interesting. =jay
Trust Issues with RH and Debian Package Managers
------------------------------------------------

SUMMARY

"Magic Lantern" supposedly allows an FBI agent to access a computer without requiring any physical access to it. The exact method is not yet known, but rumors talk about some hacking work done while the program "installs" itself on the target machine. The following is a proposed method on how this might work, and is brought to the public's view in order to make it clear how easy it currently is to create such a program.

DETAILS

To test the feasibility of such a scheme you need to set up a stock Debian 2.2r3 box and a stock Red Hat 7.2 box. Both should be based on the installation CDs produced at least a few months ago, so they will both be vulnerable to the wu-ftpd exploit and would need to be upgraded for production use.

The goal is simple: to play the part of the FBI, and trick our machines into accepting a trojaned version of the new wu-ftpd package.

First, we set up a transparent proxy on our gateway box, which is used to split our cable modem connection amongst our connecting machines. We used a program called "squirm" <http://squirm.foote.com.au/> to rewrite URLs ending in .deb or .rpm so that they would be redirected to the local web server, from which the trojaned .deb and .rpm files would be served.

Second, we produced trojaned .deb and .rpm files. The .deb file was trivial to modify, as only a checksum stood between us and a valid hacked version. The .rpm was a bit more difficult, because Red Hat signs their packages with a PGP key. However, once we rebuilt the package and did not sign it with PGP, we had a fixed package.

Third, we went to the Debian box and typed 'apt-get update ; apt-get upgrade'. After a few routine prompts, none of which triggered security alerts, the box was rooted by our "custom" package.

Fourth, we went to the Red Hat box and did an 'rpm -U' pointed at the updates.redhat.com server.
We got the trojaned RPM back, with no warning or prompt that it hadn't been signed. In addition, we had an ftp server with a new backdoor up in a matter of minutes.

To summarize, the FBI can easily set up a transparent proxy between you and the Internet, and trick your OS into installing malware. You are damned if you do and you are damned if you don't, because you need to download the wuftpd-of-the-week sometime.

As a matter of comparison, our Windows 2000 box has no such vulnerability. The first time we went to Windows Update, we checked the box that said, "Always trust content from Microsoft Corporation." Therefore, only Microsoft's real certificate will be accepted by our machine. Even if the FBI forces Verisign to issue an impostor certificate, it will be detected and thwarted.

Linux distributions need to band together and find a trusted individual who will be responsible for signing all packages and verifying that they do not contain backdoors. That is the only way to solve this issue. This is a serious issue for Linux users and we believe it should have been addressed years ago. That said, now is not too late and definitely not too early. We look forward to seeing this feature in all future releases of the major Linux distributions.

ADDITIONAL INFORMATION

The information has been provided by dfeldman.

This bulletin is sent to members of the SecuriTeam mailing list.
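The bulletin's two findings come down to client-side verification policy: the Debian client of the day checked a checksum that the proxy could rewrite along with the package, and the Red Hat client verified signatures only when one was present, so an unsigned rebuild sailed through. The script below is an added illustration written for this page; it is not code from SecuriTeam, Debian, Red Hat or dfeldman. The archive, the URL-rewriting "proxy", the package bytes and the signing key are all constructed here so it runs offline, and textbook RSA over two Mersenne primes stands in for the PGP signature a real archive uses. The only property the demonstration needs is that a party without the private key cannot produce a signature that verifies under the key the client has pinned.

```python
"""Three update-client verification policies against a proxy that swaps packages.

Added illustration for the SecuriTeam bulletin; not code from any distribution.
Everything here (archive, proxy, package bytes, key) is constructed for the demo.
"""
import hashlib
import json

# --- toy signing key (constructed; far too small for real use) ---------------
P = 2**127 - 1                       # Mersenne prime M127
Q = 2**89 - 1                        # Mersenne prime M89
N = P * Q
E = 65537                            # coprime to (P-1)(Q-1): 32 divides neither 126 nor 88
D = pow(E, -1, (P - 1) * (Q - 1))    # modular inverse; needs Python 3.8+
ARCHIVE_PUBLIC_KEY = (N, E)          # what a client pins at install time


def _digest_int(data: bytes) -> int:
    """SHA-256 of the data, reduced into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes, private_exponent: int = D) -> int:
    """Textbook RSA signature (stand-in for the archive's PGP key)."""
    return pow(_digest_int(data), private_exponent, N)


def verify(data: bytes, signature: int, public_key=ARCHIVE_PUBLIC_KEY) -> bool:
    """True only if the signature was produced with the private half of the pinned key."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- what the archive publishes ---------------------------------------------
def publish(package: bytes) -> dict:
    """Archive side: the package, a manifest carrying its checksum, and a signature over the manifest."""
    manifest = json.dumps({"name": "wu-ftpd", "sha256": sha256_hex(package)}).encode()
    return {"package": package, "manifest": manifest, "signature": sign(manifest)}


# --- what a URL-rewriting proxy can do ---------------------------------------
def proxy_substitute(response: dict, trojaned: bytes) -> dict:
    """Proxy side: swap the package and rewrite the checksum to match.
    It holds no signing key, so the best it can do is ship the result unsigned
    (the bulletin's rebuilt-without-PGP RPM)."""
    manifest = json.dumps({"name": "wu-ftpd", "sha256": sha256_hex(trojaned)}).encode()
    return {"package": trojaned, "manifest": manifest, "signature": None}


# --- three client policies ---------------------------------------------------
def checksum_only(resp: dict) -> bool:
    """Checksum matches an unauthenticated manifest: the bulletin's Debian case."""
    return sha256_hex(resp["package"]) == json.loads(resp["manifest"])["sha256"]


def signature_optional(resp: dict) -> bool:
    """Verify only when a signature is present: the bulletin's 'rpm -U' case."""
    if resp["signature"] is None:
        return checksum_only(resp)   # silently degrades to checksum-only
    return verify(resp["manifest"], resp["signature"]) and checksum_only(resp)


def signature_required(resp: dict) -> bool:
    """A missing or bad signature under the pinned key is a hard failure."""
    if resp["signature"] is None:
        return False
    return verify(resp["manifest"], resp["signature"]) and checksum_only(resp)


def run_scenario() -> dict:
    """Returns, per policy, (genuine package accepted, proxy-substituted package accepted)."""
    genuine = b"wu-ftpd-2.6.1 (constructed stand-in for the real package bytes)"
    trojaned = b"wu-ftpd-2.6.1 (constructed stand-in, with an extra backdoor)"
    clean = publish(genuine)
    swapped = proxy_substitute(clean, trojaned)
    return {
        "checksum_only": (checksum_only(clean), checksum_only(swapped)),
        "signature_optional": (signature_optional(clean), signature_optional(swapped)),
        "signature_required": (signature_required(clean), signature_required(swapped)),
    }


if __name__ == "__main__":
    for policy, (clean_ok, swapped_ok) in run_scenario().items():
        print(f"{policy:20s} genuine accepted={clean_ok}  trojaned accepted={swapped_ok}")
```

Only the third policy distinguishes the archive's package from the proxy's: both of the behaviours the bulletin observed are reproduced by the first two, which accept the substituted package without any error. Note that the fix is in the client's policy (signature mandatory, key pinned before the first update), not in the transport, since the proxy in the bulletin sits on the same path the updates take.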
Bits mailing list: http://www.sugoi.org/mailman/listinfo/bits
