Re: Bug#442180: d-i preseed method allows for remote cmd exec. in combination with DNS hijacking
Btw, I'd like to point out that we're releasing official images for installing
Debian that don't include any signature and are hence vulnerable to DNS
spoofing, etc. Unfortunately my complaints didn't draw much attention (perhaps
they weren't addressed at the right place?). Anyway, see #379129.
On Fri, Sep 14, 2007 at 08:28:59AM +0200, Robert Millan wrote:
> severity 442180 wishlist
> retitle 442180 make the network mode work securely
> It should be noted that this bug applies only to the customized build used in
> http://goodbye-microsoft.com/, and not to the version of win32-loader in Debian
> (where network shouldn't be used at all). Nevertheless I'd like to use the BTS
> facilities to track this kind of thing, since it still applies to the source
> code of win32-loader even if not used in Debian CDs.
> On Thu, Sep 13, 2007 at 08:24:41PM -0400, Joey Hess wrote:
> > Moritz Naumann wrote:
> > > The default boot option used by this package contains the following:
> > > preseed/url=http://goodbye-microsoft.com/runtime/preseed.cfg
> > There is a compile time option (NETWORK_BASE_URL) that can enable this,
> > and maybe it's enabled on the goodbye-microsoft.com version (didn't check),
> > but that is not a Debian website. The option is not used in the version
> > of win32-loader included in Debian.
> > BTW, if you can use DNS hijacking to spoof
> > http://goodbye-microsoft.com/runtime/preseed.cfg , it may be easier to
> > simply spoof http://goodbye-microsoft.com/pub/debian.exe . Then you can
> > use a platform that is demonstrably superb at running virii and
> > botnets. :-)
> > (d-i preseeding does support specifying the md5sums of preseed files.)
> As Joey pointed out, the whole process is inherently insecure. It should
> come as no surprise, you can see that as soon as you see http:// instead of
> https:// and Windows starts complaining about unsigned executables.
> I would welcome a complete solution to make this process secure (well, as
> much as it can be, since you can't escape trusting Microsoft code), provided
> that the "solution" doesn't involve me paying $1000/year for an SSL website+code
> certificate. This can either mean SPI sponsorship, a yearly donation or
> (PREFERABLY) a patch for win32-loader to use a saner scheme such as gnupg.
> As it stands now, fixing specific problems without getting the whole trust
> chain to work is rather pointless.
>  http://kitenet.net/~joey/joeyca/
> Robert Millan
> <GPLv2> I know my rights; I want my phone call!
> <DRM> What use is a phone call, if you are unable to speak?
> (as seen on /.)
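Joey's remark that d-i can carry md5sums for preseed files, and Robert's point that piecemeal fixes are pointless without a trust chain, can be illustrated together. The script below is an added example, not code from the bug report, d-i or win32-loader: it emulates a boot command line that carries a preseed/checksum= value baked into the (trusted) image and refuses a fetched preseed.cfg whose md5 does not match. The boot line, file contents and hostnames are constructed sample data; it assumes md5sum from coreutils.

```shell
#!/bin/sh
# Added example (not part of the bug report or win32-loader): a fetched
# preseed file is only as trustworthy as the checksum it is compared against,
# and that checksum must come from the boot medium, not from the same network.

# Print the value of KEY=... from a kernel command line; fail if absent.
cmdline_param() {  # $1 = command line, $2 = key
    for kv in $1; do
        case "$kv" in
            "$2="*) printf '%s\n' "${kv#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Succeed only if FILE's md5 equals the preseed/checksum= value on the
# command line. No checksum on the command line means nothing to verify
# against, so the file is rejected (fail closed rather than fail open).
verify_preseed() {  # $1 = fetched preseed file, $2 = boot command line
    expected=$(cmdline_param "$2" preseed/checksum) || return 1
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Demo on constructed data: the trusted boot line carries the md5 of the
# genuine file, so a substituted file (e.g. via DNS hijacking) is refused.
tmp=$(mktemp)
printf 'd-i mirror/http/hostname string ftp.debian.org\n' > "$tmp"
good=$(md5sum "$tmp" | cut -d' ' -f1)
boot="auto=true preseed/url=http://example.invalid/runtime/preseed.cfg preseed/checksum=$good"
verify_preseed "$tmp" "$boot" && echo "genuine preseed accepted"
printf 'd-i mirror/http/hostname string mirror.example.invalid\n' >> "$tmp"
verify_preseed "$tmp" "$boot" || echo "modified preseed rejected"
verify_preseed "$tmp" "auto=true preseed/url=http://example.invalid/preseed.cfg" \
    || echo "no checksum on the boot line: rejected"
rm -f "$tmp"
```

A checksum fetched over the same unauthenticated HTTP path as the file adds nothing; only a value shipped inside the signed or locally verified installer image closes the loop.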