oss-sec mailing list archives

Re: Update on the distro-backdoor-scanner effort


From: Jacob Bachmeyer <jcb62281 () gmail com>
Date: Mon, 29 Apr 2024 19:31:46 -0500

Vegard Nossum wrote:
> [...]
> Hi,
>
> Masquerading a shell command as a pkg-config variable definition is
> trivial (but probably still detectable) since you can just do:
>
> foobar=/usr echo hi
>
> which AFAIK is a valid pkg-config variable definition but also a valid
> shell command.

You are correct, but making this a little bit harder for an attacker is still an improvement. Perhaps pkg-config variable values should be required to be in quotes if they contain spaces?

The bigger issue is accepting an *-uninstalled.pc in a system directory, which means that it actually *has* been installed. That logic error allowed your backdoor to override the real libelf.pc without producing a file conflict that the package manager could detect.

> Also remember that in my particular example I reused the same file but
> it would also be trivial to use a different file in the $(...) expansion
> so that the payload actually lives somewhere else.

Agreed, but adding another file to the backdoor increases the chance of the attacker getting caught.

> The payload doesn't
> even have to be a shell script, it could also be a small ELF binary or
> something where you wouldn't necessarily be able to tell at a glance
> that it does something malicious.

Also correct; in fact, for a package that actually installs executables, a bit of extra code in an otherwise legitimate binary to detect when the grandparent is make(1) and drop a backdoor could very likely go unnoticed. (This would be the rogue or compromised distribution packager scenario, where the binaries distributed do not match the sources.)


-- Jacob
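As an added illustration of the two checks discussed in this reply (not code from the thread or from the distro-backdoor-scanner project), a small Python heuristic that flags *-uninstalled.pc files sitting in system pkg-config directories and variable values containing shell command substitution or unquoted whitespace. The system directory list and the sample .pc contents are assumed and constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Typical system pkg-config search directories (assumed; adjust per distro).
SYSTEM_PC_DIRS = {"/usr/lib/pkgconfig", "/usr/lib64/pkgconfig", "/usr/share/pkgconfig"}
# pkg-config grammar: a line is either "Keyword: value" or "variable=value".
KEYWORD_RE = re.compile(r"^[A-Za-z_.]+:")
VARIABLE_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_.]*)=(.*)$")

def scan_pc(path: str, text: str) -> list[str]:
    """Heuristic findings for one .pc file, given its path and contents."""
    findings = []
    p = PurePosixPath(path)
    # An *-uninstalled.pc describes a build tree; in a system directory it
    # shadows the real file (pkg-config prefers the -uninstalled variant).
    if str(p.parent) in SYSTEM_PC_DIRS and p.name.endswith("-uninstalled.pc"):
        findings.append(f"{path}: uninstalled .pc file in a system directory")
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or KEYWORD_RE.match(line):
            continue
        m = VARIABLE_RE.match(line)
        if not m:
            findings.append(f"{path}:{lineno}: neither keyword nor variable")
            continue
        name, value = m.groups()
        # pkg-config only expands ${var}; "$(" and backticks are shell syntax.
        if "$(" in value or "`" in value:
            findings.append(f"{path}:{lineno}: {name}: shell command substitution")
        # "foobar=/usr echo hi" is a valid variable definition and also a
        # valid shell line (assignment prefix + command); quoting removes that.
        quoted = len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'"
        if re.search(r"\s", value) and not quoted:
            findings.append(f"{path}:{lineno}: {name}: unquoted whitespace")
    return findings

# Constructed sample files (not taken from any real distribution).
CLEAN_PC = "prefix=/usr\nlibdir=${prefix}/lib\nName: libelf\nVersion: 0.0\n" \
           "Libs: -L${libdir} -lelf\nCflags: -I${includedir}\n"
SUSPECT_PC = "foobar=/usr echo hi\nprefix=$(echo /usr)\nName: libelf\n"

def demo() -> list[str]:
    files = {"/usr/lib/pkgconfig/libelf.pc": CLEAN_PC,
             "/usr/lib/pkgconfig/libelf-uninstalled.pc": SUSPECT_PC}
    return [f for path, text in files.items() for f in scan_pc(path, text)]

if __name__ == "__main__":
    print("\n".join(demo()))
```

Legitimate variables with space-separated values do exist, so the whitespace check is a review prompt rather than a verdict; the -uninstalled-in-system-directory check has no legitimate hits.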
