 
Subject: More Helix Code installation problems (go-gnome)
From: Peter W (peterwUSA.NET)
Date: Tue Aug 29 2000 - 09:08:21 CDT


 --Product--

Helix Code Gnome "go-gnome" Web-based installation shell script.

 --Background--

On Aug 19, Alan Cox disclosed problems with Helix Code's install tools.
Helix Code promptly[0] announced fixes for their installer. Presumably
this meant their compiled installer app, because their Web site still
suggests using the Lynx-source-piped-to-sh hack that uses the "go-gnome"
Bourne/awk/gzip script.[1]

 --Problem--

Leaving aside, for now, the issues of using plaintext HTTP to pass data
directly to a shell interpreter,[2] the "go-gnome" shell script[1]
unsafely uses fairly predictable filenames in /tmp (for non-Debian
distributions) and can be used to overwrite any file on the system that
root can clobber with 'cat' if an attacker sets up a symbolic link (it
could be done well in advance of go-gnome being run). I.e., on most boxes,
every file is at risk. Ironically, ftp://ftp.helixcode.com/helix/ suggests
that Helix Code replaced go-gnome at the same time as the new, improved
installer binary announced on Aug 20, yet it suffers the same sort of
problems Helix Code claims to have fixed in the installer binary.[3]

 --Workarounds--

1) Use the manual installation instructions at
   http://www.helixcode.com/desktop/instructions.php3?distribution=manual
   instead of go-gnome. Since Helix Code does not GPG sign their packages,
   you may want to compare checksums with those listed in Helix Code's Aug
   20th announcement.[3] Not that it buys you much, as there doesn't seem
   to be any checksum/signing information embedded in, or protecting, the
   XML package information files. But it's a start.

2) Apply the attached patch to the go-gnome script. This patch
   was developed against the 33308 byte go-gnome script available, as of
   this writing, at ftp://ftp.helixcode.com/helix/ & http://go-gnome.com/
   (e.g. 'lynx -source http://go-gnome.com/ > /safe/path/go-gnome')
   By the time you retrieve and patch the script, you're better off just
   using the manual installation instructions. See workaround #1.

 --Vendor response--

While I've publicly written about this as early as June, I only emailed
Helix Code last week about the problem, explaining the issue, and
providing the patch I have resent here. They have not so much as
acknowledged my messages, let alone discussed the problem.

 --But, isn't Helix Gnome still "Beta" code?--

Usually I'm among the first to gripe about "advisories" exposing problems
in beta code. And Helix Code sometimes suggests their code is beta (the
CDs I've seen are labeled "Preview Two"). But the Helix Code Web site
boasts that their bits are "stable, up-to-date", and, more importantly,
Linux mailing list traffic suggests that a *lot* of folks are trying Helix
Code Gnome. And Nat & co. are getting their share of attention by the US
media. So it's time for Helix Code to start taking security more
seriously.

 --Suggestions--

We've heard many arguments about why Microsoft Windows has historically
been more vulnerable to viruses than Unix-like systems, and some boil down
to the notion that Unix users know better. This argument weakens as Linux
use expands to the non-geek crowd. One of the main goals (and an admirable
one) of Helix Code is to make Unix and Linux desktops more usable. But the
lynx install hack trades security for a 30 second gain in installation
speed. It encourages unsafe practices. If Helix Code's target audience is
as new to computers as their site suggests ('Note that the | character
above is the "pipe" symbol, obtained by pressing SHIFT-\ on most
keyboards'[1]), then these are exactly the folks who should not be taught
such risky parlor tricks.

IMO, Helix Code ought to completely stop providing and advocating the lynx
hack. Tell people how to get the proper installer package. Show them how
to use 'md5sum' to check the package integrity. Put download information
on an https server. Start GPG signing your packages. Etc. Compared to the
effort required to make a first-rate desktop environment (and the recent
Helix Code Gnome apps I've seen do look very nice), the effort required to
improve distribution and installation security is minimal.

Safer systems & safer admins are more valuable than faster installs.

-Peter

[0] Not promptly after Alan emailed them, but after Alan publicly
    disclosed the problems.

[1]
http://www.helixcode.com/desktop/instructions.php3?distribution=gognome

[2] There are many points where the `lynx -source http://go-gnome.com/`
    fetch could be subverted. An https:// server would at least
    authenticate the identity of "go-gnome.com" but, no. <sigh>

[3] http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-08-15&msg=200008200739.DAA25668@trna.helixcode.com
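The following is an added illustration of the two points above, the predictable-/tmp-name symlink problem from the --Problem-- section and the md5sum check recommended under --Suggestions--; it is not code from go-gnome or from Helix Code. The file names, the scratch directory standing in for /tmp, and the "victim" file standing in for a root-owned file are all constructed for the demo; nothing here touches the real /tmp or needs root.

```sh
#!/bin/sh
# Added example, not part of the advisory or of go-gnome.
# Contrasts a script that writes to a guessable name in a shared directory
# (the pattern the advisory describes) with one that uses a private
# mktemp(1) directory and refuses to write through anything pre-existing,
# then shows the md5sum gate the advisory suggests for downloaded packages.

# Vulnerable pattern: the name under the shared dir is predictable, and
# 'cat >' happily follows a symlink an attacker planted there earlier.
unsafe_write() {            # $1 = shared dir (think /tmp), $2 = guessable name
    cat > "$1/$2"           # if $1/$2 is a symlink, its target gets clobbered
}

# Hardened pattern: a fresh 0700 directory with an unguessable name, so no
# one else can pre-populate it (mktemp -d already creates it 0700).
safe_dir() {                # $1 = parent dir; prints the new private dir
    d=$(mktemp -d "$1/go-gnome.XXXXXX") || return 1
    chmod 700 "$d"
    printf '%s\n' "$d"
}

# Belt and braces: even inside the private dir, never write through a path
# that already exists, and never through a symlink (dangling ones included).
safe_write() {              # $1 = private dir, $2 = file name
    f="$1/$2"
    if [ -e "$f" ] || [ -L "$f" ]; then
        echo "refusing to write through existing path $f" >&2
        return 1
    fi
    (umask 077; cat > "$f")
}

# Checksum gate: compare against the value the vendor published before
# running anything that was fetched over plaintext HTTP.
verify_md5() {              # $1 = file, $2 = expected md5 in hex
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Demo 1: attacker plants a symlink at the predictable name in advance;
# the installer later writes there and the "victim" file is overwritten.
demo_symlink_attack() {
    scratch=$(mktemp -d) || return 1            # stands in for /tmp
    victim="$scratch/victim"                    # stands in for a root-owned file
    echo "original" > "$victim"
    ln -s "$victim" "$scratch/go-gnome-12345"   # planted before the script runs
    echo "attacker-controlled" | unsafe_write "$scratch" go-gnome-12345
    cat "$victim"                               # prints attacker-controlled
    rm -rf "$scratch"
}

# Demo 2: same attack against the hardened version. Even in the worst case
# where the attacker somehow got a symlink into the private dir, the
# existence/symlink check refuses to write through it.
demo_hardened() {
    scratch=$(mktemp -d) || return 1
    victim="$scratch/victim"
    echo "original" > "$victim"
    d=$(safe_dir "$scratch") || return 1
    ln -s "$victim" "$d/payload"                # assume the name was guessed
    echo "attacker-controlled" | safe_write "$d" payload || true
    cat "$victim"                               # still prints original
    rm -rf "$scratch"
}

echo "predictable name: victim now reads '$(demo_symlink_attack)'"
echo "mktemp + checks:  victim still reads '$(demo_hardened)'"
```

The two demos run as an ordinary user against a scratch directory; the real go-gnome is run as root against /tmp, which is what turns the same mistake into a write to any file on the system. Note that mktemp's random name only helps because the directory is created 0700 by the script itself; dropping files into /tmp with a "random" name but a shared parent would still leave the race the advisory describes.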