Date: Thu, 10 Apr 2014 13:33:30 -0500 From: Brooks Davis <brooks@freebsd.org> To: David Noel <david.i.noel@gmail.com> Cc: freebsd-security@freebsd.org, Colin Percival <cperciva@freebsd.org> Subject: Re: MITM attacks against portsnap and freebsd-update Message-ID: <20140410183330.GB31394@lor.one-eyed-alien.net> In-Reply-To: <CAHAXwYCGkP-o0VvMXj5S8-KNA45aTvy%2BsrjDL_=8-x9Dza5z5Q@mail.gmail.com> References: <CAHAXwYCGkP-o0VvMXj5S8-KNA45aTvy%2BsrjDL_=8-x9Dza5z5Q@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--hQiwHBbRI9kgIhsi Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable [Trimming the list to -security plus Colin in hopes of reducing the number of partial conversations. Sending to four lists and an alias is a list etiquette violation.] [Also dropping the discussion of replacing portsnap since that is a mostly unrelated discussion.] On Thu, Apr 10, 2014 at 12:03:45PM -0500, David Noel wrote: > Problem Summary >=20 > 1. Both portsnap and freebsd-update extract fetched data prior to its > SHA256 verification. The extraction libraries used have a long history > of bugs so it's reasonable to assume there might be more. Both > freebsd-update and portsnap are run as root. Using a vulnerability in > the decompression libraries an attacker who was MITM-capable could > compromise any FreeBSD system running portsnap or freebsd-update. > 2. The portsnap mirroring script (pmirror.sh) lacks of any sort of > mechanism to verify the data prior to processing and mirroring it. > Without this, mirrors are open to compromise via methods similar to > those found in the client-side scripts (decompression library > exploitation). It also means an attacker could feed a mirror a corrupt > archive, opening users of that mirror to compromise. These seem like serious issues and a verify-first design would have been better. That said, I'm not convinced that a rototil of the protocol and all the associated storage duplication is worth the effort. It's better in my mind to commit one of the patches to sandbox gzip with Capsicum which will protect from everything except filling the disk by denying gunzip the ability to do anything but write to the file opened by the script. That will protect all gzip users. > 3. Both portsnap and freebsd-update are vulnerable to freeze attacks. What do you mean by a freeze attack? I'm not familiar with this term and I didn't find this post, the PRs, or a quick Google search illuminating. -- Brooks --hQiwHBbRI9kgIhsi Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (FreeBSD) iKYEARECAGYFAlNG4/pfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldDY1NUQ1MTlDMjZBNzgyRTcyNTI5OUJGMDVE OEU4QkU5RjIzODFBRDQACgkQXY6L6fI4GtTuQgCbBwNhwz/lP6urDkGC7F1KVlZ4 Er0An3cYneantIfrC4keWX63TrO/5or3 =zDqa -----END PGP SIGNATURE----- --hQiwHBbRI9kgIhsi--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140410183330.GB31394>