Bug#442180: d-i preseed method allows for remote cmd exec. in combination with DNS hijacking

To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: Debian Security Team <team@security.debian.org>
Subject: Bug#442180: d-i preseed method allows for remote cmd exec. in combination with DNS hijacking
From: Moritz Naumann <bugs.debian.org@moritz-naumann.com>
Date: Thu, 13 Sep 2007 23:00:23 +0200
Message-id: <[🔎] 46E9A4E7.9060209@moritz-naumann.com>
Reply-to: Moritz Naumann <bugs.debian.org@moritz-naumann.com>, 442180@bugs.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package: win32-loader
Version: 0.6.0~pre3
Severity: critical
Tags: security
Justification: root security hole

The default boot option used by this package contains the following:
preseed/url=http://goodbye-microsoft.com/runtime/preseed.cfg

As seen when inspecting the document available at this URL this boot
option is used to run a given command by the time of the installation
of Debian GNU/Linux. The command to be run (as root) is retrieved from
the document available at the given URL.

If an attcker is able to hijack or otherwise influence the DNS server
used when Debian GNU/Linux is installed using win32-loader, she may be
able to run any command that is available on the system to be installed
as root by redirecting requests to a different web server which provides
a given arbitrary command at the same URL.

On a side note, a default setting making users take part in a statistic
analysis and gathering users' requests in a single location can be
considered a privacy risk or issue. (This is the same for suggesting to
install Firefox with the Google toolbar but that's a complete different
story.)

I'm looking forward to see this software mature (even further).

Moritz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG6aTmn6GkvSd/BgwRCk7RAJ0etU8gzz8Pg68WpPFiEzz39XkrEACfSm9Q
GNLRj5k8J4PDtuP+vttJ/hg=
=0zuX
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Bug#442180: d-i preseed method allows for remote cmd exec. in combination with DNS hijacking
  - From: Otavio Salvador <otavio@debian.org>
- Bug#442180: d-i preseed method allows for remote cmd exec. in combination with DNS hijacking
  - From: Joey Hess <joeyh@debian.org>
- Re: Bug#442180: d-i preseed method allows for remote cmd exec. in combination with DNS hijacking
  - From: Robert Millan <rmh@aybabtu.com>

Prev by Date: Bug#422088: [Patch] wish preseed_fetch could distinguish between non-existance of a requested file and other failures to fetch file.
Next by Date: Bug#422088: [Patch] wish preseed_fetch could distinguish between non-existance of a requested file and other failures to fetch file.
Previous by thread: Bug#422088: [Patch] wish preseed_fetch could distinguish between non-existance of a requested file and other failures to fetch file.
Next by thread: Bug#442180: d-i preseed method allows for remote cmd exec. in combination with DNS hijacking
Index(es):
- Date
- Thread