Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 29 Apr 2024 19:31:46 -0500
From: Jacob Bachmeyer <>
To: Vegard Nossum <>
CC:, Hank Leininger <>
Subject: Re: Update on the distro-backdoor-scanner effort

Vegard Nossum wrote:
> [...]
> Hi,
> Masquerading a shell command as a pkg-config variable definition is
> trivial (but probably still detectable) since you can just do:
> foobar=/usr echo hi
> which AFAIK is a valid pkg-config variable definition but also a valid
> shell command.

You are correct, but making this a little bit harder for an attacker is 
still an improvement.  Perhaps pkg-config variable values should be 
required to be in quotes if they contain spaces?

The bigger issue is accepting an *-uninstalled.pc in a system directory, 
which means that it actually *has* been installed.  That logic error 
allowed your backdoor to override the real libelf.pc without producing a 
file conflict that the package manager could detect.

> Also remember that in my particular example I reused the same file but
> it would also be trivial to use a different file in the $(...) expansion
> so that the payload actually lives somewhere else.

Agreed, but adding another file to the backdoor increases the chance of 
the attacker getting caught.

> The payload doesn't
> even have to be a shell script, it could also be a small ELF binary or
> something where you wouldn't necessarily be able to tell at a glance
> that it does something malicious.

Also correct, in fact, for a package that actually installs executables, 
a bit of extra code in an otherwise legitimate binary to detect when the 
grandparent is make(1) and drop a backdoor could very likely go 
unnoticed.  (This would be the rogue or compromised distribution 
packager scenario, where the binaries distributed do not match the sources.)

-- Jacob

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.