how to insert plausibly deniable back-doors (Re: Is Open Source safe? [Linux Weekly News])

[Adam Back]

I reckon an easy and plausibly deniable way to insert a backdoor is to
purposefully make the software vulnerable to buffer overflow (the good
old unchecked gets(3) type of bug, of which a new one is found weekly
in sendmail).

Then send the target an encrypted spam or whatever which their program
decrypts, and in the process exploits the buffer overflow and allows
you to execute arbitrary code, which you use to patch the binary, or
install a keyboard sniffer or whatever.  Works better with DOS/windows
-- with no protection -- you could format the disk if you wanted.
unix a bit more tricky, but doable nonetheless -- enough OS security
vulnerabilities to send along a program to obtain root, and then patch
the binary.

Nice and deniable too, if someone finds the vulnerability, you go
`whoops!' and remove it.

I spent a few hours examining pgp263i for buffer overflow
opportunities, but found no exploitable opportunities in that quick
search.

Areas where things almost work from offerflow is fixed size buffer for
storage of -----BEGIN BLAH----- lines, and I did wonder about the
decompression code also -- quite hairy, and undefined behaviour may
just be obtainable with the right carefully corrupted message sent in.

This exercise ought to be done on pgp5.x and 6.x.  I have spent some
time looking at the code in general -- yuck -- OO overdone, very hard
to read due to the many many levels of inheritence and so on, you
really need to run it under a debugger to even figure out what would
happen half the time.  I think I preferred pgp263 for readability and
clarity.  Werner Koch's GNUPG gets an A+ for coding clarity also --
way better than either pgp2.x and pgp5.x.

Adam