
BLU Discuss list archive



Re: package manager attacks



 On Fri, Jul 11, 2008 at 5:17 PM, Matthew Gillen <[hidden email]> wrote: 
> Saw this on slashdot: 
> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
> 
> They make some interesting points, but in the end it's a pretty weak attack, 
> and wouldn't work in the real world. 

Actually, this appears to be a quite valid attack method, especially 
if you sit on the network with the machine(s) you want to attack.  I 
think this type of stuff has been discussed previously, but they just 
did more formal academic research and published it.  It wouldn't be 
too difficult to write a tool that does this, if they haven't already 
released their code. 

> First, I don't think any package manager will "downgrade" without significant 
> user intervention, so just providing access to old filelists (and the files 
> themselves) is not sufficient to install broken software on a client. 

I think the main point is that you are installing valid signed 
software -- just a more outdated package.  In fact, a proof of concept 
to install an old openssl package would be quite disastrous!!!  What I 
don't understand is why APT doesn't match up the version requested 
with the DEB info within the package.  If I request version 1.2.3, 
someone MITMs me, and then I receive a valid signed 1.2.0 package, wtf 
didn't APT say "you bait and switched me dude!!!" and then fail? 
Hrmm... 

> That leaves the DoS attack where you could simply prevent clients from 
> upgrading.  The problem there is that yum, apt, etc, all use rotating 
> mirrors, so a given client would have to somehow keep getting "bad guy" 
> mirrors (just once getting to a "good guy" mirror and they get the critical 
> updates).  You'd have to have a significant number of these "dummy" servers 
> to keep clients from updating, and by that point you'd be detected (it would 
> be trivial to identify "dummy" servers once you know that you need to look). 

Again, dnsspoof wins.  Look at how metasploit.com got hijacked 
recently :-)  That could have been a much worse situation for H D 
Moore, if the LAN attacker was cooler.  But hdm is slick and caught 
the attack within minutes I believe... 
-- 
Kristian Erik Hermansen 
-- 
CISSP, CEPT, CREA, CEH, Linux+, A+, QGCS, ACSA, this is getting ridiculous... 
http://kristian-hermansen.com




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
