download a public GPG key from a site (like sendmail.org or something) and continue using it to verify software over several versions.


    Not only that, but public keys (or even complete keyrings containing public keys for groups of developers) can be obtained from multiple, different sources, all of which in turn are different and ideally independent of where one downloads the source tarball from.

    This means one can obtain a developer's key or keyring from, say, a public key server (or two, or several), some ftp site (preferably a different non-mirror one from the tarball), a purchased CD, or any number of other places, check them against each other (make sure none disagree), and use them to check a download immediately, as well as 5 years from now.

    The cracker would have to not only trojan the tarball, but also break into numerous independent key servers around the globe, numerous ftp sites around the globe, likely numerous web sites as well, and perhaps even various freenet nodes as well (if that is being used to distribute keys as well). And for those who ante up $5 for a CD with developers keys on it, they'd have to intercept the postal service and swap CDs as well (or crack the master CD before it goes to press).

    Good luck. Even the NSA would probably have trouble pulling something like that off.

    --
    The Future of Human Evolution: Autonomy
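
    Comments 2, 6, 12 and 20 between them describe one procedure: a maintainer signs the MD5SUM manifest with a PGP key, and the downloader fetches that key from more than one independent place, compares the fingerprints, verifies the signature, and only then trusts the checksums. As an added example (not sendmail.org's release process and not any distro's tooling), here is that procedure end to end in POSIX sh with GnuPG. Everything it touches is generated locally: a throwaway signing key under an example identity (release@example.invalid), a constructed pkg-1.0 tarball, and two directories standing in for the project's site and an independent keyserver. It assumes gpg 2.1 or later (for --quick-generate-key and --pinentry-mode loopback) and coreutils md5sum; it then plays through three attacks the thread worries about: a swapped tarball, a swapped tarball with a "fixed" but unsigned manifest, and an attacker who owns the site and re-signs with his own key.

```shell
#!/bin/sh
# Added example (not sendmail.org's release process nor any distro's tooling):
# signed-manifest verification with a key fingerprint cross-check between two
# independently obtained copies of the key. Key, tarball and manifest are
# throwaway data generated here; no network is used.

WORK=$(mktemp -d)
MAINT="$WORK/maintainer"; USERHOME="$WORK/user"; ATTACKER="$WORK/attacker"
SITE="$WORK/site"; MIRROR="$WORK/keyserver"      # two "sources" for the key
mkdir -p "$MAINT" "$USERHOME" "$ATTACKER" "$SITE" "$MIRROR" "$WORK/src/pkg-1.0"
chmod 700 "$MAINT" "$USERHOME" "$ATTACKER"

# key_fingerprint KEYFILE -> primary-key fingerprint, read via a scratch keyring
key_fingerprint() {
    tmp=$(mktemp -d); chmod 700 "$tmp"
    GNUPGHOME=$tmp gpg --batch --quiet --import "$1" 2>/dev/null
    GNUPGHOME=$tmp gpg --batch --with-colons --fingerprint 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
    GNUPGHOME=$tmp gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$tmp"
}

# verify_release SITEDIR KEYS_A KEYS_B -> 0 only if both key copies carry the
# same fingerprint, MD5SUM.asc is a good signature over MD5SUM by that key,
# and the tarball's MD5 matches MD5SUM. The manifest means nothing until its
# signature has been checked, so the order of the steps matters.
verify_release() {
    site=$1; fa=$(key_fingerprint "$2"); fb=$(key_fingerprint "$3")
    if [ -z "$fa" ] || [ "$fa" != "$fb" ]; then
        echo "key fingerprint differs between sources: '$fa' vs '$fb'" >&2; return 1
    fi
    GNUPGHOME=$USERHOME gpg --batch --quiet --import "$2" 2>/dev/null
    # gpg exits 0 for a good signature even from an uncertified key; the
    # fingerprint cross-check above is what stands in for a web of trust here.
    GNUPGHOME=$USERHOME gpg --batch --verify "$site/MD5SUM.asc" "$site/MD5SUM" 2>/dev/null ||
        { echo "bad signature on MD5SUM" >&2; return 1; }
    (cd "$site" && md5sum -c --quiet MD5SUM 2>/dev/null) ||
        { echo "tarball does not match signed MD5SUM" >&2; return 1; }
    echo "release verified"
}

# --- maintainer side: throwaway key, constructed release, signed manifest ---
gen_key() {   # gen_key GNUPGHOME USERID   (no passphrase; demo key only)
    GNUPGHOME=$1 gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never 2>/dev/null
}
sign_manifest() {   # sign_manifest GNUPGHOME SITEDIR -> SITEDIR/MD5SUM.asc
    GNUPGHOME=$1 gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$2/MD5SUM.asc" "$2/MD5SUM" 2>/dev/null
}
publish_tarball() { tar -czf "$1/pkg-1.0.tar.gz" -C "$WORK/src" pkg-1.0; }
setup_demo() {
    gen_key "$MAINT" 'Release Signer (demo only) <release@example.invalid>'
    GNUPGHOME=$MAINT gpg --batch --armor --export > "$SITE/KEYS"
    cp "$SITE/KEYS" "$MIRROR/KEYS"                  # same key via a second channel
    echo 'echo hello' > "$WORK/src/pkg-1.0/Build"
    publish_tarball "$SITE"
    (cd "$SITE" && md5sum pkg-1.0.tar.gz > MD5SUM)
    sign_manifest "$MAINT" "$SITE"
}
# An attacker who owns the site swaps in his own key and re-signs; the copy on
# the independent keyserver still carries the maintainer's fingerprint.
attacker_resigns() {
    gen_key "$ATTACKER" 'Release Signer (impostor) <release@example.invalid>'
    GNUPGHOME=$ATTACKER gpg --batch --armor --export > "$SITE/KEYS"
    sign_manifest "$ATTACKER" "$SITE"
}
cleanup() {
    for h in "$MAINT" "$USERHOME" "$ATTACKER"; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null; done
    rm -rf "$WORK"
}

# Walk through the scenarios; outcomes land in R_* (pass = verified).
GPG_OK=0
if command -v gpg >/dev/null 2>&1 && command -v md5sum >/dev/null 2>&1; then
    GPG_OK=1; setup_demo
    verify_release "$SITE" "$SITE/KEYS" "$MIRROR/KEYS" && R_CLEAN=pass || R_CLEAN=fail
    printf 'echo hello\necho tampered\n' > "$WORK/src/pkg-1.0/Build"
    publish_tarball "$SITE"                          # tarball swapped, manifest untouched
    verify_release "$SITE" "$SITE/KEYS" "$MIRROR/KEYS" && R_SWAP=pass || R_SWAP=fail
    (cd "$SITE" && md5sum pkg-1.0.tar.gz > MD5SUM)   # manifest "fixed up" but not re-signed
    verify_release "$SITE" "$SITE/KEYS" "$MIRROR/KEYS" && R_MANIFEST=pass || R_MANIFEST=fail
    attacker_resigns                                 # re-signed with a different key
    verify_release "$SITE" "$SITE/KEYS" "$MIRROR/KEYS" && R_REKEY=pass || R_REKEY=fail
    echo "clean=$R_CLEAN swapped_tarball=$R_SWAP unsigned_manifest=$R_MANIFEST impostor_key=$R_REKEY"
    cleanup
else
    echo "gpg and/or md5sum not installed; demo skipped" >&2
fi
```

    The expected run is clean=pass and the three attacks fail, each at a different step: the swapped tarball fails the md5sum check, the unsigned "fixed" manifest fails gpg --verify, and the impostor key fails the fingerprint comparison before gpg --verify is even reached. That last case is the point of comment 20: it is only caught because the second copy of KEYS did not come from the same compromised site.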