RyanBarnard n00b
Joined: 28 Sep 2004 Posts: 6
|
Posted: Tue Sep 28, 2004 7:55 pm Post subject: Gentoo Linux Insecurities |
|
|
I would like to direct people's attention to a post by Tom St. Denis in the sci.crypt newsgroup. The link to his post is: http://groups.google.com/groups?dq=&hl=en&lr=&ie=UTF-8&group=sci.crypt&selm=5tednRIQYqHA-sTcRVn-gQ%40rogers.com
And I will paste his post into this message at the bottom.
Is this true? Does the Gentoo ports system need some rethinking? I've been running Gentoo for a few months now on multiple machines, and I definitely don't want to have to worry about a possible trojan on my system.
Ryan
-------------------------------------------------------
From: Tom St Denis (tomstdenis@iahu.ca)
Subject: Gentoo Linux insecurities...
Newsgroups: sci.crypt
Date: 2004-09-28 06:30:06 PST
This note is mostly based off of research by Dan Kaminsky [so he should
get the credit]. I just turned it into an attack on Gentoo.
If you look at the collisions in MD5 you'd think so what. Just a few
bits in odd places. Can't forge signatures. But you can [as Dan
pointed out to me] turn this into a real attack. In particular you can
really hurt Gentoo with it.
Some basics... if x != y and md5(x) == md5(y) then md5(x+q) == md5(y+q).
Simple right?
Ok now onto gentoo. Gentoo is a "ports" system which uses ebuild
scripts to download, configure and install [source based] packages. It
checks the md5sum of files to make sure the downloads were correct.
Here's the trick though.
Suppose you have two files which are made up of
vec1, vec2 == two payloads with the difference that causes the collision
header == file header + shell script to do work
payload == encoded payload. Actually it has two separate payloads
inside it. One encoded with sha1(vec1) as the key for AES, the other
with sha1(vec2) as the key. You can store a simple MAC so you can tell
them apart at runtime.
Now you make two ebuild packages
package1 = header || vec1 || payload
package2 = header || vec2 || payload
Now you hand off package1 to a gentoo developer. It uses the sha1 of
the vec finds the "legit" payload [by testing macs] and installs that.
Gentoo guy likes your package and submits it. Gentoo user downloads
package. Except now you swapped package1 for package2 on your site.
They have the same MD5 sum so you don't know any different. Now you
just ran/installed a trojaned program as root on gentoo.
Really what they should do is GPG sign the ebuild scripts and their
packages.
E.g. Mike Frysinger is the maintainer for LibTomCrypt in portage. He
should as part of his role test out the package then sign the .bz2 and
place that in the ebuild. His GPG key would be signed by a master key
which makes the Gentoo installed ISOs [e.g. web-o-trust].
Anyways this is some scary stuff since I use Gentoo on all of my boxes.
I always knew that md5sum based way was bad but now it's actually very
practical to attack Gentoo users.
Tom |
pjp Administrator
Joined: 16 Apr 2002 Posts: 20054
|
Posted: Tue Sep 28, 2004 7:57 pm Post subject: |
|
|
Moved from Networking & Security. _________________ Quis separabit? Quo animo? |
truekaiser l33t
Joined: 05 Mar 2004 Posts: 801
|
Posted: Tue Sep 28, 2004 8:03 pm Post subject: |
|
|
the ebuild will be hard masked unstable preventing all the casual installs. only the ones who are actually willing to test the package will download it, find the trojan and thus the ebuild will be removed before it does widespread harm. |
richk449 Guru
Joined: 24 Oct 2003 Posts: 345
|
Posted: Tue Sep 28, 2004 8:27 pm Post subject: |
|
|
The file could be changed at any time - perhaps after the package has become "stable". The exploit is simply a way to create two packages with different contents but the same MD5. It seems dangerous to me, but I am no expert. |
thrasher6670 Apprentice
Joined: 04 Aug 2003 Posts: 269 Location: London, Ontario
|
Posted: Tue Sep 28, 2004 8:33 pm Post subject: |
|
|
It would be a little difficult for anyone to do this.
First they would have to create a "script" that does the malicious code ... let's go with "rm -Rf /" to make it easy, this person then needs to make a version of the code that does nothing... say a script that contains nothing but commented lines... and somehow these 2 scripts need to match md5s... It _Could_ be done, but it would take a damn while for someone to find it, years in fact.
and as far as GPG signing the package... I think that would be a little difficult to get done as enough of the ebuilds download directly from the website of the program and not a portage mirror.
I'm much more concerned that someone will hack an rsync mirror and inject a little malicious ebuild into the mix, it seems much more plausible _________________ Gentoo-Portage.com - Where the portage meets the web
Gentoo Wiki |
richk449 Guru
Joined: 24 Oct 2003 Posts: 345
|
Posted: Tue Sep 28, 2004 8:46 pm Post subject: |
|
|
thrasher6670 wrote: | First they would have to create a "script" that does the malicious code ... let's go with "rm -Rf /" to make it easy, this person then needs to make a version of the code that does nothing... say a script that contains nothing but commented lines... and somehow these 2 scripts need to match md5s... It _Could_ be done, but it would take a damn while for someone to find it, years in fact. |
My understanding is that a method had recently been introduced to produce MD5 collisions in a relatively short time, at least for one specific case: If you can modify two data sets, it makes it relatively easy to "tweak" them so that they will collide. In general, this isn't that useful, since an attacker doesn't have access to the original data sets. In the case described above though, it is very useful.
http://www.freedom-to-tinker.com/archives/000664.html |
spb Retired Dev
Joined: 02 Jan 2004 Posts: 2135 Location: Cambridge, UK
|
Posted: Tue Sep 28, 2004 9:25 pm Post subject: |
|
|
Yes, this would be possible, but would require some non-trivial effort. It would also require the person who wants to carry out the attack to be the maintainer of a relatively high-quality software package. Now, that's not impossible, but it's unlikely. It's still a risk though, which is why support for GPG signing of ebuilds and distfiles is in development at the moment. |
chunderbunny Veteran
Joined: 31 May 2004 Posts: 1281 Location: 51°24'27" N, 0°57'15" W
|
Posted: Tue Sep 28, 2004 9:29 pm Post subject: |
|
|
It is inevitable that any hashing algorithm will one day be rendered obsolete by new techniques and technology which can easily defeat the algorithm. In the case of MD5 sums of portage ebuilds and source code I think we are currently safe. At the moment it is only possible to generate two files with the same MD5 hash if the difference between the files is very small (I'm talking about 4 bytes.) The damage one could do with 4 bytes of code is very small.
However, this will not always be the case. It would be prudent of the Gentoo team to start thinking about how we can switch to a better hashing algorithm now, rather than when MD5 exploits are far more widespread. |
Carlo Developer
Joined: 12 Aug 2002 Posts: 3356
|
Posted: Tue Sep 28, 2004 9:34 pm Post subject: |
|
|
That's correct, and likely there will be another hash added beside md5, in addition to the efforts to introduce a gpg signing infrastructure. _________________ Please make sure that you have searched for an answer to a question after reading all the relevant docs. |
ciaranm Retired Dev
Joined: 19 Jul 2003 Posts: 1719 Location: In Hiding
|
Posted: Tue Sep 28, 2004 9:46 pm Post subject: |
|
|
Yes, so 'all' you've got to do is generate two valid tarballs that have the same length and md5sum... |
truekaiser l33t
Joined: 05 Mar 2004 Posts: 801
|
Posted: Tue Sep 28, 2004 10:29 pm Post subject: |
|
|
ciaranm wrote: | Yes, so 'all' you've got to do is generate two valid tarballs that have the same length and md5sum... |
do i detect a hint of sarcasm there? |
ciaranm Retired Dev
Joined: 19 Jul 2003 Posts: 1719 Location: In Hiding
|
Posted: Tue Sep 28, 2004 10:37 pm Post subject: |
|
|
truekaiser wrote: | ciaranm wrote: | Yes, so 'all' you've got to do is generate two valid tarballs that have the same length and md5sum... |
do i detect a hint of sarcasm there? |
me? sarcasm? neeeever... |
placeholder Advocate
Joined: 07 Feb 2004 Posts: 2500
|
Posted: Tue Sep 28, 2004 11:27 pm Post subject: |
|
|
I think that this is another example of the side-effects of illogical paranoia. |
RyanBarnard n00b
Joined: 28 Sep 2004 Posts: 6
|
Posted: Wed Sep 29, 2004 12:27 am Post subject: |
|
|
Thanks for the answers everybody! |
placeholder Advocate
Joined: 07 Feb 2004 Posts: 2500
|
Posted: Wed Sep 29, 2004 12:29 am Post subject: |
|
|
RyanBarnard wrote: | Thanks for the answers everybody! |
You are welcome. Also, you may now feel safe again knowing that it will take someone with no life to do this. lol |
Naughtyus Guru
Joined: 14 Jul 2002 Posts: 463 Location: Vancouver, BC
|
Posted: Wed Sep 29, 2004 2:10 am Post subject: |
|
|
How is this any worse than other distros which use binaries instead of source? Or how is it worse even from Win32? |
KrispyKringle Retired Dev
Joined: 28 Sep 2004 Posts: 3
|
Posted: Wed Sep 29, 2004 3:33 am Post subject: Re: how is this worse for Gentoo |
|
|
Because most distros distribute the actual binary or source packages from their own infrastructure/mirrors rather than having install scripts download those packages from third-party, untrusted servers (the way Gentoo ebuilds do), they aren't really vulnerable to this (or rather, to take advantage of it, one must hack a mirror server, which obviates the need to take advantage of this...).
With Gentoo, as outlined in the paper, one needn't bother to hack an RSYNC server, or really even modify an ebuild itself in any way (the paper doesn't say this; the chance of finding a collision for an MD5 in a non-maliciously-engineered ebuild that matches the MD5 for some trojan seems, to me, to be slim enough that we shouldn't bother talking about it, but I don't know the actual probability); one merely needs to be able to generate a trojaned package that has the same MD5 hash as that listed in some trusted ebuild, and then somehow gain control of (or already own--through the social engineering attack outlined in the original post) the server hosting the trusted package, and replace it with the trojaned one.
So yes, there is a specific reason to pick on Gentoo for this.
On the other hand, I personally would judge (this is all subjective, of course; it's moderately difficult to judge the mathematical probability of generating a usable collision, and entirely impossible to generate any real measure of the probability of an intrusion on an RSYNC server) the risk of having an RSYNC server broken into and the ebuilds changed to be far greater; that risk alone is sufficient motivation to implement GPG-signing on ebuilds, which conveniently could be used as an opportunity to fix this (probably insignificant) risk outlined above. |
tomstdenis n00b
Joined: 14 Jul 2004 Posts: 11
|
Posted: Wed Sep 29, 2004 3:43 am Post subject: |
|
|
ciaranm wrote: | Yes, so 'all' you've got to do is generate two valid tarballs that have the same length and md5sum... |
It's actually very easy to do.
say X != Y and md5(X) == md5(Y) (which is possible to do now just not useful cuz they differ by a few specific bits) then...
MD5(X + Q) == MD5(Y + Q)
Which means Q can be any length. Including long enough to include two payloads (one good and one bad).
So yeah, your attitude is all wrong. The attack isn't super hard to perform. Dan Kaminsky already has perl scripts that perform this very action (dan@doxpara.com)
Tom |
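An added illustration, not part of the thread and not Portage code, of the suffix property stated in the post above and of the second digest Carlo mentions earlier. A toy iterated hash with a deliberately tiny 24-bit chaining state stands in for MD5 so that a collision can be found by brute force; the function names, the manifest layout and the sample suffix are assumptions made for this example.

```python
import hashlib
from itertools import count

BLOCK, STATE = 16, 3            # toy sizes: 16-byte blocks, 24-bit chaining state
IV = b"\x00" * STATE

def compress(state, block):
    # Stand-in compression function (truncated SHA-256), NOT MD5's.
    return hashlib.sha256(state + block).digest()[:STATE]

def toy_hash(msg):
    # Iterated hash with an MD5-style layout: 0x80, zero fill, message length.
    padded = msg + b"\x80"
    padded += b"\x00" * (-(len(padded) + 8) % BLOCK)
    padded += len(msg).to_bytes(8, "big")
    state = IV
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state

def find_block_collision():
    # Birthday search: two different one-block messages, same chaining state.
    seen = {}
    for n in count():
        block = n.to_bytes(BLOCK, "big")
        state = compress(IV, block)
        if state in seen:
            return seen[state], block
        seen[state] = block

def manifest_entry(data):
    # Hypothetical manifest record: size plus one weak and one strong digest.
    return {"size": len(data), "toy": toy_hash(data).hex(),
            "sha256": hashlib.sha256(data).hexdigest()}

def verify(data, entry, algos):
    # Reject on any mismatch in size or in one of the requested digests.
    got = manifest_entry(data)
    return got["size"] == entry["size"] and all(got[a] == entry[a] for a in algos)

def demo():
    x, y = find_block_collision()
    q = b"constructed sample suffix of arbitrary length\n"
    reviewed, swapped = x + q, y + q          # X + Q and Y + Q from the thread
    entry = manifest_entry(reviewed)          # recorded when the file was reviewed
    return {
        "files_differ": reviewed != swapped,
        "toy_only_accepts_swap": verify(swapped, entry, ["toy"]),
        "toy_plus_sha256_accepts_swap": verify(swapped, entry, ["toy", "sha256"]),
        "toy_plus_sha256_accepts_reviewed": verify(reviewed, entry, ["toy", "sha256"]),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The collision survives the appended suffix because both files reach the same chaining state after the first block and every later block, including the length padding, is identical; the independent SHA-256 entry is what tells them apart.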
tomstdenis n00b
Joined: 14 Jul 2004 Posts: 11
|
Posted: Wed Sep 29, 2004 3:44 am Post subject: |
|
|
Pwnz3r wrote: | I think that this is another example of the side-effects of illogical paranoia. |
Except that the attack is in fact real.
Tom |
tomstdenis n00b
Joined: 14 Jul 2004 Posts: 11
|
Posted: Wed Sep 29, 2004 3:44 am Post subject: |
|
|
Pwnz3r wrote: | RyanBarnard wrote: | Thanks for the answers everybody! |
You are welcome. Also, you may now feel safe again knowing that it will take someone with no life to do this. lol |
How so? That's like windows is safe because "people with no lives write viruses".
Tom |
tomstdenis n00b
Joined: 14 Jul 2004 Posts: 11
|
Posted: Wed Sep 29, 2004 3:48 am Post subject: Re: how is this worse for Gentoo |
|
|
KrispyKringle wrote: | On the other hand, I personally would judge (this is all subjective, of course; it's moderately difficult to judge the mathematical probability of generating a usable collision, and entirely impossible to |
Here's the point though. The collision can be in the middle, beginning or end. It can be just some random data for all the attacker concerns.
E.g.
header == shell script
vec1,vec2 == raw binary data
payload == two different binary payloads
header + {vec1|vec2} + payload == myinstaller.sh
If you grep sci.crypt you'll see posts about two files that collide. Heck you could even use THOSE SPECIFIC files. All you need is two vectors such that vec1 != vec2 so that when you go to act upon the payload you work differently depending on what vector is in the specific file.
Tom |
tomstdenis n00b
Joined: 14 Jul 2004 Posts: 11
|
Posted: Wed Sep 29, 2004 3:49 am Post subject: |
|
|
Naughtyus wrote: | How is this any worse than other distros which use binaries instead of source? Or how is it worse even from Win32? |
That's not the point.
Tom |
KrispyKringle Retired Dev
Joined: 28 Sep 2004 Posts: 3
|
Posted: Wed Sep 29, 2004 4:14 am Post subject: Re: how is this worse for Gentoo |
|
|
tomstdenis wrote: | All you need is two vectors such that vec1 != vec2 so that when you go to act upon the payload you work differently depending on what vector is in the specific file.
|
So what you're saying is, someone could write a bit of code that, depending on some hidden flag, behaves either as a very useful utility that lots of people will want to download or install, or, alternatively, acts as a rootkit.
Whoop-de-freakin'-do. Welcome to the big bad world of free software, in which we have to trust or vet code ourselves to make sure it doesn't contain a sneaky backdoor (and, yes, this is a very serious concern; I wholeheartedly agree).
What I don't get is what this has to do with MD5 collisions. Yes, you could make that little flag be some random binary data that you alter, but it'd be a whole freakin' lot easier to make it something else; the concern about detection is if someone looks at the code, and that concern is not mitigated if you have
Code:
if(binarydata == vec2){ do_evil_shit(); }
rather than
Code:
if(time > somedate){ do_evil_shit(); }
In other words, the severity of this attack vector is completely irrespective of anything to do with MD5 collisions.
The only time MD5 collisions make this any heightened risk, really is a) if someone r00ts a server holding an already-popular tarball and finds a collision between the existing hash and some evil tarball (which is really unlikely) or b) if someone goes to the trouble of writing a utility that many find useful (something many a fame-whoring dev would love to do already), pads it somehow so that it hashes to a hash known to have a collision with that of some evil tarball, submits the ebuild to Gentoo, gets it marked stable and adopted by a wide number of users, and then alters the tarball. Frankly, I don't think your average script-kiddie has the patience for that.
I'm not trying to downplay this, and I give you credit for thinking of such a creative attack, but I'd be far more concerned about a more traditional attack on an RSYNC server, or on a dev's machine, and ebuilds being trojaned.
This conversation was interesting, but it's on its way to being wasted air. Unless I'm misunderstanding you, which is entirely possible. It's getting late. ;) |
tomstdenis n00b
Joined: 14 Jul 2004 Posts: 11
|
Posted: Wed Sep 29, 2004 4:29 am Post subject: Re: how is this worse for Gentoo |
|
|
To a certain extent you are right. I think the important thing to note is that the ebuild maintainer (of which there are many many many many untalented ones... such as the one for cpuspeedy...) can run and test the program just fine without any downsides.
Overall it just shows "yet another way" md5sums as a "security" measure is a bad idea. Gentoo really ought to use GPG signatures, really ought to have better audits/standards for scripts, etc...
I only speak as a person who writes software that makes its way into Gentoo's portage from time to time. Sadly I'm not a gentoo specific developer...
Tom |
KrispyKringle Retired Dev
Joined: 28 Sep 2004 Posts: 3
|
Posted: Wed Sep 29, 2004 4:32 am Post subject: but |
|
|
But like I said, there is a much more compelling reason for GPG signatures (hacked RSYNC servers), and much easier attack vectors than this (e.g. submitting backdoored code directly). No point in barring the window if you haven't bothered to lock the door.
If it makes you feel any better, I'm fairly certain that a lot of progress has been made regarding GPG signatures, but I only know this from offhand comments, so I can't really tell you. |