Bug#442180: d-i preseed method allows for remote cmd exec. in combination with DNS hijacking
severity 442180 wishlist
retitle 442180 make the network mode work securely
It should be noted that this bug applies only to the customized build used in
http://goodbye-microsoft.com/, and not to the version of win32-loader in Debian
(where network shouldn't be used at all). Nevertheless I'd like to use the BTS
facilities to track this kind of thing, since it still applies to the source
code of win32-loader even if not used in Debian CDs.
On Thu, Sep 13, 2007 at 08:24:41PM -0400, Joey Hess wrote:
> Moritz Naumann wrote:
> > The default boot option used by this package contains the following:
> > preseed/url=http://goodbye-microsoft.com/runtime/preseed.cfg
> There is a compile time option (NETWORK_BASE_URL) that can enable this,
> and maybe it's enabled on the goodbye-microsoft.com version (didn't check),
> but that is not a Debian website. The option is not used in the version
> of win32-loader included in Debian.
> BTW, if you can use DNS hijacking to spoof
> http://goodbye-microsoft.com/runtime/preseed.cfg , it may be easier to
> simply spoof http://goodbye-microsoft.com/pub/debian.exe . Then you can
> use a platform that is demonstrably superb at running virii and
> botnets. :-)
> (d-i preseeding does support specifying the md5sums of preseed files.)
As Joey pointed out, the whole process is inherently insecure. It should
come as no surprise; you can see that as soon as you see http:// instead of
https:// and Windows starts complaining about unsigned executables.
I would welcome a complete solution to make this process secure (well, as
much as it can be, since you can't escape trusting Microsoft code), provided
that the "solution" doesn't involve me paying $1000/year for an SSL website+code
certificate. This can either mean SPI sponsorship, a yearly donation or
(PREFERABLY) a patch for win32-loader to use a saner scheme such as gnupg.
As it stands now, fixing specific problems without getting the whole trust
chain to work is rather pointless.
<GPLv2> I know my rights; I want my phone call!
<DRM> What use is a phone call, if you are unable to speak?
(as seen on /.)
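The mitigation Joey mentions in passing (pinning the md5sum of the preseed file on the boot line) illustrated as an added example; this is not code from the bug report or from win32-loader. It assumes d-i's `preseed/url/checksum` parameter name, and the two preseed.cfg bodies are constructed stand-ins. As the thread notes, the pin only helps if the boot line that carries it was not itself fetched over the same unauthenticated channel.

```python
import hashlib
import hmac
from typing import Dict

# Constructed stand-in for the genuine preseed.cfg the site publishes.
GENUINE_PRESEED = (b"d-i mirror/http/hostname string ftp.debian.org\n"
                   b"d-i mirror/http/directory string /debian\n")
# Constructed stand-in for what a hijacked DNS name could hand back instead.
TAMPERED_PRESEED = (b"d-i mirror/http/hostname string mirror.example.invalid\n"
                    b"d-i mirror/http/directory string /debian\n")

PRESEED_URL = "http://goodbye-microsoft.com/runtime/preseed.cfg"


def parse_cmdline(cmdline: str) -> Dict[str, str]:
    """Split a kernel command line into key=value parameters (bare flags map to '')."""
    params: Dict[str, str] = {}
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        params[key] = value if sep else ""
    return params


def check_preseed(cmdline: str, fetched: bytes) -> str:
    """Decide what the installer should do with a file fetched from preseed/url.

    'unverified': no checksum pinned, so whatever the resolver/server hands back
    is taken on faith (the situation the bug report describes).
    'verified'/'rejected': the pinned md5sum (assumed parameter name
    preseed/url/checksum) matches / does not match the fetched bytes.
    """
    params = parse_cmdline(cmdline)
    if "preseed/url" not in params:
        return "no-preseed"
    expected = params.get("preseed/url/checksum")
    if not expected:
        return "unverified"
    actual = hashlib.md5(fetched).hexdigest()
    return "verified" if hmac.compare_digest(actual, expected) else "rejected"


# Boot line as the page quotes it: no integrity check at all.
UNPINNED_CMDLINE = f"auto=true priority=critical preseed/url={PRESEED_URL}"
# Same boot line with the md5sum of the genuine file pinned by the publisher.
PINNED_CMDLINE = (UNPINNED_CMDLINE + " preseed/url/checksum="
                  + hashlib.md5(GENUINE_PRESEED).hexdigest())

if __name__ == "__main__":
    for name, line in (("unpinned", UNPINNED_CMDLINE), ("pinned", PINNED_CMDLINE)):
        for label, data in (("genuine", GENUINE_PRESEED), ("tampered", TAMPERED_PRESEED)):
            print(f"{name:8s} {label:8s} -> {check_preseed(line, data)}")
```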