lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CALCvwp50egBn9zP31vNiEccjNcXZGd5GDnFSQxRVSXUNSgpZAQ@mail.gmail.com>
Date: Fri, 23 Sep 2011 06:32:10 +1000
From: GloW - XD <doomxd@...il.com>
To: Georgi Guninski <guninski@...inski.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: owning ubuntu apt-key net-update (maybe
 apt-get update related)

So, this is an exploit then ? Or just a broken package ? Some people would
simply not understand that,your very techy :P
Anyhow, making a small .sh file for the bug would be cool.. if there is a
bug to be had.
cheers


On 22 September 2011 22:03, Georgi Guninski <guninski@...inski.com> wrote:

> # grep -rniI 'apt-key' /etc 2>/dev/null
> /etc/cron.daily/apt:444:    if eval apt-key net-update $XSTDERR; then
> /etc/cron.daily/apt:445:        debug_echo "apt-key net-update (success)"
> /etc/cron.daily/apt:447:        debug_echo "apt-key net-update (failure)"
>
> i suppose this effectively breaks vanilla "apt-get update" after cron is
> helped by MITM.
>
> the certs were verified to work after installed by apt-key net-update.
>
> --
> joro
>
> On Thu, Sep 22, 2011 at 12:07:08PM +0300, Georgi Guninski wrote:
> > owning ubuntu apt-key net-update (maybe apt-get update related)
> >
> > in ubuntu 10.04 in /usr/bin/apt-key in
> add_keys_with_verify_against_master_keyring()
> >
> > if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key |
> grep ^sig | cut -d: -f5 | grep -q $master_key; then
> >               $GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export
> $add_key | $GPG --import
> >               ADDED=1
> >
> >
> > to my knowledge --list-sigs doesn't do crypto verification, just looks
> for well formedness.
> >
> > it is trivial to generate a gpg key with key ID == $master_key:
> > set gpg version to 3, set the lowest 64 bits of the RSA $n$ to the key
> ID, generate random high bits until one can trial factor $n$ (numerology is
> on your side), this is it.
> >
> > to reproduce:
> > attached is ubuntu-archive-keyring.gpg.
> > put it on http://A/ubuntu-archive-keyring.gpg
> > make a copy of apt-key and set:
> > ARCHIVE_KEYRING_URI=http://A/ubuntu-archive-keyring.gpg
> > ^ this emulates MITM.
> > do |./apt-key-new net-update| and check for new keys with |apt-key list|
> >
> > this might or might not be related with |apt-get update|.
> >
> > 10x.
> >
> > --
> > joro
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ