List: oss-security
Subject: Re: [oss-security] Update on the distro-backdoor-scanner effort
From: Jacob Bachmeyer <jcb62281 () gmail ! com>
Date: 2024-04-30 0:31:46
Message-ID: 66303BF2.2070502 () gmail ! com
Vegard Nossum wrote:
> [...]
> Hi,
>
> Masquerading a shell command as a pkg-config variable definition is
> trivial (but probably still detectable) since you can just do:
>
> foobar=/usr echo hi
>
> which AFAIK is a valid pkg-config variable definition but also a valid
> shell command.
You are correct, but making this a little bit harder for an attacker is
still an improvement. Perhaps pkg-config variable values should be
required to be in quotes if they contain spaces?
The bigger issue is accepting an *-uninstalled.pc in a system directory,
which means that it actually *has* been installed. That logic error
allowed your backdoor to override the real libelf.pc without producing a
file conflict that the package manager could detect.
> Also remember that in my particular example I reused the same file but
> it would also be trivial to use a different file in the $(...) expansion
> so that the payload actually lives somewhere else.
Agreed, but adding another file to the backdoor increases the chance of
the attacker getting caught.
> The payload doesn't
> even have to be a shell script, it could also be a small ELF binary or
> something where you wouldn't necessarily be able to tell at a glance
> that it does something malicious.
Also correct; in fact, for a package that actually installs executables,
a bit of extra code in an otherwise legitimate binary to detect when the
grandparent is make(1) and drop a backdoor could very likely go
unnoticed. (This would be the rogue or compromised distribution
packager scenario, where the binaries distributed do not match the sources.)
-- Jacob
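As an added example (my own code, not part of Jacob's or Vegard's messages and not code from the distro-backdoor-scanner project), here is a small Python checker for the two defensive points raised in the thread: a `name=value` line in a `.pc` file that a POSIX shell would also accept as a command (the `foobar=/usr echo hi` case, which quoting the value avoids), and an `*-uninstalled.pc` file sitting in a system pkg-config directory where only installed files belong. The system directory list and the sample `.pc` text are constructed assumptions; the `shlex` punctuation handling used here needs Python 3.8 or later.

```python
import re
import shlex
from pathlib import PurePosixPath

# Assumed list of directories where pkg-config looks up *installed* .pc
# files; extend per distribution (e.g. lib/x86_64-linux-gnu/pkgconfig).
# A file named *-uninstalled.pc belongs to an unbuilt source tree, never here.
SYSTEM_PC_DIRS = (
    "/usr/lib/pkgconfig", "/usr/lib64/pkgconfig", "/usr/share/pkgconfig",
    "/usr/local/lib/pkgconfig", "/usr/local/share/pkgconfig",
)

# pkg-config variable definition "name=value" (keywords look like "Name: value")
VAR_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_.]*)=(.*)$')
# command substitution that a shell would run but pkg-config never needs
SHELL_SUBST_RE = re.compile(r'`|\$\(')


def is_misplaced_uninstalled(path: str) -> bool:
    """True if an *-uninstalled.pc file lives under a system pkg-config dir."""
    p = PurePosixPath(path)
    if not p.name.endswith("-uninstalled.pc"):
        return False
    parent = str(p.parent)
    return any(parent == d or parent.startswith(d + "/") for d in SYSTEM_PC_DIRS)


def check_variable_line(line: str) -> list:
    """Return the reasons a single .pc line is suspicious ([] when clean).

    Only variable definitions are examined.  The line is re-read the way a
    POSIX shell would tokenize it: if that yields more than one word, the
    same bytes are a valid shell command (a leading assignment followed by a
    command name), which is exactly the masquerade discussed in the thread.
    A value kept entirely inside quotes stays a single word and passes.
    """
    reasons = []
    m = VAR_RE.match(line)
    if not m:
        return reasons
    value = m.group(2)
    if SHELL_SUBST_RE.search(value):
        reasons.append("command substitution ($( or backtick) in variable value")
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # split only on whitespace and ; | & ( ) < >
    try:
        words = list(lexer)
    except ValueError:
        reasons.append("unbalanced quotes in variable definition")
        return reasons
    if len(words) > 1:
        reasons.append("unquoted whitespace or operator: line also parses as a shell command")
    return reasons


def scan_pc_text(text: str) -> list:
    """Scan the text of a .pc file; return (lineno, reason, line) findings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for reason in check_variable_line(line):
            findings.append((lineno, reason, line))
    return findings


# Constructed sample .pc content (not a real libelf.pc): lines 3 and 5 are
# the ones a shell would execute; line 6 shows the quoted form that passes.
SAMPLE_PC = """\
# constructed sample, not a real libelf.pc
prefix=/usr
foobar=/usr echo hi
libdir=${prefix}/lib
payload=`sh ./helper`
quoted="/opt/with space/lib"
Name: libelf
Description: constructed example
Libs: -L${libdir} -lelf
"""

if __name__ == "__main__":
    for lineno, reason, line in scan_pc_text(SAMPLE_PC):
        print(f"line {lineno}: {reason}: {line}")
    for path in ("/usr/lib/pkgconfig/libelf-uninstalled.pc",
                 "/home/build/libelf/libelf-uninstalled.pc"):
        print(path, "misplaced" if is_misplaced_uninstalled(path) else "ok")
```

Running the checker over a distribution's pkg-config directories would complement the file-conflict detection Jacob mentions: the package manager cannot see a `libelf-uninstalled.pc` shadowing `libelf.pc`, but a path check can.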