Message-ID: <66303BF2.2070502@gmail.com>
Date: Mon, 29 Apr 2024 19:31:46 -0500
From: Jacob Bachmeyer
To: Vegard Nossum
CC: oss-security@lists.openwall.com, Hank Leininger
References: <20240427234834.c0219029-fe37-49ef-a563-4d24eea118c2@korelogic.com>
Subject: Re: [oss-security] Update on the distro-backdoor-scanner effort

Vegard Nossum wrote:
> [...]
> Hi,
>
> Masquerading a shell command as a pkg-config variable definition is
> trivial (but probably still detectable) since you can just do:
>
> foobar=/usr echo hi
>
> which AFAIK is a valid pkg-config variable definition but also a valid
> shell command.

You are correct, but making this a little bit harder for an attacker is
still an improvement.  Perhaps pkg-config variable values should be
required to be in quotes if they contain spaces?

The bigger issue is accepting an *-uninstalled.pc in a system directory,
which means that it actually *has* been installed.  That logic error
allowed your backdoor to override the real libelf.pc without producing a
file conflict that the package manager could detect.

> Also remember that in my particular example I reused the same file but
> it would also be trivial to use a different file in the $(...) expansion
> so that the payload actually lives somewhere else.

Agreed, but adding another file to the backdoor increases the chance of
the attacker getting caught.

> The payload doesn't
> even have to be a shell script, it could also be a small ELF binary or
> something where you wouldn't necessarily be able to tell at a glance
> that it does something malicious.

Also correct; in fact, for a package that actually installs executables,
a bit of extra code in an otherwise legitimate binary to detect when the
grandparent is make(1) and drop a backdoor could very likely go
unnoticed.  (This would be the rogue or compromised distribution
packager scenario, where the binaries distributed do not match the
sources.)


-- Jacob
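The three points raised in the exchange above (a line that is both a
pkg-config variable definition and a shell command, the suggestion that
values containing spaces be quoted, and an *-uninstalled.pc file turning
up in a system pkg-config directory) each map onto a check a .pc scanner
could run.  The following is an added example written for this page; it
is not code from the distro-backdoor-scanner project or from either
poster.  The sample .pc contents, the /tmp/payload path and the list of
system pkg-config directories are constructed assumptions for the
demonstration.

```python
"""Flag pkg-config (.pc) files that exhibit the shell/pkg-config
ambiguities discussed in the thread.

Checks:
  1. a variable value containing command substitution ($(...) or
     backticks) or a shell control operator; e.g. "foobar=/usr echo hi"
     is a valid pkg-config variable but also a valid shell command line;
  2. a variable value containing whitespace that is not wrapped in
     quotes (the "require quotes around values with spaces" idea);
  3. a *-uninstalled.pc file located under a system pkg-config directory,
     where an uninstalled-tree descriptor should never be installed.
"""
import re
from pathlib import PurePosixPath

# Assumption: a typical set of system pkg-config search directories.
SYSTEM_PC_DIRS = (
    "/usr/lib/pkgconfig",
    "/usr/lib64/pkgconfig",
    "/usr/share/pkgconfig",
    "/usr/local/lib/pkgconfig",
)

# pkg-config syntax: "name=value" defines a variable, "Keyword: value"
# is a field such as Name:, Libs: or Cflags:.  Whitespace around '=' is
# tolerated and trimmed.
VAR_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_.]*)\s*=\s*(.*?)\s*$")
KEYWORD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_.]*)\s*:\s*(.*?)\s*$")

# Shell constructs with no legitimate meaning in a .pc variable value.
# Note that pkg-config's own ${var} references do not match "$(".
SHELL_SUBST_RE = re.compile(r"\$\(|`")
SHELL_CTRL_RE = re.compile(r"[;&|<>]")


def parse_pc(text):
    """Split .pc text into (variables, keywords) dicts, dropping comments."""
    variables, keywords = {}, {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = KEYWORD_RE.match(line)
        if m:
            keywords[m.group(1)] = m.group(2)
    return variables, keywords


def _fully_quoted(value):
    """True if the whole value sits inside one pair of matching quotes."""
    return len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'"


def scan_pc(path, text):
    """Return a list of (check, detail) findings for one .pc file."""
    findings = []
    p = PurePosixPath(path)
    if p.name.endswith("-uninstalled.pc") and str(p.parent) in SYSTEM_PC_DIRS:
        findings.append(("uninstalled-in-system-dir", str(p)))
    variables, _ = parse_pc(text)
    for name, value in variables.items():
        if SHELL_SUBST_RE.search(value):
            findings.append(("command-substitution", f"{name}={value}"))
        if SHELL_CTRL_RE.search(value):
            findings.append(("shell-control-operator", f"{name}={value}"))
        if re.search(r"\s", value) and not _fully_quoted(value):
            findings.append(("unquoted-whitespace", f"{name}={value}"))
    return findings


# Constructed sample files for this example (not real distribution files).
BENIGN_PC = """\
prefix=/usr
exec_prefix=${prefix}
libdir=${exec_prefix}/lib64
includedir=${prefix}/include

Name: libelf
Description: ELF access library
Version: 1.0
Libs: -L${libdir} -lelf
Cflags: -I${includedir}
"""

SUSPICIOUS_PC = """\
prefix=/usr
# a valid variable definition that is also a valid shell command line
foobar=/usr echo hi
# payload lives in a separate file referenced from the $(...) expansion
libdir=${prefix}/lib $(sh /tmp/payload)
Name: libelf
Version: 1.0
Libs: -L${libdir} -lelf
"""

if __name__ == "__main__":
    for path, text in (("/usr/lib64/pkgconfig/libelf.pc", BENIGN_PC),
                       ("/usr/lib64/pkgconfig/libelf-uninstalled.pc", SUSPICIOUS_PC)):
        for check, detail in scan_pc(path, text):
            print(f"{path}: {check}: {detail}")
```

The whitespace check will also fire on legitimate but unusual variable
definitions, so treat it as a review prompt rather than a verdict; the
command-substitution and uninstalled-in-system-dir checks have no benign
reading and are the ones worth failing a package build on.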