> Dear GnuPG devs, I’m not a GnuPG dev but I’ll take a stab:
> I wanted to point out a potential security concern about gpg-agent. NOTABUG / WONTFIX. The instant you execute compromised code, you enter a catastrophic and unrecoverable game over state. > In my opinion there should be additional checks, e. g. a restriction of > allowed pinentry paths (e. g. only /usr/bin and /usr/local/bin), > ownership checks (e. g. only allow binaries owned by root) or > warnings, when a non-standard pinentry-program setting is used. What do > you think? Werner has already explained why your proposed fix won’t work. I think it’s significantly worse than “it won’t work”. I think it’s, “it won’t work even against the toy attacker it’s designed for." If I were toy attacker, my malware would deploy its own gpg-agent which lacked these checks, edit your .profile to add ‘alias gpg-agent=$HOME/.hidden/gpg-agent’, kill the existing gpg-agent, and start the new one. Wham, your ‘fix’ is completely bypassed in a persistent way. As Werner says, game over. I’m actually lying through my teeth there, because if I’m the malware author I would not be a toy threat. I wouldn’t deploy on your machine without a local privilege escalation, at which point I can replace system binaries. The GnuPG suite gets subverted, as does AppArmor/selinux, your syslog gets compromised, my own malicious SSL cert goes into your system cache, multipath persistence gets enabled, beacons set, the whole nine yards. Yes, there’s a lot of mayhem you can do from an unprivileged account. But the real mayhem starts with an LPE. This is why among CNO professionals the overwhelming opinion is to not even attempt for unprivileged access unless you have an LPE and a tailored exploitation plan that completely specifies actions on target: initial access -> LPE -> counterforensics -> persistence -> beaconing and future access -> forensics -> data exfiltration -> lateral exploration and network discovery -> reconnaissance reporting -> counterforensics -> exit. Different shops may order exploitation events differently, but that basic progression would be recognized as being a pretty standard exploitation plan. Please read either the Lockheed killchain paper or the Pols killchain paper: https://www.unifiedkillchain.com/assets/The-Unified-Kill-Chain.pdf Let that motivate your future thinking on how best to defend from attacks.
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ Gnupg-users mailing list [email protected] https://lists.gnupg.org/mailman/listinfo/gnupg-users
