Debian/Ubuntu security apt phun

newer
Former UK ambassador:: I picked up...

Georgi Guninski

14 Dec 2016 14 Dec '16

5:06 p.m.

Debian/Ubuntu security apt phun https://www.ubuntu.com/usn/usn-3156-1/ 13th December, 2016 An attacker could trick APT into installing altered packages. https://www.debian.org/security/2016/dsa-3733 can take advantage of this flaw to circumvent the signature of the InRelease file, leading to arbitrary code execution. Likely besides the nsa, others enjoyed this too (have seen multi user debian mirror with world writable stuff at /etc) And how do you update apt if it is broken? ;)

Show replies by date

Razer

14 Dec 14 Dec

5:50 p.m.

On 12/14/2016 09:06 AM, Georgi Guninski wrote:

...

Debian/Ubuntu security apt phun

https://www.ubuntu.com/usn/usn-3156-1/ 13th December, 2016 An attacker could trick APT into installing altered packages.

https://www.debian.org/security/2016/dsa-3733 can take advantage of this flaw to circumvent the signature of the InRelease file, leading to arbitrary code execution.

Likely besides the nsa, others enjoyed this too (have seen multi user debian mirror with world writable stuff at /etc)

And how do you update apt if it is broken? ;)

Download the .deb package and install. Assuming ofc apt IS installable from a .deb file...IDK. Rr

Shawn K. Quinn

6:04 p.m.

On 12/14/2016 11:50 AM, Razer wrote:

...

Download the .deb package and install. Assuming ofc apt IS installable from a .deb file...IDK.

Yes, if you are that worried, manually verify the .deb and install it with dpkg. -- Shawn K. Quinn http://www.rantroulette.com http://www.skqrecordquest.com

Georgi Guninski

6:22 p.m.

On Wed, Dec 14, 2016 at 12:04:00PM -0600, Shawn K. Quinn wrote:

...

On 12/14/2016 11:50 AM, Razer wrote:

...
Download the .deb package and install. Assuming ofc apt IS installable from a .deb file...IDK.

Yes, if you are that worried, manually verify the .deb and install it with dpkg.

This makes some sense. What are the exact steps to verify .deb? To my knowledge the signature of .deb is not contained in it like in say .rpm and one needs hashes from a signed _other_ file, which make it PITA to install on air gapped boxen. This info might be outdated.

Karl

10:11 p.m.

Thanks for sharing this. As a Qubes user, I've been installing Debian updates over Tor regularly. I guess I should reinstall my whole operating system at this point. On December 14, 2016 1:04:00 PM EST, "Shawn K. Quinn" wrote:

...

On 12/14/2016 11:50 AM, Razer wrote:

...
Download the .deb package and install. Assuming ofc apt IS installable from a .deb file...IDK.

Yes, if you are that worried, manually verify the .deb and install it with dpkg.

-- Shawn K. Quinn http://www.rantroulette.com http://www.skqrecordquest.com

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.

Shawn K. Quinn

11:07 p.m.

On 12/14/2016 04:11 PM, Karl wrote:

...

On December 14, 2016 1:04:00 PM EST, "Shawn K. Quinn" wrote: Yes, if you are that worried, manually verify the .deb and install it with dpkg.

Thanks for sharing this.

As a Qubes user, I've been installing Debian updates over Tor regularly. I guess I should reinstall my whole operating system at this point.

If you really think you've been "owned" then better safe than sorry. As for me, right now I'm just waiting for the new version of apt to come down the pipe before doing any other significant software updates/installs, until it's shown this has actually been exploited. -- Shawn K. Quinn http://www.rantroulette.com http://www.skqrecordquest.com

Georgi Guninski

7:13 p.m.

On Wed, Dec 14, 2016 at 09:50:14AM -0800, Razer wrote:

...

...
And how do you update apt if it is broken? ;)

Download the .deb package and install. Assuming ofc apt IS installable from a .deb file...IDK.

By "broken" I meant vulnerable, not non-working. As I already asked "how do I verify the integrity of the apt .deb"? Haven't checked the details, but the wording in the Debilian's advisory suggest they don't have self-contained pseudo-crypto signatures, they just sign the metadata shit, at least by default. As an aside, "download this .deb and install" reminds me of the windoze screensaver attachments I get by email...

John Newman

9:07 p.m.

...

On Dec 14, 2016, at 2:13 PM, Georgi Guninski wrote:

As an aside, "download this .deb and install" reminds me of the windoze screensaver attachments I get by email...

Naught to do with Debian, but goddam I'm sick of seeing IPs from all over the world logging into our one anon ftp server and recursively trying to upload Photo.scr over and over, until the little monitor script catches and blocks it. The file is of course actually a Windows executable, not a ".scr" file...

Shawn K. Quinn

9:18 p.m.

On 12/14/2016 03:07 PM, John Newman wrote:

...

Naught to do with Debian, but goddam I'm sick of seeing IPs from all over the world logging into our one anon ftp server and recursively trying to upload Photo.scr over and over, until the little monitor script catches and blocks it.

The file is of course actually a Windows executable, not a ".scr" file...

First, why the hell are you running an anonymous FTP server in 2016?! FTP needs to die... it was designed in an era where it was acceptable to send passwords across the internet in plain text. That era is long gone. HTTP (really HTTPS now) for downloads, and SFTP/SCP for the use cases where HTTP(S) won't really fit. Second, if I remember right, .scr *is* a type of Windows executable (originally used for screensavers). Thank Microsoft for that one... most people wouldn't recognize .scr the way they would, say, .exe, .dll, and the like. This is why I like the Unix method a lot better: if you want to run something, you either have to feed it to something like bash or python on the command line, or give it execute permissions. Of course, the flip side of this is that mounting stuff over SMB has the executable bit set on everything, even stuff for which an execute action would not make any sense... which kind of shoots down this rudimentary security mechanism. (Again, blame Microsoft, who clearly thinks the existence of an execute permission bit is redundant.) Not much I haven't said before, though: http://www.rantroulette.com/tag/microsoft -- Shawn K. Quinn http://www.rantroulette.com http://www.skqrecordquest.com

John Newman

9:59 p.m.

...

On Dec 14, 2016, at 4:18 PM, Shawn K. Quinn wrote:

...
On 12/14/2016 03:07 PM, John Newman wrote: Naught to do with Debian, but goddam I'm sick of seeing IPs from all over the world logging into our one anon ftp server and recursively trying to upload Photo.scr over and over, until the little monitor script catches and blocks it.

The file is of course actually a Windows executable, not a ".scr" file...

First, why the hell are you running an anonymous FTP server in 2016?! FTP needs to die... it was designed in an era where it was acceptable to send passwords across the internet in plain text. That era is long gone. HTTP (really HTTPS now) for downloads, and SFTP/SCP for the use cases where HTTP(S) won't really fit.

Not up to me my friend. Server in question supposedly facilitates some public data eg supports large transfer for various shit like big chunks of the human genome project, other pubmed data, etc. I agree it's foolish, but I simply maintain the system, against recommendations I've made to superiors! It's a UNIX system btw, well, redhat, running vsftpd, with a simple perl script I've written to trail the logs and blackhole anybody that looks nefarious. Kind of a very narrow fail2ban type thing...

...

Second, if I remember right, .scr *is* a type of Windows executable (originally used for screensavers). Thank Microsoft for that one... most people wouldn't recognize .scr the way they would, say, .exe, .dll, and the like. This is why I like the Unix method a lot better: if you want to run something, you either have to feed it to something like bash or python on the command line, or give it execute permissions. Of course, the flip side of this is that mounting stuff over SMB has the executable bit set on everything, even stuff for which an execute action would not make any sense... which kind of shoots down this rudimentary security mechanism. (Again, blame Microsoft, who clearly thinks the existence of an execute permission bit is redundant.)

For some reason I thought windows .scr files were bitmaps or pngs or something... Anyway, all I know is when I run "file Photo.scr" I get back "Win32 EXE.." or whatever the precise output is, I don't recall (typing this on a phone on the subway) I calculated the md5 first few times I saw it and looked it up - it's this guy: http://www.securityweek.com/photominer-worm-spreads-insecure-ftp-servers We haven't had any actual infections, I just see the fucking thing knocking on the door (and getting blocked and nuked) all the time. Sets itself up as a bitcoin miner with successful infection. And I totally agree re: Microsoft. Can't stand working with their shit. Security is intolerable (pass the hash has worked for like 20 years, not to mention a million other flaws, and the aesthetics are horrible compared to UNIX..)

...

Not much I haven't said before, though: http://www.rantroulette.com/tag/microsoft

-- Shawn K. Quinn http://www.rantroulette.com http://www.skqrecordquest.com

John Newman

10:55 p.m.

On Wed, Dec 14, 2016 at 04:59:27PM -0500, John Newman wrote:

...

For some reason I thought windows .scr files were bitmaps or pngs or something... Anyway, all I know is when I run "file Photo.scr" I get back "Win32 EXE.." or whatever the precise output is, I don't recall (typing this on a phone on the subway)

The precise output of the garbage in question: $ file Photo.scr Photo.scr: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows $ md5sum Photo.scr aba2d86ed17f587eb6d57e6c75f64f05 Photo.scr $ sha1sum Photo.scr aeccba64f4dd19033ac2226b4445faac05c88b76 Photo.scr https://www.virustotal.com/en/file/807126cbae47c03c99590d081b82d5761e0b9c57a... Fun stuff! (heh) John

Georgi Guninski

15 Dec 15 Dec

7:24 p.m.

On Wed, Dec 14, 2016 at 04:07:31PM -0500, John Newman wrote:

...

Naught to do with Debian, but goddam I'm sick of seeing IPs from all over the world logging into our one anon ftp server and recursively trying to upload Photo.scr over and over, until the little monitor script catches and blocks it.

Lol, what is the address of these nice free ftp space providers?

...

The file is of course actually a Windows executable, not a ".scr" file...

If you can't run ".scr" natively try it under Wine, why rm it?

John Newman

8:23 p.m.

On Thu, Dec 15, 2016 at 09:24:41PM +0200, Georgi Guninski wrote:

...

On Wed, Dec 14, 2016 at 04:07:31PM -0500, John Newman wrote:

...
Naught to do with Debian, but goddam I'm sick of seeing IPs from all over the world logging into our one anon ftp server and recursively trying to upload Photo.scr over and over, until the little monitor script catches and blocks it.

Lol, what is the address of these nice free ftp space providers?

The logs are actually all "FAIL UPLOAD: Client .. /blah/blah/Photo.scr" these days. There were a couple misconfigured directories owned by ftp:ftp with mode some fucked up combo of either u+w or g+w where it kept getting placed, which was fixed a while ago.

...

...
The file is of course actually a Windows executable, not a ".scr" file...

If you can't run ".scr" natively try it under Wine, why rm it?

I thought (not being a windows user) that ".scr" files were fucking... images? Screensaver files? Apparently Windows also blithely interprets them as ".scr"ipts, which includes regular old win32 executable code. The beautiful aesthetics of Windows. And obviously I never wanted to run them.. Oh, and its apparently a "monero" miner/virus, not bitcoin. So many blockchain currencies, so little wattage... Except in Venezuela, of course :) John

Mark Steward

16 Dec 16 Dec

1:30 a.m.

.scr files since Windows 3 have been (NE or PE) executable files. Mark On 15 Dec 2016 20:24, "John Newman" wrote:

...

On Thu, Dec 15, 2016 at 09:24:41PM +0200, Georgi Guninski wrote:

...
On Wed, Dec 14, 2016 at 04:07:31PM -0500, John Newman wrote:

...
Naught to do with Debian, but goddam I'm sick of seeing IPs from all over the world logging into our one anon ftp server and recursively trying to upload Photo.scr over and over, until the little monitor script catches and blocks it.

Lol, what is the address of these nice free ftp space providers?

The logs are actually all "FAIL UPLOAD: Client .. /blah/blah/Photo.scr" these days.

There were a couple misconfigured directories owned by ftp:ftp with mode some fucked up combo of either u+w or g+w where it kept getting placed, which was fixed a while ago.

...
...
The file is of course actually a Windows executable, not a ".scr" file...

If you can't run ".scr" natively try it under Wine, why rm it?

I thought (not being a windows user) that ".scr" files were fucking... images? Screensaver files? Apparently Windows also blithely interprets them as ".scr"ipts, which includes regular old win32 executable code. The beautiful aesthetics of Windows. And obviously I never wanted to run them..

Oh, and its apparently a "monero" miner/virus, not bitcoin. So many blockchain currencies, so little wattage... Except in Venezuela, of course :)

John

2853

Age (days ago)

2855

Last active (days ago)

List overview

Download

13 comments

6 participants

participants (6)

Georgi Guninski
John Newman
Karl
Mark Steward
Razer
Shawn K. Quinn