lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 2 May 2011 14:05:57 -0400
From: Григорий Братислава <musntlive@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Covert Backdoor in is All BSD {free, net, open,
	dragon, pc, (un)trusted}

----------------------------------------------------------------------------

                  MusntLive Security Advisory

                           2nd May, 2011

Covert Backdoor(s) in is all BSDs via is way of OpenBSD

----------------------------------------------------------------------------

SYNOPSIS

OpenBSD is is rumored to is has covert backdoor via is obfuscated legacy
code. Is try to be deflected by other covert government agent is not say
name for sake of predator drone strike. Howisever, is must summarize to
everyone from post:

http://home.comcast.net/~ajawamnet/VA7751.jpg [OpenBSD is backdoor board)
http://lists.randombit.net/pipermail/cryptography/2010-December/000443.html

Is MusntLive comment in comment /* style code */

After reviewing the code. Here are my opinions:

* Angelos Keromytis made huge contributions to OpenBSD by porting and
enhancing the early IPsec implementation of John Ioannidis. He also
contributed to the initial development of the OpenBSD crypto framework.

* In what is perhaps the sincerest form of flattery, this code has also
been incorporated into many other projects, some of which are closed
source and some are not derived from BSD.

/* This is mean that everyone is now have similar backdoor */

* I didn't spot anything malicious or intentionally backdoored in the
IPsec ESP implementation code that I looked at.

/* This is mean that is pockets is must be greased */

* There was a serious vulnerability in ESP-mode IPsec shipped in OpenBSD
3.0 and 3.1 and silently patched before 3.2.

* Gregory Perry made allegations that were specific and testable enough
that they merited a little investigation and a bug was found that could
have made a very close match for his description. But upon closer
inspection, this particular bug is extremely ordinary.

/* This is mean that is normal backdoor, no overlap */

* I primarily reviewed a small set of source files specific to ESP,
these only partially overlapped those of the developer Perry accused by
name (Jason Wright). Nevertheless, any credence which might have been
given to Perry's claims as a result of this bug should be reverted to
zero (or less).

/* Is only small set review then is analysis worthless */

* This bug doesn't sufficiently meet the criteria for a malicious backdoor:

- The bug does not leak key material or establish a covert channel, it
would require an active attack to exploit and even then would probably
need to be used in connection with some other defect in order to result
in meaningful unauthorized access. Yeah sorta it maybe could be used as
part of that, but not really its own.

/* Is because no one would use salami attack. Is you has to ask about
salami you is no hacker */

- The bug is not hidden. There is nothing to suggest any attempt at
misdirection or obfuscation.

/* Is because hiding is in plain sight is never used */

- The bug is not particularly subtle or even hard-to-find.

- Angelos is a recognized expert in low-level maliciousness. Surely he
would have come up with something better.

/* Of course is however, we is not speak of Angelos, we is speak
of Jason Wright */

- The bug has a far simpler explanation (more on that later)

/* Fat finger is reason */

* There is little or nothing to suggest that Angelos was influenced by
money from NETSEC. To the contrary, judging by publications, Angelos
clearly had a plethora of research projects on his plate at the time he
moved on from OpenBSD in July of 2002 (shortly before the bug was patched).

/* Is because money is never is motivator for anyone */

* When Angelos moved on, the IPsec and associated crypto code were
adopted by Jason and other OpenBSD developers. But the transition
appears to have left some code changes in an unfinished state. For
example, the inverted conditional at the core of this problem looks like
it was introduced as part of an architectural enhancement to support
IPsec-enabled network cards which performed decryption and
authentication of the incoming packets right on the NIC itself. However,
no drivers of this type appeared in the source tree, so the new logic
probably went untested. The apparent work-in-progress code silently
became part of the 3.0 and subsequent release branches.

/* Is hurt my eye is to read this paragraph */

* OpenBSD did not live up to their stated principle of full disclosure.
They should have issued an advisory for this.
http://openbsd.org/security.html

/* OpenBSD is not live up to come clean */

* OpenBSD's security auditing processes did not catch this bug, either
when it was introduced or in any subsequent review. In a follow-up email
to the CVS commit, Jason indicates that the fix was supplied by BSD guru
Sam Leffler, who was working on an optimized IPsec implementation for
FreeBSD about that time.

/* Is first sentence speak for itself: "OpenBSD's security auditing
processes did not catch this bug" is because Theo is not care */

* Code coverage testing would have had a good chance of catching this.

/* Theo is not care and is try to convey security sensationalism:
I am is Theo hear me roar else is I will covertly enter is your
OpenBSD install and roar is own my own */

/* Is rest edited to make Ray Marsh STFU */

* Where there have been bugs found, there are likely more bugs.

----------------------------------------------------------------------------

AFFECTED SYSTEMS

This vulnerability now affects all versions of BSD which is share code
with team Theo

----------------------------------------------------------------------------

RESOLUTION

Use BeOS and Free Dmitry!!

----------------------------------------------------------------------------


'I am epic win' Gregor

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ