Re: RPM aware rootkits?

From: Chris Green (cmg@uab.edu)
Date: 02/14/02


To: Anton Chuvakin <anton@chuvakin.org>
From: Chris Green <cmg@uab.edu>
Date: Wed, 13 Feb 2002 17:42:15 -0600

Anton Chuvakin <anton@chuvakin.org> writes:

> Hello Chris and all,
>
> Thanks for the message.
>
>>What won't work in this situation is attackers that have the md5sums
>>or signatures for various binaries on the machine that you are
>>intending to replace.
> Hmm, that was the point of my question, to some extent. How would an
> attacker (possessing the md5sums for valid packages and md5sums for hacked
> packages) go about updating the rpm database to pass the ? Are there any
> tools (in rootkits or elsewhere) to accomplish it?

Ok. Let's take a step back in explanation. I used md5sums of the
binaries to mean the actual md5(filename) => stuff and not the md5sum
entry in the /usr/lib/rpm database.

The installed version of the package has checksums/permissions for
every file in the package. You can rebuild a package with the same
name and just upgrade over an old one and pass the rpm -V test.

The GPG check comes here:

% rpm --checksig wireless-tools-21-1.src.rpm
wireless-tools-21-1.src.rpm: md5 gpg OK

Only when you have the uninstalled rpm does checksig do anything for
you. It's designed to be able to trust that where you get a package
from is made by the person that says they made it.

Now, let's say your distro comes with socks5-1.0r11-3.i386.rpm
installed. Now let's say you create a package named
socks5-1.0r11-4.i386.rpm.

When you do rpm -Uvh socks5-1.0r11-4.i386.rpm, you will uninstall the
old one and install the new one. You could also name it the same
thing as previously and install it; I'm just using this upgrade path
as an example.

The md5sums of files to an external entity will be different
(assuming the code is different, etc.). However, these different md5sums
will be installed in the new rpm database, and rpm -V socks5 will
return with no visible errors.

Now say an attacker does md5sum(file) instead of looking at the rpm
database. They will notice things have changed.

The easiest way to update it is to have custom rpms and let rpm do the
dirty work for you. There are tools that can work on the database, and
there are rpm Perl bindings that can also help manipulate it.

-- 
Chris Green <cmg@uab.edu>
Laugh and the world laughs with you, snore and you sleep alone.
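The practical consequence of the message above is that rpm -V only compares files against the checksums stored on the same host, in the rpm database, and a re-packaged, upgraded-in package rewrites both at once. The check that still works is the one the message calls hashing "to an external entity": a manifest of file hashes taken right after install and kept where the host cannot alter it. The script below is an added example, not code from the original message or from the rpm project; it uses only find and sha256sum (sha256 in place of the message's md5 is an assumption), no rpm tooling, and runs against a constructed directory tree standing in for a real install.

```shell
#!/bin/sh
# Added example (not from the original message): verify installed files against
# a reference manifest that lives OUTSIDE the host's rpm database.
# rpm -V compares files with the checksums stored in /var/lib/rpm, which a
# re-packaged, upgraded-in trojan package rewrites along with the files.
# A manifest taken at install time and kept off-box (or on read-only media)
# is the "external entity" the message refers to. sha256 is used here instead
# of md5 (an assumption of this example); no rpm tooling is required.

# build_manifest DIR OUT
# Record the hash of every regular file under DIR in OUT, one "hash  ./path"
# line per file, sorted by path so two manifests can be diffed directly.
build_manifest() {
    dir=$1
    out=$2
    ( cd "$dir" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k2 > "$out"
}

# verify_manifest DIR MANIFEST
# Re-hash the files named in MANIFEST under DIR and report every file that is
# CHANGED, MISSING, or present on disk but UNLISTED in the manifest (a dropped
# binary). Exit status is the number of findings (0 = clean; capped at 255).
verify_manifest() {
    dir=$1
    manifest=$2
    findings=0

    while IFS= read -r line; do
        expected=${line%% *}      # text before the first space: the hash
        path=${line#*  }          # text after the two-space separator: ./path
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING  $path"
            findings=$((findings + 1))
            continue
        fi
        actual=$(sha256sum "$dir/$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED  $path"
            findings=$((findings + 1))
        fi
    done < "$manifest"

    # Files on disk that the manifest never listed.
    ref_list=$(mktemp)
    disk_list=$(mktemp)
    cut -d' ' -f3- "$manifest" | LC_ALL=C sort > "$ref_list"
    ( cd "$dir" && find . -type f ) | LC_ALL=C sort > "$disk_list"
    unlisted=$(comm -13 "$ref_list" "$disk_list")
    rm -f "$ref_list" "$disk_list"
    if [ -n "$unlisted" ]; then
        printf '%s\n' "$unlisted" | sed 's/^/UNLISTED /'
        findings=$((findings + $(printf '%s\n' "$unlisted" | wc -l | tr -d ' ')))
    fi

    return "$findings"
}

# Demo on a constructed directory tree (a stand-in for /usr/bin and friends).
work=$(mktemp -d)
mkdir -p "$work/root/bin"
printf 'genuine ls\n' > "$work/root/bin/ls"
printf 'genuine ps\n' > "$work/root/bin/ps"
build_manifest "$work/root" "$work/baseline.sha256"   # this copy belongs off-box
printf 'trojaned ps\n' > "$work/root/bin/ps"          # file replaced after install
printf 'dropped\n' > "$work/root/bin/.hidden"         # new file the manifest never saw
verify_manifest "$work/root" "$work/baseline.sha256" || echo "findings: $?"
rm -rf "$work"
```

The manifest is only worth something if it was taken before the host could have been tampered with and is stored somewhere the host cannot write (another machine, read-only media, or a signed copy whose key is not on the box); if it sits next to the rpm database, the same custom package that fools rpm -V can overwrite it too. The demo reports CHANGED for the replaced binary and UNLISTED for the dropped file, which is exactly the difference the message describes between asking the rpm database and hashing the files yourself.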
