Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 2 Apr 2024 01:51:35 -0000 (UTC)
From: Tavis Ormandy <taviso@...il.com>
To: oss-security@...ts.openwall.com
Subject: finding similar compromises (was Re: From xz to ibus: more
 questionable tarballs)

On 2024-04-01, HW42 wrote:
> Hi Jan,
>
> great that you are looking for further problems. (Just to be clear, I'm
> not associated with ibus in any way.)
>

Yes, agreed. In the interests of discussing things in the open after
just complaining about embargoes... :)

It occurred to me that I could grep around in an SKS dump for any keys
that had similar options that Jia Tan used -- algorithm preferences and
so on -- and see if any jumped out as suspicious.

I figure SKS is kinda obscure, so maybe nobody else checked... or maybe
I'm late to the party, or maybe this is obvious -- I'm not an IR guy :)

Here are the options Jia used in his package signing key:

:signature packet: algo 1, keyid 59FCF207FEA7F445
    version 4, created 1672241009, md5len 0, sigclass 0x13
    digest algo 10, begin of digest c9 92
    hashed subpkt 9 len 4 (key expires after 5y0d0h0m)
    hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
    hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
    hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
    hashed subpkt 30 len 1 (features: 01)
    hashed subpkt 23 len 1 (keyserver preferences: 80)
    subpkt 16 len 8 (issuer key ID 59FCF207FEA7F445)
    data: [4096 bits]

That date is:

$ date --utc --date @1672241009
Wed Dec 28 03:23:29 PM UTC 2022

I think the default is 3072 bits and 2y expiry, which has been the
default since 2020:

https://wiki.gnupg.org/LargeKeys

I think they either used gpg --full-generate-key, or maybe a distro that
changes the defaults... does anyone know what distro or software they
might be using?

Grepping around for similar keys created +/- 30 days, I do find a few
with the same word\d\d\d\d@...bar username pattern and the same
gpg options. I found some matching github accounts, but nothing stands
out as suspicious. I also see some marked package signing keys -- e.g.
0x9C2247349FD4213F -- created just one week earlier:

$ date --utc --date @1671644345
Wed Dec 21 05:39:05 PM UTC 2022

Maybe it's nothing, but same algorithm, expiry, key size... maybe
they're using the same distribution?

Anyway, I wasted the afternoon on this :)

Tavis.

-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso@....org
_\_V _( ) _( )  @taviso

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.