oss-sec mailing list archives
Re: Update on the distro-backdoor-scanner effort
From: Jacob Bachmeyer <jcb62281 () gmail com>
Date: Mon, 29 Apr 2024 19:31:46 -0500
Vegard Nossum wrote:
> [...]
>
> Hi,
>
> Masquerading a shell command as a pkg-config variable definition is trivial (but probably still detectable) since you can just do:
>
>     foobar=/usr echo hi
>
> which AFAIK is a valid pkg-config variable definition but also a valid shell command.
You are correct, but making this a little bit harder for an attacker is still an improvement. Perhaps pkg-config variable values should be required to be in quotes if they contain spaces?
The bigger issue is accepting an *-uninstalled.pc in a system directory, which means that it actually *has* been installed. That logic error allowed your backdoor to override the real libelf.pc without producing a file conflict that the package manager could detect.
> Also remember that in my particular example I reused the same file but it would also be trivial to use a different file in the $(...) expansion so that the payload actually lives somewhere else.
Agreed, but adding another file to the backdoor increases the chance of the attacker getting caught.
> The payload doesn't even have to be a shell script, it could also be a small ELF binary or something where you wouldn't necessarily be able to tell at a glance that it does something malicious.
Also correct; in fact, for a package that actually installs executables, a bit of extra code in an otherwise legitimate binary to detect when the grandparent is make(1) and drop a backdoor could very likely go unnoticed. (This would be the rogue or compromised distribution packager scenario, where the binaries distributed do not match the sources.)
-- 
Jacob
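The two checks discussed above (a *-uninstalled.pc file that has somehow ended up in a system pkgconfig directory, and a variable definition that would also parse as a shell command because its value carries unquoted whitespace or a $(...) or backtick substitution) are easy to express as a scanner heuristic. The script below is an added illustration, not code from the distro-backdoor-scanner project or from either poster; the list of system pkgconfig directories, the regular expression for variable lines, and the two sample .pc files are my own assumptions and constructions. The "unquoted whitespace" rule follows the quoting suggestion in the reply and will produce false positives on legitimate files that define multi-token variables, so treat it as a triage hint rather than a verdict.

```python
"""Heuristic scanner for pkg-config (.pc) files.

Constructed example (not part of distro-backdoor-scanner).  Flags:
  * a *-uninstalled.pc file located in a system pkgconfig directory;
  * variable definitions (name=value) whose value contains unquoted
    whitespace, i.e. lines that are also valid shell commands;
  * variable values containing $(...) or backtick command substitution.
Keyword lines ("Name: ...", "Libs: ...") are not examined.
"""
import re
from pathlib import Path

# Assumption: the usual system pkgconfig search directories on a Linux distro.
SYSTEM_PC_DIRS = (
    "/usr/lib/pkgconfig",
    "/usr/lib64/pkgconfig",
    "/usr/share/pkgconfig",
    "/usr/local/lib/pkgconfig",
)

# A pkg-config variable line is "name=value", optionally with whitespace
# before the '='.  Keyword lines use ':' and never match this pattern.
VAR_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_.]*)\s*=(.*)$")


def _in_system_dir(path: str) -> bool:
    return str(Path(path).parent) in SYSTEM_PC_DIRS


def _is_quoted(value: str) -> bool:
    # Whole value wrapped in matching single or double quotes.
    return len(value) >= 2 and value[0] in "\"'" and value[-1] == value[0]


def scan_pc(path: str, text: str):
    """Return a list of (kind, lineno, detail); lineno 0 means the whole file."""
    findings = []
    name = Path(path).name
    # Logic-error check: an -uninstalled.pc file has no business in a system dir.
    if name.endswith("-uninstalled.pc") and _in_system_dir(path):
        findings.append(("uninstalled-in-system-dir", 0, name))
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VAR_RE.match(line)
        if not m:
            continue  # keyword line or blank; not a variable definition
        var, value = m.group(1), m.group(2).strip()
        # "foobar=/usr echo hi" is both a pkg-config variable and a shell command.
        if re.search(r"\s", value) and not _is_quoted(value):
            findings.append(("unquoted-whitespace", lineno, f"{var}={value}"))
        # $(...) or `...` would run a command if the file were ever sourced.
        if "$(" in value or "`" in value:
            findings.append(("command-substitution", lineno, f"{var}={value}"))
    return findings


def scan_directory(directory: str):
    """Scan every *.pc file in one directory; returns {path: findings}."""
    results = {}
    for pc in sorted(Path(directory).glob("*.pc")):
        found = scan_pc(str(pc), pc.read_text(errors="replace"))
        if found:
            results[str(pc)] = found
    return results


# Constructed sample files (not real distribution files).
CLEAN_PC = """\
prefix=/usr
exec_prefix=${prefix}
libdir=${exec_prefix}/lib
includedir=${prefix}/include

Name: libdemo
Description: constructed demo library
Version: 1.0
Libs: -L${libdir} -ldemo
Cflags: -I${includedir}
"""

SUSPICIOUS_PC = """\
prefix=/usr
foobar=/usr echo hi
payload=$(cat /tmp/stage2)
Name: libdemo
Version: 1.0
"""

if __name__ == "__main__":
    for path, text in (("/usr/lib/pkgconfig/libdemo.pc", CLEAN_PC),
                       ("/usr/lib/pkgconfig/libdemo-uninstalled.pc", SUSPICIOUS_PC)):
        print(path)
        for kind, lineno, detail in scan_pc(path, text):
            print(f"  line {lineno}: {kind}: {detail}")
```

In a real deployment you would run scan_directory over each entry of pkg-config's search path and diff the findings against the package manager's file manifest, which is where a conflicting libfoo.pc would otherwise have been caught.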