From: Andrew Griffiths (andrewg_at_d2.net.au)
Date: Thu Aug 29 2002 - 06:18:11 CDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Product: rpm
    Version tested: 4.0.4

    Description
    -----------

            rpm is a powerful Package Manager, which can be used to
    build, install, query, verify, update, and erase individual
    software packages. A package consists of an archive of files
    and meta-data used to install and erase the archive files.
    The meta-data includes helper scripts, file attributes, and
    descriptive information about the package. Packages come in
    two varieties: binary packages, used to encapsulate software
    to be installed, and source packages, containing the source
    code and recipe necessary to produce binary packages.

    Problem
    -------

            rpm --checksig (rpm -K) verifies a package's GPG signature against
    the user's ordinary gpg keyring and reports "gpg OK" for a good signature
    from any key in that keyring, without saying whose key it was. A user can
    therefore be tricked into thinking a package came from a trusted source
    whenever the attacker's public key ends up in the same gpg database that
    verifies signed rpm packages. That happens, for example, if the user has
    gpg set up to automatically fetch unknown keys from a keyserver (and the
    attacker knows this, or simply targets a majority of users), or if the
    attacker first initiates a conversation with the victim and the victim
    imports the attacker's public key.

    Example
    -------

    [andrewg@blackhole rpmzap]$ wget ftp://ftp.planetmirror.com/pub/redhat/redhat-7.3/en/os/i386/RedHat/RPMS/xloadimage-4.1-21.i386.rpm
    --22:18:59--  ftp://ftp.planetmirror.com/pub/redhat/redhat-7.3/en/os/i386/RedHat/RPMS/xloadimage-4.1-21.i386.rpm
               => `xloadimage-4.1-21.i386.rpm'
    Connecting to 127.0.0.1:3128... connected!
    Proxy request sent, awaiting response... 200 OK
    Length: 141,295 [audio/x-pn-realaudio-plugin]

        0K -> .......... .......... .......... .......... .......... [ 36%]
       50K -> .......... .......... .......... .......... .......... [ 72%]
      100K -> .......... .......... .......... .......                [100%]

    22:18:59 (6.74 MB/s) - `xloadimage-4.1-21.i386.rpm' saved [141295/141295]

    (
    Here, I have done a squid redirection to insert the trojaned file.

    We verify the downloaded RPMs as described on Red Hat's GPG pages as of
    Thu Aug 22 10:59:09 EST 2002, with rpm --checksig, or its equivalent,
    rpm -K.

    http://www.redhat.com/solutions/security/news/publickey.html
    http://www.redhat.com/solutions/security/news/betapublickey.html

    Both listed rpm --checksig as the way to verify an rpm package.

    Also, a lot of other distros recommend --checksig to verify. Some
    documentation needs to be updated.
    )

    [andrewg@blackhole rpmzap]$ rpm -K xloadimage-4.1-21.i386.rpm
    xloadimage-4.1-21.i386.rpm: md5 gpg OK

    (Everything looks fine... but..)

    [andrewg@blackhole rpmzap]$ rpm -K xloadimage-4.1-21.i386.rpm -vv
    D: Expected size: 141295 = lead(96)+sigs(248)+pad(0)+data(140951)
    D: Actual size: 141295
    xloadimage-4.1-21.i386.rpm:
    MD5 sum OK: 2bd4c89da85d38f279974d3707e721e3
    gpg: Signature made Mon 19 Aug 2002 20:07:22 EST using DSA key ID 5A98A001
    gpg: Good signature from "Andrew Griffiths (...) <nullptr@tasmail.com>"
    [andrewg@blackhole rpmzap]$

    (Not signed by Red Hat... but the victim most likely doesn't think to
    check _who_ signed it.)

    Fix(es)
    -------

    - Separate gpg keyring for rpm.
            For your ${HOME}, do something like:
                    mkdir ${HOME}/.gpg-rpm
                    chmod 700 ${HOME}/.gpg-rpm
                    gpg --homedir ${HOME}/.gpg-rpm --import RPM-GPG-KEY

            Now edit ${HOME}/.rpmmacros, and add/modify:
                    %_signature gpg
                    %_gpg_path _your_home_dir_here/.gpg-rpm

            This way the keyring used to verify packages contains only the
            vendor keys you deliberately imported into it, and rpm will
            automatically use the new setup for its checks.

    Otherwise, the fix is to wait for RPM 4.1, which addresses the problem.

    Workarounds
    -----------

    - rpm could parse gpg's output and print the signing key's name by
    default.

    - Whenever you check packages, use --checksig -vv (or -v) so that you
    see gpg's own output, including who made the signature, and confirm
    that the signer is the key you expect.
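The two workarounds above (read gpg's own output, and check who signed) can be combined into one check. The script below is an added example, not code from the advisory, from Red Hat or from the rpm project: a POSIX shell wrapper that treats rpm's "gpg OK" as necessary but not sufficient, and additionally requires the signing key ID, taken from the gpg output that `rpm -K -v` passes through, to be on an explicit allowlist. The allowlisted key ID A1B2C3D4, the vendor and "Mallory" user IDs and the three sample outputs are constructed for the example; only the xloadimage file name, the md5 and key ID 5A98A001 come from the transcript above.

```shell
#!/bin/sh
# Added example (not from the advisory or from rpm): accept a package only
# if gpg reports a good signature AND the signing key ID is allowlisted,
# instead of trusting whatever happens to be in the gpg keyring.

# Key IDs allowed to sign packages, space separated. A1B2C3D4 is a
# constructed placeholder; replace it with the ID gpg prints for the
# vendor key you imported (see `gpg --list-keys`).
TRUSTED_KEY_IDS="A1B2C3D4"

# check_signer ALLOWLIST
#   Reads `rpm -K -v` output on stdin and prints the signing key ID.
#   Returns 0 if gpg reported a good signature from an allowlisted key,
#           1 if the signature is good but the key is not on the list,
#           2 if no gpg signature was verified at all.
check_signer() {
    allow=$1
    out=$(cat)

    # gpg's "Good signature" line is what rpm summarises as "gpg OK";
    # a BAD signature, or no gpg block at all, is rejected outright.
    if ! printf '%s\n' "$out" | grep -q '^gpg: Good signature from'; then
        echo "no valid gpg signature found" >&2
        return 2
    fi

    # Pull the key ID out of "gpg: Signature made ... using DSA key ID XXXXXXXX".
    key_id=$(printf '%s\n' "$out" |
        sed -n 's/.*using [A-Za-z]* key ID \([0-9A-Fa-f]*\).*/\1/p' | head -n 1)
    if [ -z "$key_id" ]; then
        echo "could not determine signing key ID" >&2
        return 2
    fi

    case " $allow " in
        *" $key_id "*)
            echo "signed by trusted key $key_id"
            return 0 ;;
        *)
            echo "signed by UNTRUSTED key $key_id (good signature, wrong signer)" >&2
            return 1 ;;
    esac
}

# verify_rpm PACKAGE
#   Runs rpm -K -v and applies check_signer. Assumes rpm 4.0.x with its
#   external gpg; -v makes rpm pass gpg's own output through.
verify_rpm() {
    rpm -K -v "$1" 2>&1 | check_signer "$TRUSTED_KEY_IDS"
}

# Constructed sample outputs for offline use. The first is modelled on the
# -vv transcript in the advisory: a good signature, but from the attacker's
# key (5A98A001), so rpm alone would happily say "md5 gpg OK".
ATTACKER_OUTPUT='xloadimage-4.1-21.i386.rpm:
MD5 sum OK: 2bd4c89da85d38f279974d3707e721e3
gpg: Signature made Mon 19 Aug 2002 20:07:22 EST using DSA key ID 5A98A001
gpg: Good signature from "Mallory <mallory@example.com>"'

# What the same package would look like signed by the allowlisted vendor
# key (constructed; A1B2C3D4 and the uid are placeholders).
VENDOR_OUTPUT='xloadimage-4.1-21.i386.rpm:
MD5 sum OK: 2bd4c89da85d38f279974d3707e721e3
gpg: Signature made Mon 19 Aug 2002 20:07:22 EST using DSA key ID A1B2C3D4
gpg: Good signature from "Example Vendor <security@vendor.example>"'

# An unsigned package only gets an md5 line from rpm (constructed).
UNSIGNED_OUTPUT='xloadimage-4.1-21.i386.rpm:
MD5 sum OK: 2bd4c89da85d38f279974d3707e721e3'

# `sh thisscript.sh --demo` runs the two constructed cases; the attacker's
# package is rejected with status 1, the vendor's is accepted.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$ATTACKER_OUTPUT" | check_signer "$TRUSTED_KEY_IDS"
    printf '%s\n' "$VENDOR_OUTPUT"   | check_signer "$TRUSTED_KEY_IDS"
fi
```

In real use, source the script and call `verify_rpm package.rpm`. One caveat: an 8-hex-digit key ID is only the low 32 bits of the key fingerprint, so for a stronger check compare the full fingerprint (gpg --fingerprint) of the signing key, or better, use the separate keyring from the Fix(es) section so that only vendor keys can produce a "Good signature" in the first place.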

    Notes
    -----

    - Red Hat Network isn't vulnerable to this issue, as it uses a setup
    like the one above.

    - Future versions of RPM (4.1) will not be using gpg externally, but
    will maintain the keys used for verification internally.

    - Following notification to Red Hat, they updated their verification
    instructions to include the use of the -v flag.

    - Following notification to OpenPKG, they updated their security page and
    their security advisory page.

    - SuSE recommends verifying with rpm -v --checksig file.rpm. They were not
    contacted.

    - Caldera didn't appear to offer a gpg signature to verify the rpms. They
    also didn't have a public key to encrypt reports to them.

    Greets
    ------

    zen-parse - http://mp3.com/cosv
    jaguar
    remedy
    sharrad - http://go.to/innerdreams
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

    iEYEARECAAYFAj1uAvIACgkQoAeEnVqYoAH4vwCeLbmG8/HNKOtLpv+zmxIYPiJg
    EoAAoKxgfHlAwIfMpgBFUI1GAfG+Zggm
    =q3lj
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html