Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 29 Apr 2024 19:31:46 -0500
From: Jacob Bachmeyer <jcb62281@...il.com>
To: Vegard Nossum <vegard.nossum@...cle.com>
CC: oss-security@...ts.openwall.com, Hank Leininger <hlein@...elogic.com>
Subject: Re: Update on the distro-backdoor-scanner effort

Vegard Nossum wrote:
> [...]
> Hi,
>
> Masquerading a shell command as a pkg-config variable definition is
> trivial (but probably still detectable) since you can just do:
>
> foobar=/usr echo hi
>
> which AFAIK is a valid pkg-config variable definition but also a valid
> shell command.

You are correct, but making this a little bit harder for an attacker is 
still an improvement.  Perhaps pkg-config variable values should be 
required to be in quotes if they contain spaces?

The bigger issue is accepting an *-uninstalled.pc in a system directory, 
which means that it actually *has* been installed.  That logic error 
allowed your backdoor to override the real libelf.pc without producing a 
file conflict that the package manager could detect.

> Also remember that in my particular example I reused the same file but
> it would also be trivial to use a different file in the $(...) expansion
> so that the payload actually lives somewhere else.

Agreed, but adding another file to the backdoor increases the chance of 
the attacker getting caught.

> The payload doesn't
> even have to be a shell script, it could also be a small ELF binary or
> something where you wouldn't necessarily be able to tell at a glance
> that it does something malicious.

Also correct, in fact, for a package that actually installs executables, 
a bit of extra code in an otherwise legitimate binary to detect when the 
grandparent is make(1) and drop a backdoor could very likely go 
unnoticed.  (This would be the rogue or compromised distribution 
packager scenario, where the binaries distributed do not match the sources.)


-- Jacob

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.