On Fri, Jul 11, 2008 at 5:17 PM, Matthew Gillen <[hidden email]> wrote:
> Saw this on slashdot:
> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
>
> They make some interesting points, but in the end it's a pretty weak attack,
> and wouldn't work in the real world.

Actually, this appears to be a quite valid attack method, especially if you sit on the network with the machine(s) you want to attack. I think this type of stuff has been discussed previously, but they just did more formal academic research and published it. It wouldn't be too difficult to write a tool that does this, if they haven't already released their code.

> First, I don't think any package manager will "downgrade" without significant
> user intervention, so just providing access to old filelists (and the files
> themselves) is not sufficient to install broken software on a client.

I think the main point is that you are installing valid signed software -- just a more outdated package. In fact, a proof of concept to install an old openssl package would be quite disastrous!!! What I don't understand is why APT doesn't match up the version requested with the DEB info within the package. If I request version 1.2.3, someone MITMs me, and then I receive a valid signed 1.2.0 package, wtf didn't APT say "you bait and switched me dude!!!" and then fail? Hrmm...

> That leaves the DoS attack where you could simply prevent clients from
> upgrading. The problem there is that yum, apt, etc, all use rotating
> mirrors, so a given client would have to somehow keep getting "bad guy"
> mirrors (just once getting to a "good guy" mirror and they get the critical
> updates). You'd have to have a significant number of these "dummy" servers
> to keep clients from updating, and by that point you'd be detected (it would
> be trivial to identify "dummy" servers once you know that you need to look).

Again, dnsspoof wins. Look at how metasploit.com got hijacked recently :-) That could have been a much worse situation for H D Moore, if the LAN attacker was cooler. But hdm is slick and caught the attack within minutes I believe...

--
Kristian Erik Hermansen
-- CISSP, CEPT, CREA, CEH, Linux+, A+, QGCS, ACSA, this is getting ridiculous...
http://kristian-hermansen.com

_______________________________________________
Discuss mailing list
[hidden email]
http://lists.blu.org/mailman/listinfo/discuss
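The two checks the thread argues about, written out as an added example (this is illustrative code, not part of the thread and not APT's or dpkg's own implementation). The first is the "bait and switch" check Kristian asks for: after the hash from the index entry is compared, the Package and Version fields inside the fetched .deb's control.tar.gz are compared with the entry the client actually selected, so a correctly signed but older build served in place of the requested one is rejected rather than installed. The second addresses the replay of a whole older (still validly signed) index, which a per-package hash cannot catch: it treats the Release file's Date and Valid-Until fields as a freshness window and refuses an index older than the last one accepted. Assumptions: signature verification of the index and Release data is taken as already done (the attack's premise is that the signatures are valid); the .deb files are toy archives built in memory with only a control file; the package name, the 1.2.3/1.2.0 versions from the mail, the dates and the hashes are all constructed for the demo.

```python
"""Constructed example: does the .deb we received match the index entry we
requested, and is the index itself a fresh snapshot?  Not APT/dpkg code."""
import hashlib
import io
import tarfile
from datetime import datetime, timezone

AR_MAGIC = b"!<arch>\n"  # a .deb is a plain ar(1) archive


def _ar_member(name: bytes, data: bytes) -> bytes:
    # 60-byte ar header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2)
    hdr = (name.ljust(16) + b"0".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
           + b"100644".ljust(8) + str(len(data)).encode().ljust(10) + b"`\n")
    return hdr + data + (b"\n" if len(data) % 2 else b"")  # members are 2-byte aligned


def _tgz(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_deb(package: str, version: str) -> bytes:
    """Toy .deb laid out like dpkg's: debian-binary, control.tar.gz, data.tar.gz."""
    control = f"Package: {package}\nVersion: {version}\nArchitecture: amd64\n".encode()
    return (AR_MAGIC
            + _ar_member(b"debian-binary", b"2.0\n")
            + _ar_member(b"control.tar.gz", _tgz({"./control": control}))
            + _ar_member(b"data.tar.gz", _tgz({})))


def ar_members(blob: bytes) -> dict:
    """Parse an ar archive into {member name: bytes}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, off = {}, len(AR_MAGIC)
    while off + 60 <= len(blob):
        hdr = blob[off:off + 60]
        name = hdr[:16].rstrip(b" /").decode()  # GNU ar may append '/' to names
        size = int(hdr[48:58])
        members[name] = blob[off + 60:off + 60 + size]
        off += 60 + size + (size % 2)
    return members


def deb_control(blob: bytes) -> dict:
    """Fields of the control file inside the package, i.e. what dpkg would install."""
    ctl = next(v for k, v in ar_members(blob).items() if k.startswith("control.tar"))
    with tarfile.open(fileobj=io.BytesIO(ctl), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.name.lstrip("./") == "control":
                text = tf.extractfile(m).read().decode()
                return dict(line.split(": ", 1) for line in text.splitlines() if ": " in line)
    raise ValueError("no control file in package")


def verify_download(entry: dict, blob: bytes) -> str:
    """entry: Package/Version/SHA256 the client selected from the (signed) index."""
    if hashlib.sha256(blob).hexdigest() != entry["SHA256"]:
        return "reject: hash does not match index entry"
    ctl = deb_control(blob)
    # The check the mail asks for: the package must say it IS the version we asked for.
    if (ctl.get("Package"), ctl.get("Version")) != (entry["Package"], entry["Version"]):
        return f"reject: asked for {entry['Version']}, package says {ctl.get('Version')}"
    return "ok"


def verify_index_freshness(release: dict, last_seen, now) -> str:
    """Replay check on a signature-verified Release file using its Date/Valid-Until."""
    fmt = "%a, %d %b %Y %H:%M:%S UTC"
    date = datetime.strptime(release["Date"], fmt).replace(tzinfo=timezone.utc)
    until = datetime.strptime(release["Valid-Until"], fmt).replace(tzinfo=timezone.utc)
    if now > until:
        return "reject: index expired (Valid-Until passed)"
    if last_seen is not None and date < last_seen:
        return "reject: index older than the one previously accepted (replay)"
    return "ok"


def demo() -> dict:
    # Constructed scenario: client wants 1.2.3, the MITM serves the older 1.2.0 build.
    good = build_deb("example-pkg", "1.2.3")
    old = build_deb("example-pkg", "1.2.0")  # genuinely signed once, just outdated
    entry = {"Package": "example-pkg", "Version": "1.2.3",
             "SHA256": hashlib.sha256(good).hexdigest()}
    now = datetime(2008, 7, 12, tzinfo=timezone.utc)
    fresh = {"Date": "Fri, 11 Jul 2008 12:00:00 UTC", "Valid-Until": "Fri, 18 Jul 2008 12:00:00 UTC"}
    stale = {"Date": "Sat, 01 Mar 2008 12:00:00 UTC", "Valid-Until": "Sat, 08 Mar 2008 12:00:00 UTC"}
    return {
        "genuine": verify_download(entry, good),
        "swapped": verify_download(entry, old),
        # Index entry whose hash matches the old file but still claims 1.2.3:
        "swapped_hash_claimed": verify_download({**entry, "SHA256": hashlib.sha256(old).hexdigest()}, old),
        "fresh_index": verify_index_freshness(fresh, None, now),
        "replayed_index": verify_index_freshness(stale, None, now),
        "rolled_back_index": verify_index_freshness(
            fresh, datetime(2008, 7, 11, 18, 0, tzinfo=timezone.utc), now),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22} {verdict}")
```

The hash comparison alone only defends against a swap when the client's index is the current one; if the index itself was replayed, every hash in it matches the old packages, which is why the freshness window and the "never accept an index older than the last one" rule are needed alongside the control-file version check.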