Bug#442180: d-i preseed method allows for remote cmd exec. in combination with DNS hijacking

2007-09-14 Thread Robert Millan
severity 442180 wishlist
retitle 442180 make the network mode work securely
thanks

It should be noted that this bug applies only to the customized build used in
http://goodbye-microsoft.com/, and not to the version of win32-loader in Debian
(where network shouldn't be used at all).  Nevertheless I'd like to use the BTS
facilities to track this kind of thing, since it still applies to the source
code of win32-loader even if not used in Debian CDs.

On Thu, Sep 13, 2007 at 08:24:41PM -0400, Joey Hess wrote:
> Moritz Naumann wrote:
> > The default boot option used by this package contains the following:
> > preseed/url=http://goodbye-microsoft.com/runtime/preseed.cfg
> 
> There is a compile time option (NETWORK_BASE_URL) that can enable this,
> and maybe it's enabled on the goodbye-microsoft.com version (didn't check),
> but that is not a Debian website. The option is not used in the version
> of win32-loader included in Debian.
> 
> BTW, if you can use DNS hijacking to spoof
> http://goodbye-microsoft.com/runtime/preseed.cfg , it may be easier to
> simply spoof http://goodbye-microsoft.com/pub/debian.exe . Then you can
> use a platform that is demonstrably superb at running virii and
> botnets. :-)
> 
> (d-i preseeding does support specifying the md5sums of preseed files.)

As Joey pointed out, the whole process is inherently insecure.  It should
come as no surprise; you can see that as soon as you see http:// instead of
https:// and Windows starts complaining about unsigned executables.

I would welcome a complete [1] solution to make this process secure (well, as
much as it can be, since you can't escape trusting Microsoft code), provided
that the solution doesn't involve me paying $1000/year for an SSL website+code
certificate.  This can either mean SPI sponsorship, a yearly donation or
(PREFERABLY) a patch for win32-loader to use a saner [2] scheme such as gnupg.

[1] as it stands now, fixing specific problems without getting the whole trust
chain to work is rather pointless
[2] http://kitenet.net/~joey/joeyca/

-- 
Robert Millan

GPLv2 I know my rights; I want my phone call!
DRM What use is a phone call, if you are unable to speak?
(as seen on /.)



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#442180: d-i preseed method allows for remote cmd exec. in combination with DNS hijacking

2007-09-13 Thread Moritz Naumann
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package: win32-loader
Version: 0.6.0~pre3
Severity: critical
Tags: security
Justification: root security hole

The default boot option used by this package contains the following:
preseed/url=http://goodbye-microsoft.com/runtime/preseed.cfg

As seen when inspecting the document available at this URL this boot
option is used to run a given command by the time of the installation
of Debian GNU/Linux. The command to be run (as root) is retrieved from
the document available at the given URL.

If an attacker is able to hijack or otherwise influence the DNS server
used when Debian GNU/Linux is installed using win32-loader, she may be
able to run any command that is available on the system to be installed
as root by redirecting requests to a different web server which provides
a given arbitrary command at the same URL.

On a side note, a default setting making users take part in a statistical
analysis and gathering users' requests in a single location can be
considered a privacy risk or issue. (This is the same for suggesting to
install Firefox with the Google toolbar but that's a completely different
story.)

I'm looking forward to seeing this software mature (even further).

Moritz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG6aTmn6GkvSd/BgwRCk7RAJ0etU8gzz8Pg68WpPFiEzz39XkrEACfSm9Q
GNLRj5k8J4PDtuP+vttJ/hg=
=0zuX
-----END PGP SIGNATURE-----






Bug#442180: d-i preseed method allows for remote cmd exec. in combination with DNS hijacking

2007-09-13 Thread Otavio Salvador
Moritz Naumann [EMAIL PROTECTED] writes:

> If an attacker is able to hijack or otherwise influence the DNS server
> used when Debian GNU/Linux is installed using win32-loader, she may be
> able to run any command that is available on the system to be installed
> as root by redirecting requests to a different web server which provides
> a given arbitrary command at the same URL.

One possible way for fixing it is to use md5sum of the preseeding file
and ask d-i to check it.

-- 
O T A V I O    S A L V A D O R
-
 E-mail: [EMAIL PROTECTED]  UIN: 5906116
 GNU/Linux User: 239058 GPG ID: 49A5F855
 Home Page: http://otavio.ossystems.com.br
-
Microsoft sells you Windows ... Linux gives
 you the whole house.



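The following is an added example written for this page, not code from win32-loader or debian-installer. It models the two things the thread is about: the attack Moritz reports (a DNS answer that points preseed/url at a server the attacker controls, so the late_command in that file runs as root) and the mitigation Otavio proposes (pinning an md5sum of the preseed file in the boot parameters, which is what d-i's preseed/url/checksum does). The preseed contents, the RFC 5737 test addresses, the in-memory "resolver" and "web server", and the kernel command lines are all constructed for the demonstration; the md5 of the legitimate file is computed in place rather than copied from anywhere.

```python
"""Pinned preseed checksum vs. a DNS-hijacked preseed/url (constructed demo)."""
import hashlib
import hmac
import shlex
from urllib.parse import urlparse

# Constructed stand-ins for what each web server returns for /runtime/preseed.cfg.
# The legitimate file runs a harmless command; the attacker's file runs whatever
# the attacker likes, as root, at the end of the installation.
LEGIT_PRESEED = (
    "d-i preseed/late_command string "
    "in-target wget -q -O /dev/null http://goodbye-microsoft.com/runtime/stats\n"
)
HIJACKED_PRESEED = (
    "d-i preseed/late_command string "
    "in-target sh -c 'echo attacker:x:0:0::/root:/bin/sh >> /etc/passwd'\n"
)
# address -> body: what an HTTP fetch of the preseed URL gets from that host
WEB = {
    "203.0.113.10": LEGIT_PRESEED,     # real server (RFC 5737 test address)
    "198.51.100.7": HIJACKED_PRESEED,  # attacker's server (RFC 5737 test address)
}
HONEST_DNS = {"goodbye-microsoft.com": "203.0.113.10"}
HIJACKED_DNS = {"goodbye-microsoft.com": "198.51.100.7"}

PRESEED_URL = "http://goodbye-microsoft.com/runtime/preseed.cfg"
# The site operator computes this once and bakes it into the boot parameters
# next to preseed/url; the installer then refuses any file that does not match.
GOOD_MD5 = hashlib.md5(LEGIT_PRESEED.encode()).hexdigest()

CMDLINE_NO_CHECK = f"auto=true preseed/url={PRESEED_URL}"
CMDLINE_CHECKED = (
    f"auto=true preseed/url={PRESEED_URL} preseed/url/checksum={GOOD_MD5}"
)


def parse_cmdline(cmdline):
    """Split a kernel command line into key=value parameters (bare keys -> '')."""
    params = {}
    for token in shlex.split(cmdline):
        key, sep, value = token.partition("=")
        params[key] = value if sep else ""
    return params


def fetch_preseed(url, dns):
    """Stand-in for the installer's HTTP fetch: resolve the host name with the
    given resolver and return whatever the server at that address serves."""
    host = urlparse(url).hostname
    return WEB[dns[host]]


def verify_checksum(body, expected, algo="md5"):
    """Compare the fetched file against the pinned digest.  d-i's
    preseed/url/checksum is an md5sum; 'sha256' is the obvious upgrade."""
    digest = hashlib.new(algo, body.encode()).hexdigest()
    return hmac.compare_digest(digest, expected)


def late_command(body):
    """Return the command d-i would run as root in the installed system."""
    for line in body.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) == 4 and fields[:3] == ["d-i", "preseed/late_command", "string"]:
            return fields[3]
    return None


def install(cmdline, dns):
    """Simulate the preseed stage and report what the installer would do."""
    params = parse_cmdline(cmdline)
    body = fetch_preseed(params["preseed/url"], dns)
    expected = params.get("preseed/url/checksum")
    if expected is not None and not verify_checksum(body, expected):
        return {"ok": False, "command": None,
                "reason": "preseed checksum mismatch; refusing to preseed"}
    # No checksum pinned: the installer trusts whatever DNS and HTTP handed it.
    return {"ok": True, "command": late_command(body),
            "reason": "checksum ok" if expected else "no checksum requested"}


if __name__ == "__main__":
    for label, cmdline, dns in [
        ("honest DNS, no checksum ", CMDLINE_NO_CHECK, HONEST_DNS),
        ("hijacked DNS, no checksum", CMDLINE_NO_CHECK, HIJACKED_DNS),
        ("hijacked DNS, checksum  ", CMDLINE_CHECKED, HIJACKED_DNS),
        ("honest DNS, checksum    ", CMDLINE_CHECKED, HONEST_DNS),
    ]:
        print(label, install(cmdline, dns))
```

The second case is the bug as filed: with no checksum, the hijacked answer is enough to get the attacker's late_command run as root. The third case shows why the md5 pin is sufficient against this particular attack, since the attacker would have to produce a collision for a file the installer already holds the digest of. It also shows the limit Joey points at: the pin lives in the boot parameters, which the same loader supplies, so whoever can replace debian.exe can replace the checksum too, and every edit to the preseed file means rebuilding the loader, which is where a signature rather than a digest becomes the more workable scheme.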



Bug#442180: d-i preseed method allows for remote cmd exec. in combination with DNS hijacking

2007-09-13 Thread Holger Levsen
sha*sum please




Bug#442180: d-i preseed method allows for remote cmd exec. in combination with DNS hijacking

2007-09-13 Thread Bastian Blank
On Fri, Sep 14, 2007 at 01:05:24AM +0200, Holger Levsen wrote:
> sha*sum please

Proper signature. rsa-sha256 or so.

Bastian

-- 
I've already got a female to worry about.  Her name is the Enterprise.
-- Kirk, The Corbomite Maneuver, stardate 1514.0






Bug#442180: d-i preseed method allows for remote cmd exec. in combination with DNS hijacking

2007-09-13 Thread Joey Hess
Moritz Naumann wrote:
> The default boot option used by this package contains the following:
> preseed/url=http://goodbye-microsoft.com/runtime/preseed.cfg

There is a compile time option (NETWORK_BASE_URL) that can enable this,
and maybe it's enabled on the goodbye-microsoft.com version (didn't check),
but that is not a Debian website. The option is not used in the version
of win32-loader included in Debian.

BTW, if you can use DNS hijacking to spoof
http://goodbye-microsoft.com/runtime/preseed.cfg , it may be easier to
simply spoof http://goodbye-microsoft.com/pub/debian.exe . Then you can
use a platform that is demonstrably superb at running virii and
botnets. :-)

(d-i preseeding does support specifying the md5sums of preseed files.)

-- 
see shy jo

