
#1 2007-07-26 18:53:19

rbl
Member
Registered: 2005-08-29
Posts: 64

Pacman vulnerable to MITM attacks?

Hello fellow archers,

I was wondering if pacman's security model could compete with the ubuntu/debian one (signed .deb packages), so I glimpsed at /etc/pacman.d/* and am currently a bit shocked since all I could see were possibly insecure http/ftp URLs.

I am German, and not the only one becoming increasingly paranoid because our minister of the interior is carelessly trying to push his agenda of new surveillance methods. (Trying to stay politically neutral in here... check the [cruel] Google translation for "Bundestrojaner" if you're interested in what might be in store for Germany.)

So.. if pacman is checking for new sources from http/ftp servers without using any SSL/TLS or the like, wouldn't it be fairly easy for a government controlling the local ISPs (or even a roommate ARP-spoofing the LAN) to get me to download & install / upgrade to a package containing malware/spyware/a (government-or-whatever)-sponsored trojan?

The md5sums in the PKGBUILDs are in no way increasing my security if the PKGBUILD itself is tainted.

What are your thoughts on this? Hopefully I am wrong here.


Offline

#2 2007-07-26 19:02:27

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,866

Re: Pacman vulnerable to MITM attacks?

Unfortunately I think you are correct.

However, I do remember one of the feature requests for pacman 3 was the ability to use signed packages.

Until that is implemented, you could add the IP address for your mirror server in /etc/hosts.
That way you can at least be sure the packages come from an official mirror.
(Most official mirrors are on servers used for education networks and mirror many Linux distros; if someone were faking the IP address it would likely be noticed quickly.)


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#3 2007-07-26 19:49:54

F
Member
Registered: 2006-10-09
Posts: 322

Re: Pacman vulnerable to MITM attacks?

Damn, this is very interesting.

I'll think over it for a while and put up a response. But for now... I, too, think you are also correct.

Offline

#4 2007-07-26 20:09:23

Cerebral
Forum Fellow
From: Waterloo, ON, CA
Registered: 2005-04-08
Posts: 3,108
Website

Re: Pacman vulnerable to MITM attacks?

You're most likely right - the md5/sha1 sums in the PKGBUILDs were never meant for security.  They're there to ensure the package you downloaded didn't get corrupted in the download, and that's it.

There's been talk of signed packages, but nothing's been done to that effect yet.

Offline

#5 2007-07-26 20:42:00

slubman
Member
From: Grenoble (France)
Registered: 2004-08-04
Posts: 86
Website

Re: Pacman vulnerable to MITM attacks?

If your mirror supports FTP with SSL you can also at least check the validity of the certificate and encrypt (the command channel, the transmission channel, or both of them, depending on the mirror) by using a custom XferCommand.

XferCommand = /usr/bin/curl --ftp-ssl-reqd -# -O %u

And to have a little bit more information about what is done (curl is a little silent):

XferCommand = /usr/bin/curl --ftp-ssl-control -k -# -w "Downloaded '%{url_effective}'  succesfully\n" -O %u

You can also improve the output with a little bit of scripting.

Last edited by slubman (2007-07-26 21:48:36)

Offline

#6 2007-07-26 22:51:17

_nalle
Member
From: Stockholm/Sweden
Registered: 2006-01-11
Posts: 70
Website

Re: Pacman vulnerable to MITM attacks?

This has already been brought up by both me and mhakali on this forum a while back.

Here you go:

http://bbs.archlinux.org/viewtopic.php?id=24666
http://bbs.archlinux.org/viewtopic.php?id=27867


Swedish Archlinux Mirror Administrator - ftp.gigabit.nu

Offline

#7 2007-07-27 09:15:46

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,866

Re: Pacman vulnerable to MITM attacks?

Ok, here are some thoughts about how this could be done :


Someone gets gpg keys for archlinux.org and community, possibly the other arch sites also. (Should be the person who is owner of the domain, probably judd.)
Devs and TUs get personal gpg keys.
The keys are registered with a free certificate authority like CAcert
(Aside from the pgp signing this will also allow https for the registered sites and such)
see also CAcert on wikipedia

The CAcert root certificate and public arch/dev/tu keys are published on archlinux.org for download with instructions to put them in a specific place.
(could be put in a separate package also, not sure if that's a good idea)


makepkg gets a new array with 2 options :
sign=(arch personal)

binary packages that have sign=(personal)  will be signed locally with the personal key by makepkg, before upload.
In the repos the sign=() values for packages need to be added to the repo-db.

After uploading, the repo maintenance software for current/extra/testing/unstable/community checks for sign=(arch) and signs all marked packages with the archlinux private key.

Immediately after downloading, pacman checks the db for sign values and checks whether the packages are signed correctly.

Note 1
it may be a good idea to get separate gpg keys for archlinux.org and community

Note 2
this doesn't need to be done all at once, there could be several stages.
It would probably be a good idea if this was organized as a project led by an arch-developer.

Note 3
Also posted as comment on flyspray 5331

Offline

#8 2007-07-28 11:45:37

rbl
Member
Registered: 2005-08-29
Posts: 64

Re: Pacman vulnerable to MITM attacks?

Thanks for the replies. Apparently, you're also very much interested in a more secure arch package management.

Well, we guys usually are very security-aware, aren't we? Speaking for myself, I use FTPS/IMAP+SSL/SSL as much as possible, use CACert SSL certificates for my webserver, and have only LUKS/dm-crypt encrypted partitions (except for /boot). Plus all unique long + cruel passwords.

I'm stating this to make all of you aware that all of these measures are in vain if our package manager is vulnerable to MITM.

_nalle: This might have been brought up before. In fact, I didn't even care to look. As long as this problem persists, from my POV there's no issue devs should be made more aware of than this.

Lone_Wolf: Just avoiding DNS will not help much if anything. In the LAN scenario, you're - basically - able to ARP spoof IPs; and in case your ISP is, well, trying or forced to help your government, I'm sure it'd be possible for them to filter your packets being sent for a specific IP and reroute them to a local "mirror" of their own.

slubman: Nice idea for a workaround. In my opinion, this could prevent your local roommate from messing with your pacman upgrades. Still: in the worse (worst case?) scenario that your GOV.&ISP are working against you, I don't think this would help much. I'm quite sure that they will be able to obtain a valid cert from one of the large commercial CAs for whatever domain they please if they require it. The problem is curl only checking for the presence of any valid&trusted cert and not for a specific trusted cert.

Finally, Lone_Wolf, the approach you describe sounds very doable. Using either CAcert or creating a new CA for arch also seems like the right thing to do.

I hope some more devs will comment on this and come up with a roadmap soon.

Offline

#9 2007-07-28 12:05:48

FeatherMonkey
Member
Registered: 2007-02-26
Posts: 313

Re: Pacman vulnerable to MITM attacks?

http://www.archlinux.org/pipermail/arch … 02856.html here's a thread from a while back, I suspect the stance may still be the same.

As the bug report I suspect if someone actually wrote a patch it would be a step in the right direction, from what I can see the devs don't think this is a priority.

For the ones that do a patch/modified pacman in aur seems the right approach to me, then it can get voted into use.

as this thread and the bug assigned http://bbs.archlinux.org/viewtopic.php?id=27867

Last edited by FeatherMonkey (2007-07-28 12:12:04)

Offline

#10 2007-07-28 12:46:25

iphitus
Forum Fellow
From: Melbourne, Australia
Registered: 2004-10-09
Posts: 4,927

Re: Pacman vulnerable to MITM attacks?

I don't think it's a cause for concern yet.

I'll care when you manage to craft me a new package, modified in some significant form, and installable, yet has the same md5sum/sha1sum as the unmodified package.

I know it's not impossible, but given the effort required for a MITM, and then the difficulty to craft such a package, it's a very improbable outcome.

Anyway, the link above has more than enough reasons against such an implementation now.

James

Last edited by iphitus (2007-07-28 12:47:09)

Offline

#11 2007-07-28 12:54:06

rbl
Member
Registered: 2005-08-29
Posts: 64

Re: Pacman vulnerable to MITM attacks?

iphitus: My malicious package would not have to match a given md5/sha1sum. Any checksums involved are being requested via an unencrypted connection..

Offline

#12 2007-07-28 14:48:35

FeatherMonkey
Member
Registered: 2007-02-26
Posts: 313

Re: Pacman vulnerable to MITM attacks?

I may be being stupid, but wouldn't you also have to modify the pkg on the arch repo also? Or are you saying you can redirect me and change where I'd download from? Also, aren't md5sums done on the localhost after downloading, or am I missing something?

I have actually just found an aur package that had an old link, now I was dubious after finding a host for the file, but the md5sum was correct. Therefore my assumption was that it hadn't been modified, was my assumption wrong?

Last edited by FeatherMonkey (2007-07-28 14:49:22)

Offline

#13 2007-07-28 15:36:49

shining
Pacman Developer
Registered: 2006-05-10
Posts: 2,043

Re: Pacman vulnerable to MITM attacks?

I fail to see what this thread is talking about, security for source tarballs, or security for packages.
There are 2 steps involved :
1) A developer builds a package using makepkg. What's important here is the integrity of the upstream source tarball.
2) A user installs a package with pacman. What's important here is the integrity of the package built by an Arch dev.

Maybe I'm just stupid and am missing something, so please explain


pacman roulette : pacman -S $(pacman -Slq | LANG=C sort -R | head -n $((RANDOM % 10)))

Offline

#14 2007-07-28 16:33:16

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: Pacman vulnerable to MITM attacks?

This thread is talking about an isp redirecting requests (for example) for ftp.archlinux.org to their own servers..where they are distributing modified current.db.tar.gz files, as well as modified packages.

Pacman only really needs to verify the *authenticity* of the repo db files. These files contain the md5sums for the packages. Any non-matches are reported to the end user.
There is no method in place to verify the authenticity of the repo db files... yet.

If anyone has a patch to do so, then please submit it.
I would envision something like using gnupg and a signing key, as many other distributions use.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#15 2007-07-28 16:35:52

rbl
Member
Registered: 2005-08-29
Posts: 64

Re: Pacman vulnerable to MITM attacks?

All right, I'll try to clear things up a bit. I am basically concerned about all packages installed via pacman potentially containing (whatever-evil)-ware, trojans specifically. This is due to the fact that I am downloading package information and the packages themselves via unencrypted, thus insecure connections. I'm not talking about possibly corrupted mirrors here, that's another issue.

So, problem: Corrupt / government-controlled ISPs or untrustworthy LAN neighborhoods can alter any of your traffic that is not encrypted.

Possible solution: Use SSL for any pacman-related traffic. Install server certificates (from CAcert or a new arch CA) on all servers. Hand out certificates signed by the CA to the mirrors. Make pacman check for not only valid certificates, but for these specific certificates to make it impossible to spoof us with certs from other CAs. Let pacman cancel updates/upgrades if the cert doesn't look ok, and spit out an error message.

cactus, you're right, it would suffice if the repository database would be updated via an encrypted connection, since (how I understand it) it contains md5sums of the packages which are being checked by pacman post-download + pre-install.

Last edited by rbl (2007-07-28 16:38:54)

Offline

#16 2007-07-28 17:11:07

skymt
Member
Registered: 2006-11-27
Posts: 443

Re: Pacman vulnerable to MITM attacks?

Proper security wouldn't even require an encrypted connection when downloading the package database. That would require SSL on every server, which would probably lose us some precious mirrors that don't have certificates. All we need is to sign the database and include the public key(s) in the pacman package. Then the only point of vulnerability is the initial ISO download. Even that would be secure if all the ISO mirrors used SSL.

Offline

#17 2007-07-28 17:46:52

nikron
Member
Registered: 2007-05-15
Posts: 130

Re: Pacman vulnerable to MITM attacks?

I've actually had a problem related to this. At an airport, I did pacman -Syu when connected, but not to the internet (it routed everything to verzion.com). So I ended up getting html files from verzion.com, instead of databases.

Offline

#18 2007-07-28 18:30:04

dante
Member
Registered: 2007-06-08
Posts: 38

Re: Pacman vulnerable to MITM attacks?

I also think that it is very important in this time, that there is a possibility to get Arch and updates in a secure way. So the priority is not that low for me. How is Debian or Fedora managing this situation? Isn't it possible to adopt something from them? I trust the Developers and the TUs, but I don't trust the way.

dante


"Lasciate ogni speranza, voi ch' entrate"
- Laßt jede Hoffnung hinter euch, ihr, die ihr eintretet -

Dante Alighieri

Offline

#19 2007-08-06 12:43:27

hybrid
Member
Registered: 2007-02-05
Posts: 261

Re: Pacman vulnerable to MITM attacks?

skymt: That's not fully correct: if you include it into the pacman package it would be vulnerable on every single pacman update. Alright, considering pacman's way of "dealing with config files" it's not necessarily vulnerable but imo the key should be kept separate from pacman.

I fully agree with rbl and I do think it is highly important to secure the connection between the user and the trusted Archlinux-Server.

Offline

#20 2007-08-06 15:33:22

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: Pacman vulnerable to MITM attacks?

rbl wrote:

cactus, you're right, it would suffice if the repository database would be updated via an encrypted connection, since (how I understand it) it contains md5sums of the packages which are being checked by pacman post-download + pre-install.

That is not what I said at all. In fact, I said "No". SSL transport encryption is not needed.

SSL "hides" data from eavesdroppers. We are not interested in hiding the contents of the transmission. We are interested in a guarantee that the software downloaded is what the devs uploaded to the repository.

Part of a good security plan is appropriate implementation of cryptography. In this instance, ssl transport encryption is entirely inappropriate, and pointless.
Public-key cryptographic signing of the repo.db.tar.gz file is what I was suggesting.


Offline

#21 2007-08-06 23:22:07

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,866

Re: Pacman vulnerable to MITM attacks?

I agree with cactus that ssl-encryption is not needed here.

A public/private key-pair for signing the repo databases is a good starting point.
Now all we have to find is a C programmer (iirc that's the language pacman is written in) who can write a patch.

(I know very little about C)

Offline

#22 2007-08-06 23:46:37

FeatherMonkey
Member
Registered: 2007-02-26
Posts: 313

Re: Pacman vulnerable to MITM attacks?

Now to me this whole thread is hypothetical, I use a wired network have no interest in using a wireless router that I have no control over.

But if this is written, then applied, I can't see how this would guarantee anything; the first paragraph says it here http://webber.dewinter.com/gnupg_howto/ … html#ss1.4 if they are getting in the middle why can't they supplement their key for the proper key.

Which to me seems worse as now you've given them complete trust. And hell, if the government is getting the co-operation of the ISP either someone's being very naughty or the government is approaching big brother and they are just following EC directive. I'm more scared at the other data retention than this, as this article. http://en.wikipedia.org/wiki/Telecommun … _retention

If this can actually be done by a hack rather than a government-cooperative ISP then I may be a little worried, as I for one don't live in a censored country or do anything illegal.

What do we do, arrange a mass key signing party, have the sig clearly signified? Hell, if they're cooperating with your isp can't they just spoof that page and give the sig that matches their sig.

Offline

#23 2007-08-08 12:18:57

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,866

Re: Pacman vulnerable to MITM attacks?

FeatherMonkey wrote:

the first paragraph says it here http://webber.dewinter.com/gnupg_howto/ … html#ss1.4 if they are getting in the middle why can't they supplement their key for the proper key.

You misinterpret that paragraph.
PGP uses 2 keys :  a private/secret key and a public key.
The private key is the one used to sign messages and will only be in possession of the key owner.
If it was to be stored on the arch server, access to the private key would be restricted to those apps that need it to sign messages.
(iirc ssl uses a similar method for its keys)

What will be posted on the arch site is the PUBLIC key, that can only be used to verify the authenticity of messages.

FeatherMonkey wrote:

Now to me this whole thread is hypothetical, I use a wired network have no interest in using a wireless router that I have no control over.

Many archusers run arch on laptops and I'm one of them.
Let's suppose I'm on vacation and an important security fix is released.
At that time I don't have access to a trusted network so I'll have no choice but to use an open network for the update.

If I have the PUBLIC arch pgp key with me I can use any network to update knowing I can verify the authenticity of the update.

Offline

#24 2007-08-08 13:11:14

FeatherMonkey
Member
Registered: 2007-02-26
Posts: 313

Re: Pacman vulnerable to MITM attacks?

I confess my understanding is limited, I truly accept the point about wireless.

I read that differently as before you get the key, I accept if you know the key is right and are updating, but if the original key is swapped and the isp is spoofing the webpage, which I also guess could be done by the wireless controller. i.e installing

So now you go to the wrong page with the wrong key (which hypothetically could be a dodgy isp), which as the first post is the concern. If you can guarantee the original key which I ? as what's stopping the spoofing of the webpage, and posting the public sig to my key?

This solution certainly seems better though, being a single key (than some rpm based OS), as with the other OS I get flooded with keys and just accept them. I also suspect it would be the same with a lot of novice users.

What's stopping someone spoofing the page saying please replace keys as we've had to revoke them.

I suppose what I'm saying without a physical web of trust we either take it the key is right because the web page says so, but doesn't that leave it open to social engineering?

Please understand my knowledge is poor in this whole area if I'm missing the mark my apologies.

This was about an isp being involved, so I'm just not sure what's stopping the isp pointing to a government arch mirror with their key and their modified packages. Which seems just a little paranoid to me. I accept after receiving the key but before receiving the key how could I confirm that the page I see is the page I should see.

Offline

#25 2007-08-08 13:20:57

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,866

Re: Pacman vulnerable to MITM attacks?

You are correct that getting the public key is the weak part.
Some things can be done to make that more secure :
archlinux.org gets a certificate from a certificate authority and the key can only be downloaded from an https page.
So the certificate will say archlinux.org is indeed archlinux.org and I can verify that.

However this only puts the trust question further down in the chain :
who issued the certificate and do I trust them ?
At some point you have to decide who you trust.

Offline
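
The trust chain argued over in posts #11, #14, #20 and #24-#25, modelled as an added example that is not part of the original thread and not pacman's code. Toy textbook RSA stands in for the GnuPG signature proposed above (an assumption, not secure), the "name md5sum" database format is simplified, and all keys, package bytes and function names are constructed for illustration.

```python
import hashlib

# Toy textbook RSA from two Mersenne primes. It stands in for a GnuPG
# signature, is NOT secure, and only makes sign/verify runnable offline.
def make_key(p, q, e=65537):
    n = p * q
    return {"pub": (n, e), "priv": (n, pow(e, -1, (p - 1) * (q - 1)))}

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, priv):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(data, sig, pub):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

def make_db(packages):
    """Simplified repo database: one 'name md5sum' line per package."""
    return "\n".join(f"{name} {hashlib.md5(blob).hexdigest()}"
                     for name, blob in sorted(packages.items())).encode()

def checksums_ok(db, packages):
    """The check the thread describes: compare each package to the db's md5sum."""
    listed = dict(line.split() for line in db.decode().splitlines())
    return all(listed.get(n) == hashlib.md5(b).hexdigest()
               for n, b in packages.items())

def client_accepts(db, sig, packages, trusted_pub=None):
    """If the client holds a public key, the db signature is checked first."""
    if trusted_pub is not None and not verify(db, sig, trusted_pub):
        return False
    return checksums_ok(db, packages)

# Constructed sample data.
ARCH_KEY = make_key(2**127 - 1, 2**89 - 1)   # repo maintainer's key pair
MITM_KEY = make_key(2**107 - 1, 2**61 - 1)   # key pair made by the interceptor

good_pkgs = {"openssh": b"genuine package bytes"}
good_db = make_db(good_pkgs)
good_sig = sign(good_db, ARCH_KEY["priv"])

# The interceptor serves a modified package plus a matching db and signature.
evil_pkgs = {"openssh": b"modified package bytes"}
evil_db = make_db(evil_pkgs)
evil_sig = sign(evil_db, MITM_KEY["priv"])

def scenarios():
    arch_pub, mitm_pub = ARCH_KEY["pub"], MITM_KEY["pub"]
    return {
        # Post #11: unsigned db; checksums match because both were replaced.
        "unsigned_db_tampered": client_accepts(evil_db, None, evil_pkgs),
        # Posts #14/#20: db signature checked against the genuine public key.
        "signed_db_genuine": client_accepts(good_db, good_sig, good_pkgs, arch_pub),
        "signed_db_tampered": client_accepts(evil_db, evil_sig, evil_pkgs, arch_pub),
        # Genuine signed db but a swapped package: the md5sum no longer matches.
        "genuine_db_swapped_pkg": client_accepts(good_db, good_sig, evil_pkgs, arch_pub),
        # Posts #24/#25: the public key itself was fetched through the interceptor.
        "key_substituted": client_accepts(evil_db, evil_sig, evil_pkgs, mitm_pub),
    }

if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:24} accepted={accepted}")
```

The last scenario is the one post #25 concedes: signing moves the whole question onto how the client first obtained the public key.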
