[UNIX] Trust Issues with RH and Debian Package Managers

From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 20 Dec 2001 08:31:47 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Trust Issues with RH and Debian Package Managers
------------------------------------------------------------------------

SUMMARY

"Magic Lantern" is reported to let an FBI agent gain access to a computer
without ever having physical access to it. The exact method is not yet
known; rumours speak of some intrusion work being done while the program
"installs" itself on the target machine. What follows is a proposed method
by which such an installation could work, brought to public view in order
to make clear how easy it currently is to build such a program against the
package update process of a Linux distribution.

DETAILS

To test the feasibility of such a scheme you need a stock Debian 2.2r3 box
and a stock Red Hat 7.2 box. Both should be installed from CDs produced at
least a few months ago, so that both still carry the version of wu-ftpd
with the recent remote exploit and would need to be upgraded before
production use.

The goal is simple: play the part of the FBI and trick our machines into
accepting a trojaned version of the new wu-ftpd package.

First, we set up a transparent proxy on our gateway box, the machine that
shares our cable modem connection among the internal machines. We used
squirm (< http://squirm.foote.com.au/ >), a URL redirector for Squid, to
rewrite any request for a URL ending in .deb or .rpm so that it was served
from our local web server, which held the trojaned .deb and .rpm files.

Second, we produced trojaned .deb and .rpm files. The .deb was trivial to
modify: only a checksum stood between us and a valid hacked version, and a
checksum that travels over the same unauthenticated channel as the package
is no obstacle to an attacker who controls that channel. The .rpm was a
little harder, because Red Hat signs its packages with a PGP key. However,
once we rebuilt the package and simply did not sign it, we had a working
package: rpm verifies a signature only when the administrator asks for it
(rpm --checksig), and nothing in the 'rpm -U' install path requires one.

Third, on the Debian box we typed 'apt-get update ; apt-get upgrade'.
After a few routine prompts, none of which raised a security alert, the box
was rooted by our "custom" package. The apt shipped with Debian 2.2 has no
notion of a package signature, so there was nothing for it to check.

Fourth, on the Red Hat box we ran 'rpm -U' pointed at the
updates.redhat.com server. We got the trojaned RPM back, with no warning or
prompt that it had not been signed, and within minutes we had an ftp server
running with a new backdoor.
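The four steps above, as an added model that is not part of the original
advisory and is not apt or rpm code: a mirror publishes a package and an
MD5 index, a client fetches both over one of several network paths (direct,
a squirm-style proxy that rewrites only .deb/.rpm downloads, a proxy that
also rewrites the index, and one that replays the genuine signature onto the
trojan), and the client installs under one of three policies. The package
contents and the RSA key (two Mersenne primes, no padding) are constructed
for the model and are assumptions; the 'trust' policy is the 2001
apt-get/rpm -U behaviour, and 'signature' is the fail-closed check the
advisory is asking for.

```python
import hashlib

# Toy RSA signing key; assumption: stands in for the distribution's PGP key.
# Mersenne primes and no padding make this a model, not a usable key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: only the repository has it


def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data):                      # repository side, needs D
    return pow(_digest(data), D, N)


def verify(data, sig):               # client side, needs only the public (E, N)
    return sig is not None and pow(sig, E, N) == _digest(data)


# Constructed package contents standing in for the real wu-ftpd update.
GENUINE = b"wu-ftpd-2.6.1-20: constructed genuine package contents"
TROJAN = b"wu-ftpd-2.6.1-20: constructed package contents plus backdoor"
NAME = "wu-ftpd-2.6.1-20.i386.rpm"


def md5hex(data):
    return hashlib.md5(data).hexdigest()


def make_repo(signed):
    """The mirror: an index of 'name md5' lines plus the package, signed or not."""
    index = f"{NAME} {md5hex(GENUINE)}\n".encode()
    return {"index": index, NAME: (GENUINE, sign(GENUINE) if signed else None)}


# Network paths between client and mirror. Each takes (what, repo) and returns
# what the client receives; 'what' is "index" or the package file name.
def direct(what, repo):
    return repo[what]


def proxy_packages_only(what, repo):
    """squirm-style: rewrite only URLs ending in .deb/.rpm, leave the index alone."""
    if what.endswith((".rpm", ".deb")):
        return TROJAN, None          # rebuilt without a signature, as in the advisory
    return repo[what]


def proxy_index_too(what, repo):
    """Stronger attacker: also rewrite the index so its MD5 matches the trojan."""
    if what == "index":
        return f"{NAME} {md5hex(TROJAN)}\n".encode()
    return proxy_packages_only(what, repo)


def proxy_replay_signature(what, repo):
    """Attacker keeps the genuine signature attached to the trojaned package."""
    if what == "index":
        return proxy_index_too(what, repo)
    if what.endswith((".rpm", ".deb")):
        return TROJAN, repo[what][1]
    return repo[what]


def install(policy, path, repo):
    """One client update run. policy: 'trust' (install whatever arrives),
    'checksum' (compare with the MD5 in the index), 'signature' (refuse
    anything unsigned or wrongly signed). Returns 'genuine', 'TROJAN' or 'refused'."""
    index = dict(line.split() for line in path("index", repo).decode().splitlines())
    data, sig = path(NAME, repo)
    if policy == "checksum" and index.get(NAME) != md5hex(data):
        return "refused"
    if policy == "signature" and not verify(data, sig):
        return "refused"
    return "genuine" if data == GENUINE else "TROJAN"


if __name__ == "__main__":
    for signed in (True, False):
        repo = make_repo(signed)
        for path in (direct, proxy_packages_only, proxy_index_too, proxy_replay_signature):
            for policy in ("trust", "checksum", "signature"):
                print(f"signed={signed!s:5} {path.__name__:23} {policy:9} -> "
                      f"{install(policy, path, repo)}")
```

Two rows of the output carry the advisory's point. Under 'checksum' the
packages-only proxy is caught, but the proxy that rewrites the index as well
is not, because the attacker can compute MD5 just as easily as the mirror.
Under 'signature' every proxied path is refused, including the replayed
genuine signature, and an unsigned repository is refused even over a direct
connection: a client that cannot tell "unsigned" from "attacked" has to treat
both the same way.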

To summarize, the FBI can easily set up a transparent proxy between you and
the Internet and trick your OS into installing malware. You are damned if
you do and damned if you don't, because you have to download the
wu-ftpd-of-the-week sometime.

As a matter of comparison, our Windows 2000 box has no such vulnerability.
The first time we went to Windows Update, we checked the box that said
"Always trust content from Microsoft Corporation." From then on the machine
accepts only code signed under a certificate issued to Microsoft Corporation
by a CA it trusts, so a proxy serving unsigned or re-signed content is
rejected. The check is only as strong as those CAs, however: a certificate
in Microsoft's name issued by a trusted CA to an impostor, whether through
fraud or compulsion, would pass it, so what remains is CA risk rather than an
update channel that checks nothing at all.

Linux distributions need to band together and find a trusted individual who
will be responsible for signing all packages and verifying that they do not
contain backdoors, and their package managers need to refuse any package
that does not carry a valid signature from that key. That is the only way to
solve this issue.

This is a serious issue for Linux users and we believe it should have been
addressed years ago. That said, now is not too late and definitely not too
early. We look forward to seeing this feature in all future releases of
the major Linux distributions.

ADDITIONAL INFORMATION

The information has been provided by dfeldman <dfeldman@ziplip.com>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
