Study: Attacks on package managers
Study: Attacks on package managers
Posted Jul 15, 2008 5:55 UTC (Tue) by afalko (guest, #37028)In reply to: Study: Attacks on package managers by msmeissn
Parent article: Study: Attacks on package managers
All files downloaded from Gentoo have SHA1 and SHA256 sum associated with them. If a file does not match the file the developer was using, the user will receive a digest error and the package manger will not continue. Does any one see any loopholes with this scheme?
Posted Jul 15, 2008 11:17 UTC (Tue)
by Zenith (guest, #24899)
[Link]
Quoting rgmoore further up in the discussion:Study: Attacks on package managers
Someone on Slashdot pointed out a much nastier potential attack. The process is simple:
1. Set up a mirror.
2. Wait for the distro you're mirroring to send out a security update for a package with a remotely exploitable hole.
3. Root the box of everybody who starts to download the updated package.
The mirror can look completely legitimate, because it just passively harvests the IDs of vulnerable computers. You probably want to pass off the job of rooting vulnerable computers to a separate botnet to keep your mirror looking squeaky clean.
So yes, a sort of loophole, but not one you can do much about I would think, besides from the whole "trusted mirrors only" scheme mentioned here in the discussion.
Posted Jul 15, 2008 11:46 UTC (Tue)
by job (guest, #670)
[Link] (1 responses)
Posted Jul 17, 2008 8:08 UTC (Thu)
by hickinbottoms (subscriber, #14798)
[Link]
Study: Attacks on package managers
Are all the ebuilds cryptographically signed now? Last time I checked they were not. So the
reason you needn't worry about the attacks described in the article is that the verifications
aren't there in the first place.
Study: Attacks on package managers
No, they're not signed. This means the SHA1/MD5 checks only protect you from corruption during
the download (or subsequently on disk, before the package has been built).
You can prove this yourself - you can modify the downloaded package and regenerate those
hashes with a "ebuild ... digest" command, so there's no secret to it.
Portage is, I believe, quite vulnerable to compromised mirrors at present. I believe the
groundwork to GPG-signing (not sure if that covers the package only, or whether it includes
the metadata) has been done some time ago, but it's not progressed to the point where that's
utilised yet.