[Full-Disclosure] RPM verification

From: Andrew Griffiths (full-disclosure@lists.netsys.com)
Date: 08/29/02


From: full-disclosure@lists.netsys.com (Andrew Griffiths)
Date: Thu, 29 Aug 2002 21:59:53 +1000


Hrm. Well, when I send it to myself to test if it would sign properly,
it didn't...
/me kicks himself.

Well, for those that care (if any) the attached doc and sig should work...

[Attachment: rpm-fixed]

Product: rpm
Version tested: 4.0.4

Description
-----------

        rpm is a powerful Package Manager, which can be used to
        build, install, query, verify, update, and erase individual
        software packages. A package consists of an archive
        of files and meta-data used to install and erase the
        archive files. The meta-data includes helper scripts, file
        attributes, and descriptive information about the package.
        Packages come in two varieties: binary packages, used to
        encapsulate software to be installed, and source packages,
        containing the source code and recipe necessary to produce
        binary packages.

Problem
-------

        The user can be tricked into thinking that a package came from a
        trusted source if either the user has gpg set up to fetch unknown keys
        automatically from a keyserver (and the attacker knows this, or spams
        the key to a majority of keyservers), or the attacker strikes up a
        conversation with the victim and the victim imports the attacker's
        public key into the same gpg keyring that is used to verify signed rpm
        packages.

Example
-------

[andrewg@blackhole rpmzap]$ wget ftp://ftp.planetmirror.com/pub/redhat/redhat-7.3/en/os/i386/RedHat/RPMS/xloadimage-4.1-21.i386.rpm
--22:18:59-- ftp://ftp.planetmirror.com/pub/redhat/redhat-7.3/en/os/i386/RedHat/RPMS/xloadimage-4.1-21.i386.rpm
           => `xloadimage-4.1-21.i386.rpm'
Connecting to 127.0.0.1:3128... connected!
Proxy request sent, awaiting response... 200 OK
Length: 141,295 [audio/x-pn-realaudio-plugin]

    0K -> .......... .......... .......... .......... .......... [ 36%]
   50K -> .......... .......... .......... .......... .......... [ 72%]
  100K -> .......... .......... .......... ....... [100%]

22:18:59 (6.74 MB/s) - `xloadimage-4.1-21.i386.rpm' saved [141295/141295]

(
Here, I have done a squid redirection to insert the trojaned file.

We verify the downloaded RPMs the way Red Hat's GPG pages described it as of
Thu Aug 22 10:59:09 EST 2002: with rpm --checksig, or its equivalent, rpm -K.

http://www.redhat.com/solutions/security/news/publickey.html
http://www.redhat.com/solutions/security/news/betapublickey.html

Both listed rpm --checksig as the way to verify an rpm package.

A lot of other distros also recommend --checksig for verification. Some
documentation needs to be updated.
)

[andrewg@blackhole rpmzap]$ rpm -K xloadimage-4.1-21.i386.rpm
xloadimage-4.1-21.i386.rpm: md5 gpg OK

(Everything looks fine... but..)

[andrewg@blackhole rpmzap]$ rpm -K xloadimage-4.1-21.i386.rpm -vv
D: Expected size: 141295 = lead(96)+sigs(248)+pad(0)+data(140951)
D: Actual size: 141295
xloadimage-4.1-21.i386.rpm:
MD5 sum OK: 2bd4c89da85d38f279974d3707e721e3
gpg: Signature made Mon 19 Aug 2002 20:07:22 EST using DSA key ID 5A98A001
gpg: Good signature from Andrew Griffiths (...) <nullptr@tasmail.com>"
[andrewg@blackhole rpmzap]$

(Not signed by RedHat... but the victim most likely doesn't think to check _who_
signed it.)

Fix(es)
-------

- Separate gpg home directory, used only by rpm.
        For your ${HOME}, we'd do something like:
                mkdir .gpg-rpm
                chmod 700 .gpg-rpm
                rpm --import --homedir=${HOME}/.gpg-rpm RPM-GPG-KEY

        Now we edit ${HOME}/.rpmmacros, and add/modify
                %_signature gpg
                %_gpg_path _your_home_dir_here/.gpg-rpm

        This way you keep a separate keyring just for package verification,
        and rpm will automatically use the new setup.

As such, the fix is to wait until RPM 4.1, which fixes the problem.

Workarounds
-----------

- rpm could parse gpg's output and print the name of the signing key by default.

- Whenever you check packages, use, say, --checksig -vv to see gpg's own
output, including who signed the package.
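An added example of the workaround above (this is not code from the advisory or from rpm itself): a small Python wrapper that runs rpm -K -vv, parses the gpg lines, and only accepts a package when the signature was made by a key ID on an explicit allowlist, so the "md5 gpg OK" summary alone is never trusted. The allowlist value 0123ABCD is a constructed placeholder, the output format is assumed to be the gpg 1.0.x format shown in the example section, and the sample outputs embedded below are constructed from that transcript.

```python
"""Strict wrapper around ``rpm -K -vv`` (added example, not part of the advisory).

Assumptions: gpg 1.0.x-style lines as in the advisory's transcript, and a
TRUSTED_KEY_IDS allowlist holding the vendor's key ID (placeholder here).
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional, Set

# Placeholder vendor key ID (constructed). Replace with the short key ID that
# ``gpg --list-keys`` prints for the vendor key you imported.
TRUSTED_KEY_IDS: Set[str] = {"0123ABCD"}

SIG_MADE_RE = re.compile(
    r"^gpg: Signature made .+? using (?P<algo>\w+) key ID (?P<keyid>[0-9A-Fa-f]{8,16})\b"
)
GOOD_SIG_RE = re.compile(r'^gpg: Good signature from "?(?P<uid>.+?)"?\s*$')
BAD_SIG_RE = re.compile(r"^gpg: BAD signature")
NO_KEY_RE = re.compile(r"^gpg: Can't check signature: public key not found")


@dataclass
class Verdict:
    ok: bool                # True only for a good signature from an allowlisted key
    key_id: Optional[str]   # short (8 hex digit) key ID gpg reported, if any
    uid: Optional[str]      # user ID gpg printed for the signer, if any
    reason: str


def _short(key_id: str) -> str:
    # gpg 1.0 prints 8-digit short IDs; normalise longer IDs to the same form.
    return key_id.upper()[-8:]


def classify(output: str, trusted: Set[str] = TRUSTED_KEY_IDS) -> Verdict:
    """Classify verbose checksig output; anything not positively trusted fails."""
    key_id = uid = None
    good = bad = missing = False
    for raw in output.splitlines():
        line = raw.strip()
        m = SIG_MADE_RE.match(line)
        if m:
            key_id = _short(m.group("keyid"))
            continue
        m = GOOD_SIG_RE.match(line)
        if m:
            good, uid = True, m.group("uid")
            continue
        if BAD_SIG_RE.match(line):
            bad = True
        elif NO_KEY_RE.match(line):
            missing = True
    if bad:
        return Verdict(False, key_id, uid, "BAD signature")
    if missing:
        return Verdict(False, key_id, uid, "public key not found")
    if not good or key_id is None:
        # Covers "md5 OK" only packages and summary-only output: fail closed.
        return Verdict(False, key_id, uid, "no gpg signature")
    if key_id not in {_short(k) for k in trusted}:
        return Verdict(False, key_id, uid, f"signed by untrusted key ID {key_id}")
    return Verdict(True, key_id, uid, f"signed by trusted key ID {key_id}")


def check_package(path: str, trusted: Set[str] = TRUSTED_KEY_IDS) -> Verdict:
    """Run ``rpm -K -vv`` on a package file and classify its combined output."""
    proc = subprocess.run(["rpm", "-K", "-vv", path], capture_output=True, text=True)
    return classify(proc.stdout + proc.stderr, trusted)


# Constructed sample: the verbose output from the advisory (signer is not the vendor).
SAMPLE_UNTRUSTED = """\
D: Expected size: 141295 = lead(96)+sigs(248)+pad(0)+data(140951)
D: Actual size: 141295
xloadimage-4.1-21.i386.rpm:
MD5 sum OK: 2bd4c89da85d38f279974d3707e721e3
gpg: Signature made Mon 19 Aug 2002 20:07:22 EST using DSA key ID 5A98A001
gpg: Good signature from "Andrew Griffiths (...) <nullptr@tasmail.com>"
"""

# Constructed sample: a package carrying only an MD5 digest and no gpg signature.
SAMPLE_UNSIGNED = "xloadimage-4.1-21.i386.rpm:\nMD5 sum OK: 2bd4c89da85d38f279974d3707e721e3\n"

if __name__ == "__main__":
    for label, sample in (("untrusted", SAMPLE_UNTRUSTED), ("unsigned", SAMPLE_UNSIGNED)):
        v = classify(sample)
        print(f"{label}: ok={v.ok} key={v.key_id} uid={v.uid} reason={v.reason}")
```

The allowlist, not the contents of the gpg keyring, is the trust decision here: a key that was auto-fetched from a keyserver or imported during a conversation still yields "Good signature", but its key ID is not on the list, so the package is rejected with the signer named in the reason.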

Notes
-----

- Red Hat Network isn't vulnerable to this issue, as it uses a setup like the
one above.

- Future versions of RPM (4.1) will not be using gpg externally, but
will be maintaining the keys to verify internally.

- Following notification to Red Hat, they updated their verification
instructions to include the use of the -v flag.

- Following notification to OpenPKG, they updated their security page, and
their security advisory page.

- SuSE recommends verifying with rpm -v --checksig file.rpm. They were not
contacted.

- Caldera didn't appear to offer a gpg signature for verifying their rpms, and
had no public key to encrypt a report to.

Greets
------

zen-parse - http://mp3.com/cosv
jaguar
remedy
sharrad - http://go.to/innerdreams

[Attachment: rpm-fixed.asc]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEABECAAYFAj1uDFMACgkQoAeEnVqYoAG6tQCfRGQWXZpVXQFiw+RWX0UtIY4z
qugAn2GS1gVGoVHg//3OEcD/qPi4JU/D
=WU4L
-----END PGP SIGNATURE-----
