MITM attacks against portsnap and freebsd-update
Brooks Davis
brooks at freebsd.org
Thu Apr 10 18:33:32 UTC 2014
[Trimming the list to -security plus Colin in hopes of reducing the
number of partial conversations. Sending to four lists and an alias is
a list etiquette violation.]
[Also dropping the discussion of replacing portsnap since that is
a mostly unrelated discussion.]
On Thu, Apr 10, 2014 at 12:03:45PM -0500, David Noel wrote:
> Problem Summary
>
> 1. Both portsnap and freebsd-update extract fetched data prior to its
> SHA256 verification. The extraction libraries used have a long history
> of bugs so it's reasonable to assume there might be more. Both
> freebsd-update and portsnap are run as root. Using a vulnerability in
> the decompression libraries an attacker who was MITM-capable could
> compromise any FreeBSD system running portsnap or freebsd-update.
> 2. The portsnap mirroring script (pmirror.sh) lacks of any sort of
> mechanism to verify the data prior to processing and mirroring it.
> Without this, mirrors are open to compromise via methods similar to
> those found in the client-side scripts (decompression library
> exploitation). It also means an attacker could feed a mirror a corrupt
> archive, opening users of that mirror to compromise.
These seem like serious issues and a verify-first design would have been
better. That said, I'm not convinced that a rototil of the protocol and
all the associated storage duplication is worth the effort. It's better
in my mind to commit one of the patches to sandbox gzip with Capsicum
which will protect from everything except filling the disk by denying
gunzip the ability to do anything but write to the file opened by the
script. That will protect all gzip users.
> 3. Both portsnap and freebsd-update are vulnerable to freeze attacks.
What do you mean by a freeze attack? I'm not familiar with this term
and I didn't find this post, the PRs, or a quick Google search illuminating.
-- Brooks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 326 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20140410/c6a8db4b/attachment.sig>
More information about the freebsd-security
mailing list