[TriLUG] Fwd: Trust issues with RH and Debian package managers

Lisa Lorenzin lorenzin at 1000plus.com
Mon Dec 17 18:11:54 EST 2001 

mike forwarded this to me, and it seemed worth passing on.  magic lantern,
anyone? :(

						lisa

---------- Forwarded message ----------
Date: Fri, 14 Dec 2001 14:14:22 -0800 (PST)
From: dfeldman <dfeldman at ziplip.com>
To: bugtraq at securityfocus.com
Subject: Trust issues with RH and Debian package managers

As an administrator of several Linux boxes at work and at home, I was
wondering whether or not I could be affected by the "Magic Lantern"
program.  The results came in, and quite frankly, I am frightented.

To start, I talked with my colleague's brother, "Joe," who is a criminal
defense attorney.  Joe told me that he has been following the Magic Lantern
debate very closely, because his sources indicate that the FBI will be
using it in many, many cases to prevent the possibility of seizing
equipment with undecryptable data on it.  In fact, it has been rumored that
the proposed new FBI policy regarding searches of premises requires agents
to attempt to use Magic Lantern (which technically counts as a consensual
search) prior to even obtaining a warrant, if the warrant is to seize
computer hardware.

Joe is not very familiar with computer technology, but he did say that a
large part of the Magic Lantern program involves contacting ISPs to allow
the FBI to alter network data destined for the suspect's computer.  I will
take that at face value because they seem to have no problem pulling rank
on ISPs.  I suspect that their "do it or we'll arrest you" attitude plays a
big part in this.

With all of that in mind, I decided to find out just how vulnerable I was.
I set up a stock Debian 2.2r3 box, and a stock Red Hat 7.2 box.  Both used
the installation CDs produced at least a few months ago, so they were both
vulnerable to the wu-ftpd exploit and would need to be upgraded for
production use.

My goal was simple: I needed to play the part of the FBI, and trick my
machines into accepting a trojaned version of the new wu-ftpd package.

First, I set up a transparent proxy on my gateway box, which is used to
split my cable modem connection amongst my home machines and those of
several neighbors.  I used a program called "squirm" to rewrite URLs ending
in .deb or .rpm so that they would be redirected to my local web server,
from which the trojanned .deb and .rpm files would be served.

Second, I produced trojaned .deb and .rpm files.  The .deb file was
trivial to modify, as only a checksum stood between me and a valid hacked
version.  The .rpm was a bit more difficult, because RedHat signs their
packages with a PGP key.  However, once I rebuilt the package and did not
sign it with PGP, I had a fixed package.

Third, I went to the Debian box and typed 'apt-get update ; apt-get
upgrade'.  After a few routine prompts, none of which triggered security
alerts, the box was rooted by my "custom" package.

Fourth, I went to the Redhat box and did an 'rpm -U' pointed at the
updates.redhat.com server.  I got my trojanned RPM back, with no warnings
or prompts to tell me it hasn't been signed.  And I had an ftp server with
a new backdoor up in a matter of minutes.

So, to summarize: the FBI can easily set up a transparent proxy between you
and the Internet, and trick your OS into installing malware.  You're damned
if you do and you're damned if you don't, because you need to download the
wuftpd-of-the-week <i>sometime</i>.

As a matter of comparison, my Windows 2000 box has no such vulnerability.
The first time I went to Windows Update, I checked the box that said
"always trust content from Microsoft Corporation."  Therefore, only
Microsoft's real certificate will be accepted by my machine.  Even if the
FBI forces Verisign to issue an impostor certificate, it will be detected
and thwarted.

[and how long do we think it will be until the fbi forces microsoft to 
sign their trojan for them?  -lisa]

Linux distributions need to band together and find a trusted individual who
will be responsible for signing all packages and verifying that they do not
contain backdoors.  That is the only way to solve this issue.  Personally,
I nominate Eric Raymond, because of his widespread respect from the
community and business leaders alike.  Additionally, he is a staunch
libertarian and would not cave to government pressure to insert backdoors
into something that he has signed.  I believe that by charging the
distribution vendors a small fee per package, ESR can again achieve
financial success for himself and his family.

This is a serious issue for Linux users and I believe it should have been
addressed years ago.  That said, now is not too late and definitely not too
early.  I look forward to seeing this feature in all future releases of the
major Linux distributions.

df

----- End forwarded message -----

More information about the TriLUG mailing list