Re: RPM aware rootkits?From: Chris Green (firstname.lastname@example.org)
- Previous message: jon schatz: "Re: RPM aware rootkits?"
- In reply to: Anton Chuvakin: "Re: RPM aware rootkits?"
- Next in thread: Tim Lawless: "Re: RPM aware rootkits?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Anton Chuvakin <email@example.com> From: Chris Green <firstname.lastname@example.org> Date: Wed, 13 Feb 2002 17:42:15 -0600
Anton Chuvakin <email@example.com> writes:
> Hello Chris and all,
> Thanks for the message.
>>What won't work in this situation is attackers that have the md5sums
>>or signatures for various binaries on the machine that you are
>>intending to replace.
> Hmm, that was the point of my question, to some extent. How would an
> attacker (possesing the md5sums for valid packages and md5sumes for hacked
> packages) go about updating the rpm database to pass the ? Are there any
> tools (in rootkits or elsewhere) to accomplish it?
Ok. Lets take a step back in explanation. I used md5sums of the
binaries to mean the actual md5(filename) => stuff and not the md5sum
entry in the /usr/lib/rpm database.
The installed version of the package has checksums/permissions for
every file in the package. You can rebuild a package with the same
name and just upgrade over an old one and pass the rpm -V test.
The GPG check comes here:
% rpm --checksig wireless-tools-21-1.src.rpm
wireless-tools-21-1.src.rpm: md5 gpg OK
Only when you have the uninstalled rpm does checksig do anything for
you. It's designed to be able to trust that where you get a package
from is made by the person that says they made it.
Now, lets say your distro comes with you socks5-1.0r11-3.i386.rpm
installed. Now lets say you create a package named
when you do rpm -Uvh socks5-1.0r11-4.i386.rpm, you will uninstall the
old one and install the new one. You could also name it the same
thing as previously and install it, I'm just using this upgrade path
as an example
The md5sums of files to an external entity will be different (
assuming the code is different,etc ). However, these different md5sums
will be installled in the new rpm database and rpm -V socks5 will work
will return with no visible errors.
Now say an attacker does md5sum(file) instead of looking at the rpm
database. They will notice things have changed.
The easiest way to update it is to have custom rpms and let rpm do the
dirty work for you. There are tools that can work on the database and
there are rpmperl bindings that can also help manipulate.
-- Chris Green <firstname.lastname@example.org> Laugh and the world laughs with you, snore and you sleep alone.