Gentoo Forums
Gentoo Linux Insecurities
RyanBarnard
n00b

Joined: 28 Sep 2004
Posts: 6

Posted: Tue Sep 28, 2004 7:55 pm    Post subject: Gentoo Linux Insecurities

I would like to direct people's attention to a post by Tom St. Denis in the sci.crypt newsgroup. The link to his post is: http://groups.google.com/groups?dq=&hl=en&lr=&ie=UTF-8&group=sci.crypt&selm=5tednRIQYqHA-sTcRVn-gQ%40rogers.com

And I will paste his post into this message at the bottom.

Is this true? Does the Gentoo ports system need some rethinking? I've been running Gentoo for a few months now on multiple machines, and I definitely don't want to have to worry about a possible trojan on my system.

Ryan
-------------------------------------------------------
From: Tom St Denis (tomstdenis@iahu.ca)
Subject: Gentoo Linux insecurities...
Newsgroups: sci.crypt
Date: 2004-09-28 06:30:06 PST

This note is mostly based off of research by Dan Kaminsky [so he should
get the credit]. I just turned it into an attack on Gentoo.

If you look at the collisions in MD5 you'd think so what. Just a few
bits in odd places. Can't forge signatures. But you can [as Dan
pointed out to me] turn this into a real attack. In particular you can
really hurt Gentoo with it.

Some basics... if x != y and md5(x) == md5(y) then md5(x+q) == md5(y+q).

Simple right?

Ok now onto gentoo. Gentoo is a "ports" system which uses ebuild
scripts to download, configure and install [source based] packages. It
checks the md5sum of files to make sure the downloads were correct.
Here's the trick though.

Suppose you have two files which are made up of

vec1, vec2 == two payloads with the difference that causes the collision
header == file header + shell script to do work
payload == encoded payload. Actually it has two separate payloads
inside it. One encoded with sha1(vec1) as the key for AES, the other
with sha1(vec2) as the key. You can store a simple MAC so you can tell
them apart at runtime.

Now you make two ebuild packages

package1 = header || vec1 || payload
package2 = header || vec2 || payload

Now you hand off package1 to a gentoo developer. It uses the sha1 of
the vec finds the "legit" payload [by testing macs] and installs that.

Gentoo guy likes your package and submits it. Gentoo user downloads
package. Except now you swapped package1 for package2 on your site.
They have the same MD5 sum so you don't know any different. Now you
just ran/installed a trojaned program as root on gentoo.

Really what they should do is GPG sign the ebuild scripts and their
packages.

E.g. Mike Frysinger is the maintainer for LibTomCrypt in portage. He
should as part of his role test out the package then sign the .bz2 and
place that in the ebuild. His GPG key would be signed by a master key
which makes the Gentoo installed ISOs [e.g. web-o-trust].

Anyways this is some scary stuff since I use Gentoo on all of my boxes.
I always knew that md5sum based way was bad but now it's actually very
practical to attack Gentoo users.

Tom
pjp
Administrator

Joined: 16 Apr 2002
Posts: 16117
Location: Colorado

Posted: Tue Sep 28, 2004 7:57 pm

Moved from Networking & Security.
_________________
lolgov. 'cause where we're going, you don't have civil liberties.

In Loving Memory
1787 - 2008
truekaiser
l33t

Joined: 05 Mar 2004
Posts: 664

Posted: Tue Sep 28, 2004 8:03 pm

The ebuild will be hard masked unstable, preventing all the casual installs. Only the ones who are actually willing to test the package will download it, find the trojan and thus the ebuild will be removed before it does widespread harm.
richk449
Guru

Joined: 24 Oct 2003
Posts: 345

Posted: Tue Sep 28, 2004 8:27 pm

The file could be changed at any time - perhaps after the package has become "stable". The exploit is simply a way to create two packages with different contents but the same MD5. It seems dangerous to me, but I am no expert.
thrasher6670
Apprentice

Joined: 04 Aug 2003
Posts: 269
Location: London, Ontario

Posted: Tue Sep 28, 2004 8:33 pm

It would be a little difficult for anyone to do this.

First they would have to create a "script" that does the malicious code ... let's go with "rm -Rf /" to make it easy. This person then needs to make a version of the code that does nothing... say a script that contains nothing but commented lines... and somehow these 2 scripts need to match md5s... It _Could_ be done, but it would take a damn while for someone to find it, years in fact.

And as far as GPG signing the package... I think that would be a little difficult to get done, as enough of the ebuilds download directly from the website of the program and not a portage mirror.


I'm much more concerned that someone will hack an rsync mirror and inject a little malicious ebuild into the mix; it seems much more plausible.
_________________
Gentoo-Portage.com - Where the portage meets the web
Gentoo Wiki
richk449
Guru

Joined: 24 Oct 2003
Posts: 345

Posted: Tue Sep 28, 2004 8:46 pm

thrasher6670 wrote:
First they would have to create a "script" that does the malicious code ... let's go with "rm -Rf /" to make it easy. This person then needs to make a version of the code that does nothing... say a script that contains nothing but commented lines... and somehow these 2 scripts need to match md5s... It _Could_ be done, but it would take a damn while for someone to find it, years in fact.


My understanding is that a method had recently been introduced to produce MD5 collisions in a relatively short time, at least for one specific case: If you can modify two data sets, it makes it relatively easy to "tweak" them so that they will collide. In general, this isn't that useful, since an attacker doesn't have access to the original data sets. In the case described above though, it is very useful.

http://www.freedom-to-tinker.com/archives/000664.html
spb
Retired Dev

Joined: 02 Jan 2004
Posts: 2135
Location: Cambridge, UK

Posted: Tue Sep 28, 2004 9:25 pm

Yes, this would be possible, but would require some non-trivial effort. It would also require the person who wants to carry out the attack to be the maintainer of a relatively high-quality software package. Now, that's not impossible, but it's unlikely. It's still a risk though, which is why support for GPG signing of ebuilds and distfiles is in development at the moment.
chunderbunny
Veteran

Joined: 31 May 2004
Posts: 1281
Location: 51°24'27" N, 0°57'15" W

Posted: Tue Sep 28, 2004 9:29 pm

It is inevitable that any hashing algorithm will one day be rendered obsolete by new techniques and technology which can easily defeat the algorithm. In the case of MD5 sums of portage ebuilds and source code I think we are currently safe. At the moment it is only possible to generate two files with the same MD5 hash if the difference between the files is very small (I'm talking about 4 bytes). The damage one could do with 4 bytes of code is very small.

However, this will not always be the case. It would be prudent of the Gentoo team to start thinking about how we can switch to a better hashing algorithm now, rather than when MD5 exploits are far more widespread.
Carlo
Developer

Joined: 12 Aug 2002
Posts: 3356

Posted: Tue Sep 28, 2004 9:34 pm

That's correct, and likely there will be another hash added beside md5, in addition to the efforts to introduce a gpg signing infrastructure.
_________________
Please make sure that you have searched for an answer to a question after reading all the relevant docs.
ciaranm
Retired Dev

Joined: 19 Jul 2003
Posts: 1719
Location: In Hiding

Posted: Tue Sep 28, 2004 9:46 pm

Yes, so 'all' you've got to do is generate two valid tarballs that have the same length and md5sum...
truekaiser
l33t

Joined: 05 Mar 2004
Posts: 664

Posted: Tue Sep 28, 2004 10:29 pm

ciaranm wrote:
Yes, so 'all' you've got to do is generate two valid tarballs that have the same length and md5sum...


Do I detect a hint of sarcasm there?
ciaranm
Retired Dev

Joined: 19 Jul 2003
Posts: 1719
Location: In Hiding

Posted: Tue Sep 28, 2004 10:37 pm

truekaiser wrote:
ciaranm wrote:
Yes, so 'all' you've got to do is generate two valid tarballs that have the same length and md5sum...

Do I detect a hint of sarcasm there?

me? sarcasm? neeeever...
placeholder
Advocate

Joined: 07 Feb 2004
Posts: 2500

Posted: Tue Sep 28, 2004 11:27 pm

I think that this is another example of the side-effects of illogical paranoia. :wink:
RyanBarnard
n00b

Joined: 28 Sep 2004
Posts: 6

Posted: Wed Sep 29, 2004 12:27 am

Thanks for the answers everybody!
placeholder
Advocate

Joined: 07 Feb 2004
Posts: 2500

Posted: Wed Sep 29, 2004 12:29 am

RyanBarnard wrote:
Thanks for the answers everybody!

You are welcome. Also, you may now feel safe again knowing that it will take someone with no life to do this. lol
Naughtyus
Guru

Joined: 14 Jul 2002
Posts: 463
Location: Vancouver, BC

Posted: Wed Sep 29, 2004 2:10 am

How is this any worse than other distros which use binaries instead of source? Or how is it worse even from Win32?
KrispyKringle
Retired Dev

Joined: 28 Sep 2004
Posts: 3

Posted: Wed Sep 29, 2004 3:33 am    Post subject: Re: how is this worse for Gentoo

Because most distros distribute the actual binary or source packages from their own infrastructure/mirrors rather than having install scripts download those packages from third-party, untrusted servers (the way Gentoo ebuilds do), they aren't really vulnerable to this (or rather, to take advantage of it, one must hack a mirror server, which obviates the need to take advantage of this...).

With Gentoo, as outlined in the paper, one needn't bother to hack an RSYNC server, or really even modify an ebuild itself in any way (the paper doesn't say this; the chance of finding a collision for an MD5 in a non-maliciously-engineered ebuild that matches the MD5 for some trojan seems, to me, to be slim enough that we shouldn't bother talking about it, but I don't know the actual probability); one merely needs to be able to generate a trojaned package that has the same MD5 hash as that listed in some trusted ebuild, and then somehow gain control of (or already own--through the social engineering attack outlined in the original post) the server hosting the trusted package, and replace it with the trojaned one.

So yes, there is a specific reason to pick on Gentoo for this.

On the other hand, I personally would judge (this is all subjective, of course; it's moderately difficult to judge the mathematical probability of generating a usable collision, and entirely impossible to generate any real measure of the probability of an intrusion on an RSYNC server) the risk of having an RSYNC server broken into and the ebuilds changed to be far greater; that risk alone is sufficient motivation to implement GPG-signing on ebuilds, which conveniently could be used as an opportunity to fix this (probably insignificant) risk outlined above.
tomstdenis
n00b

Joined: 14 Jul 2004
Posts: 11

Posted: Wed Sep 29, 2004 3:43 am

ciaranm wrote:
Yes, so 'all' you've got to do is generate two valid tarballs that have the same length and md5sum...


It's actually very easy to do.

Say X != Y and md5(X) == md5(Y) (which is possible to do now, just not useful cuz they differ by a few specific bits) then...

MD5(X + Q) == MD5(Y + Q)

Which means Q can be any length. Including long enough to include two payloads (one good and one bad).

So yeah, your attitude is all wrong. The attack isn't super hard to perform. Dan Kaminsky already has perl scripts that perform this very action (dan@doxpara.com)

Tom
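The two points made in the posts above, adding a second hash beside MD5 and md5(X + Q) == md5(Y + Q), shown together as an added example that is not part of the thread and is not Portage code. It uses the publicly documented 2004 MD5 collision pair; `manifest_entry`, `verify` and the suffix `Q` are hypothetical names and constructed data used only for illustration.

```python
import hashlib

# Publicly documented 2004 MD5 collision input (Wang et al.): 128 bytes,
# i.e. exactly two 64-byte MD5 blocks.
X = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
# Its colliding partner differs only in the top bit of six bytes.
FLIPPED = (19, 45, 59, 83, 109, 123)
Y = bytes(b ^ 0x80 if i in FLIPPED else b for i, b in enumerate(X))

# Constructed stand-in for the rest of a distfile (the Q in the thread).
Q = b"#!/bin/sh\necho constructed suffix\n" * 10


def digest(algo, data):
    return hashlib.new(algo, data).hexdigest()


def manifest_entry(data, algos):
    """What gets pinned for a distfile at review time: size plus digests."""
    return {"size": len(data), **{a: digest(a, data) for a in algos}}


def verify(data, entry):
    """Accept a download only if the size and every pinned digest match."""
    if len(data) != entry["size"]:
        return False
    return all(digest(a, data) == h for a, h in entry.items() if a != "size")


def demo():
    # X + Q and Y + Q still collide because X and Y are equal-length, end on
    # a block boundary and leave MD5 in the same internal state; MD5 then
    # processes the identical suffix and length padding for both.
    reviewed, swapped = X + Q, Y + Q
    md5_only = manifest_entry(reviewed, ["md5"])
    hardened = manifest_entry(reviewed, ["md5", "sha256"])
    return {
        "files_differ": reviewed != swapped,
        "same_md5": digest("md5", reviewed) == digest("md5", swapped),
        "same_sha256": digest("sha256", reviewed) == digest("sha256", swapped),
        "md5_only_accepts_swap": verify(swapped, md5_only),
        "hardened_accepts_swap": verify(swapped, hardened),
        "hardened_accepts_reviewed": verify(reviewed, hardened),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```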
tomstdenis
n00b

Joined: 14 Jul 2004
Posts: 11

Posted: Wed Sep 29, 2004 3:44 am

Pwnz3r wrote:
I think that this is another example of the side-effects of illogical paranoia. :wink:


Except that the attack is in fact real.

Tom
tomstdenis
n00b

Joined: 14 Jul 2004
Posts: 11

Posted: Wed Sep 29, 2004 3:44 am

Pwnz3r wrote:
RyanBarnard wrote:
Thanks for the answers everybody!

You are welcome. Also, you may now feel safe again knowing that it will take someone with no life to do this. lol


How so? That's like windows is safe because "people with no lives write viruses".

Tom
tomstdenis
n00b

Joined: 14 Jul 2004
Posts: 11

Posted: Wed Sep 29, 2004 3:48 am    Post subject: Re: how is this worse for Gentoo

KrispyKringle wrote:
On the other hand, I personally would judge (this is all subjective, of course; it's moderately difficult to judge the mathematical probability of generating a usable collision, and entirely impossible to


Here's the point though. The collision can be in the middle, beginning or end. It can be just some random data for all the attacker concerns.

E.g.

header == shell script
vec1,vec2 == raw binary data
payload == two different binary payloads

header + {vec1|vec2} + payload == myinstaller.sh

If you grep sci.crypt you'll see posts about two files that collide. Heck you could even use THOSE SPECIFIC files. All you need is two vectors such that vec1 != vec2 so that when you go to act upon the payload you work differently depending on what vector is in the specific file.

Tom
tomstdenis
n00b

Joined: 14 Jul 2004
Posts: 11

Posted: Wed Sep 29, 2004 3:49 am

Naughtyus wrote:
How is this any worse than other distros which use binaries instead of source? Or how is it worse even from Win32?


That's not the point.

Tom
KrispyKringle
Retired Dev

Joined: 28 Sep 2004
Posts: 3

Posted: Wed Sep 29, 2004 4:14 am    Post subject: Re: how is this worse for Gentoo

tomstdenis wrote:
All you need is two vectors such that vec1 != vec2 so that when you go to act upon the payload you work differently depending on what vector is in the specific file.


So what you're saying is, someone could write a bit of code that, depending on some hidden flag, behaves either as a very useful utility that lots of people will want to download or install, or, alternatively, acts as a rootkit.

Whoop-de-freakin'-do. Welcome to the big bad world of free software, in which we have to trust or vet code ourselves to make sure it doesn't contain a sneaky backdoor (and, yes, this is a very serious concern; I wholeheartedly agree).

What I don't get is what this has to do with MD5 collisions. Yes, you could make that little flag be some random binary data that you alter, but it'd be a whole freakin' lot easier to make it something else; the concern about detection is if someone looks at the code, and that concern is not mitigated if you have
Code:
if(binarydata == vec2){ do_evil_shit(); }
rather than
Code:
if(time > somedate){ do_evil_shit(); }
In other words, the severity of this attack vector is completely irrespective of anything to do with MD5 collisions.

The only time MD5 collisions make this any heightened risk, really is a) if someone r00ts a server holding an already-popular tarball and finds a collision between the existing hash and some evil tarball (which is really unlikely) or b) if someone goes to the trouble of writing a utility that many find useful (something many a fame-whoring dev would love to do already), pads it somehow so that it hashes to a hash known to have a collision with that of some evil tarball, submits the ebuild to Gentoo, gets it marked stable and adopted by a wide number of users, and then alters the tarball. Frankly, I don't think your average script-kiddie has the patience for that.

I'm not trying to downplay this, and I give you credit for thinking of such a creative attack, but I'd be far more concerned about a more traditional attack on an RSYNC server, or on a dev's machine, and ebuilds being trojaned.

This conversation was interesting, but it's on its way to being wasted air. Unless I'm misunderstanding you, which is entirely possible. It's getting late. ;)
tomstdenis
n00b

Joined: 14 Jul 2004
Posts: 11

Posted: Wed Sep 29, 2004 4:29 am    Post subject: Re: how is this worse for Gentoo

To a certain extent you are right. I think the important thing to note is that the ebuild maintainer (of which there are many many many many untalented ones... such as the one for cpuspeedy...) can run and test the program just fine without any downsides.

Overall it just shows "yet another way" md5sums as a "security" measure is a bad idea. Gentoo really ought to use GPG signatures, really ought to have better audits/standards for scripts, etc...

I only speak as a person who writes software that makes its way into Gentoo's portage from time to time. Sadly I'm not a Gentoo-specific developer...

Tom
KrispyKringle
Retired Dev

Joined: 28 Sep 2004
Posts: 3

Posted: Wed Sep 29, 2004 4:32 am    Post subject: but

But like I said, there is a much more compelling reason for GPG signatures (hacked RSYNC servers), and much easier attack vectors than this (e.g. submitting backdoored code directly). No point in barring the window if you haven't bothered to lock the door.

If it makes you feel any better, I'm fairly certain that a lot of progress has been made regarding GPG signatures, but I only know this from offhand comments, so I can't really tell you.