So, this is an exploit then ? Or just a broken package ? Some people would simply not understand that,your very techy :P Anyhow, making a small .sh file for the bug would be cool.. if there is a bug to be had. cheers
On 22 September 2011 22:03, Georgi Guninski <[email protected]> wrote: > # grep -rniI 'apt-key' /etc 2>/dev/null > /etc/cron.daily/apt:444: if eval apt-key net-update $XSTDERR; then > /etc/cron.daily/apt:445: debug_echo "apt-key net-update (success)" > /etc/cron.daily/apt:447: debug_echo "apt-key net-update (failure)" > > i suppose this effectively breaks vanilla "apt-get update" after cron is > helped by MITM. > > the certs were verified to work after installed by apt-key net-update. > > -- > joro > > On Thu, Sep 22, 2011 at 12:07:08PM +0300, Georgi Guninski wrote: > > owning ubuntu apt-key net-update (maybe apt-get update related) > > > > in ubuntu 10.04 in /usr/bin/apt-key in > add_keys_with_verify_against_master_keyring() > > > > if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | > grep ^sig | cut -d: -f5 | grep -q $master_key; then > > $GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export > $add_key | $GPG --import > > ADDED=1 > > > > > > to my knowledge --list-sigs doesn't do crypto verification, just looks > for well formedness. > > > > it is trivial to generate a gpg key with key ID == $master_key: > > set gpg version to 3, set the lowest 64 bits of the RSA $n$ to the key > ID, generate random high bits until one can trial factor $n$ (numerology is > on your side), this is it. > > > > to reproduce: > > attached is ubuntu-archive-keyring.gpg. > > put it on http://A/ubuntu-archive-keyring.gpg > > make a copy of apt-key and set: > > ARCHIVE_KEYRING_URI=http://A/ubuntu-archive-keyring.gpg > > ^ this emulates MITM. > > do |./apt-key-new net-update| and check for new keys with |apt-key list| > > > > this might or might not be related with |apt-get update|. > > > > 10x. > > > > -- > > joro > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
