Bug#283377: RC2 install report on Dell SC420, security issue with network-console udeb "installer" user not being removed
Package: installation-reports
INSTALL REPORT
Debian-installer-version:
RC2 netinstall image for i386, downloaded from
http://cdimage.debian.org/pub/cdimage-testing/sarge_d-i/i386/rc2/sarge-i386-netinst.iso
on 20041126
uname -a:
Linux chloe 2.6.8-1-386 #1 Thu Nov 25 04:24:08 UTC 2004 i686 GNU/Linux
Date:
20041126, ~23:00 UTC
Method:
Burnt the netinstall image to CD, using the "expert26" boot parameter.
Apt sources were unstable over HTTP from mirrors.kernel.org and
ftp.debian.org (no proxy).
Machine: Dell PowerEdge SC420
Processor: 2.8GHz Pentium 4
Memory: 256MB DDR2-400 SDRAM
Root Device: 160GB SATA drive (/dev/sda2)
Root Size/partition table:
sda1 Primary Dell Utility 57.58
sda2 Boot Primary Linux ext3 [/] 39983.09
sda3 Primary Linux ext3 39999.54
sda5 Logical Linux swap / Solaris 1003.49
Debian was installed to /dev/sda2; /dev/sda3 is currently formatted
but unmounted and unused.
Output of lspci and lspci -n:
Note: I took the Aureal Vortex sound card out of another machine; it
didn't come with the SC420 (but it does work nicely in Debian).
lspci:
------
0000:00:00.0 Host bridge: Intel Corp. Server Memory Controller Hub (rev 04)
0000:00:01.0 PCI bridge: Intel Corp. Server Memory Controller Hub PCI Express Port (rev 04)
0000:00:02.0 VGA compatible controller: Intel Corp. Graphics Controller (rev 04)
0000:00:1c.0 PCI bridge: Intel Corp. 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 1 (rev 03)
0000:00:1c.1 PCI bridge: Intel Corp. 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 2 (rev 03)
0000:00:1d.0 USB Controller: Intel Corp. 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #1 (rev 03)
0000:00:1d.1 USB Controller: Intel Corp. 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #2 (rev 03)
0000:00:1d.2 USB Controller: Intel Corp. 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #3 (rev 03)
0000:00:1d.3 USB Controller: Intel Corp. 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #4 (rev 03)
0000:00:1d.7 USB Controller: Intel Corp. 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB2 EHCI Controller (rev 03)
0000:00:1e.0 PCI bridge: Intel Corp. 82801 PCI Bridge (rev d3)
0000:00:1f.0 ISA bridge: Intel Corp. 82801FB/FR (ICH6/ICH6R) LPC Interface Bridge (rev 03)
0000:00:1f.1 IDE interface: Intel Corp. 82801FB/FBM/FR/FW/FRW (ICH6 Family) IDE Controller (rev 03)
0000:00:1f.2 IDE interface: Intel Corp. 82801FR/FRW (ICH6R/ICH6RW) SATA Controller (rev 03)
0000:00:1f.3 SMBus: Intel Corp. 82801FB/FBM/FR/FW/FRW (ICH6 Family) SMBus Controller (rev 03)
0000:02:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5751 Gigabit Ethernet PCI Express (rev 01)
0000:04:02.0 Multimedia audio controller: Aureal Semiconductor Vortex 2 (rev fe)
lspci -n:
---------
0000:00:00.0 0600: 8086:2588 (rev 04)
0000:00:01.0 0604: 8086:2589 (rev 04)
0000:00:02.0 0300: 8086:258a (rev 04)
0000:00:1c.0 0604: 8086:2660 (rev 03)
0000:00:1c.1 0604: 8086:2662 (rev 03)
0000:00:1d.0 0c03: 8086:2658 (rev 03)
0000:00:1d.1 0c03: 8086:2659 (rev 03)
0000:00:1d.2 0c03: 8086:265a (rev 03)
0000:00:1d.3 0c03: 8086:265b (rev 03)
0000:00:1d.7 0c03: 8086:265c (rev 03)
0000:00:1e.0 0604: 8086:244e (rev d3)
0000:00:1f.0 0601: 8086:2640 (rev 03)
0000:00:1f.1 0101: 8086:266f (rev 03)
0000:00:1f.2 0101: 8086:2652 (rev 03)
0000:00:1f.3 0c05: 8086:266a (rev 03)
0000:02:00.0 0200: 14e4:1677 (rev 01)
0000:04:02.0 0401: 12eb:0002 (rev fe)
Base System Installation Checklist:
[O] = OK, [E] = Error (please elaborate below), [ ] = didn't try it
Initial boot worked: [O]
Configure network HW: [O]
Config network: [O]
Detect CD: [O]
Load installer modules: [O]
Detect hard drives: [O]
Partition hard drives: [O]
Create file systems: [O]
Mount partitions: [O]
Install base system: [O]
Install boot loader: [O]
Reboot: [E]
Comments/Problems:
Error with reboot was http://bugs.debian.org/277298. This problem is
fixed in the latest 2.6.8 kernel package in the unstable tree
(kernel-image-2.6.8-1-386_2.6.8-10_i386.deb).
A more bothersome (security-related) problem is that when the
network-console udeb is loaded and used to remotely access the install
process via SSH, the "installer" user isn't deleted from the system at
the end of the install process.
Here's what I did:
- Booted from the RC2 netinstall CD for i386 with the expert26 boot option
- Loaded the "network-console" udeb so that I would be able to SSH
into the installer
- When I was given the option to "Continue installation remotely using
SSH", I set a password for the installer user and then used it to SSH
in from another machine.
The screen where you set the "installer" user's password says, "This
password is used only by the Debian installer, and will be discarded
once you finish the installation." However, this is not the case -
this user persists after completion of the install and rebooting, etc.
From /etc/passwd:
installer:x:0:0:installer:/:/usr/sbin/base-config-network-console
From /etc/shadow (password is 'password'):
installer:$1$.a.mY5c.$rUQXKaPfTgLhzLOTpY3sZ.:1:0:99999:7:::
Although this is mitigated by the fact that
/usr/sbin/base-config-network-console doesn't exist after the install,
an attacker that has gained root via privilege escalation or
exploiting a privileged daemon can just create a symlink from
/usr/sbin/base-config-network-console to /bin/bash. The "installer"
user's password is most likely easier to crack than the root password,
since the administrator has been told that the installer user will not
persist. Since the default configuration of the Debian ssh package
includes "PermitRootLogin yes", the attacker can crack the weaker
"installer" password, create the symlink, and thus gain remote root
access via SSH. The administrator probably won't even realize that
this account exists, and this will also slip past file integrity
checkers watching /etc/passwd and /etc/shadow since modifying these
files is unnecessary if the "installer" password can be cracked.
Thanks,
- Colleen
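A defender's check for the leftover account this report describes, added here as an example and not part of the original bug report: it scans a passwd file for UID-0 accounts other than root and for accounts whose login shell does not exist on disk, which is how a stale "installer" entry shows up even though /etc/passwd itself is never modified and a hash-based integrity checker stays quiet. The passwd content is constructed sample data, and the root-prefix argument is an assumption so the shell check can be run against a staged tree.

```shell
#!/bin/sh
# Audit a passwd file for leftover privileged accounts such as the
# "installer" user left behind by network-console: report any UID-0
# account other than root, and any account whose login shell is missing.

# Constructed sample passwd content, not taken from a real machine.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
installer:x:0:0:installer:/:/usr/sbin/base-config-network-console
colleen:x:1000:1000:Colleen,,,:/home/colleen:/bin/bash'

# audit_passwd PASSWD_CONTENT ROOT_PREFIX
# Prints one line per finding: "name uid shell reason".
# ROOT_PREFIX (assumed helper argument) is prepended to the shell path so
# the check can run against a staged filesystem instead of the live one.
audit_passwd() {
    printf '%s\n' "$1" | while IFS=: read -r name _pw uid _gid _gecos _home shell; do
        [ -n "$name" ] || continue
        # A second UID-0 login is root under another name and password.
        if [ "$uid" -eq 0 ] && [ "$name" != root ]; then
            printf '%s %s %s extra-uid0\n' "$name" "$uid" "$shell"
        fi
        # A missing shell only blocks logins until someone recreates it,
        # e.g. as a symlink, so it is a finding rather than a mitigation.
        if [ ! -x "$2$shell" ]; then
            printf '%s %s %s missing-shell\n' "$name" "$uid" "$shell"
        fi
    done
}

# Number of findings, for use in cron jobs or configuration checks.
count_findings() {
    audit_passwd "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run against the sample, checking shells on the live host.
# Remediation for a confirmed leftover: passwd -l installer, then userdel installer.
audit_passwd "$SAMPLE_PASSWD" ""
```

On a real host, feed it `"$(cat /etc/passwd)"` and an empty prefix; the installer entry from this report is flagged twice, once as an extra UID-0 login and once for its missing shell.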