Bug#788634: debian-installer: Accepting a preseed URL from DHCP allows attacker to hijack installation
On 16 June 2015 at 10:37, Wouter Verhelst <wouter@debian.org> wrote:
>
> But if you boot off CD-ROM or USB or some such? Then the situation is
> much different. While I agree that having preseeding in that case can be
> useful, I can also understand the POV that the system *defaulting* to
> using such a preseed file is a bad idea.
>
This is the crux of my issue. I agree that an amount of preseeding is
insecure by nature - it's pointless to secure a PXE-booted system -
but I also think that it is reasonable for an end user, who does not
know or care about preseeding, to believe that installation is safe on
a hostile network, particularly because apt is so careful about
verifying signatures (albeit of data that crossed the entire
internet).
If, as Geert Stappers says, more users use this (reasonably obscure?)
feature than are concerned with the security implications of it, then
as an absolute minimum, adding a commandline arg to disable it would
allow security-minded users to install in hostile networks without
possibility of compromise.
I still feel that this is insufficient, though, because the average
end-user will end up having their system compromised (possibly by one
of the notoriously-insecure home internet gateways that seem to be
popular these days). It's my opinion that feature in question should
be disabled by default, and opt-in with a commandline argument. I've
written a simple patch to implement this (see below). It adds a dialog
that is shown only when a preseed URL is provided via DHCP, and is can
be suppressed (ie, restores the current behaviour of silently
accepting) with the kernel commandline
"preseed/accept_preseed_from_DHCP=true".
For anyone who feels similarly to me, I have built an install CD with
a patched d-i, which I intend to maintain as a fork of the original
d-i project. I have limited resources, however, so I've only built for
jessie on amd64 right now - I hope to add support for more versions
and architectures at some point in the future, but would appreciate
the help of someone more experienced with d-i (or even debian
development!) if possible. My blog post about it is at
https://strange.systems/debian-installer-insecurity .
My patch against 20150422+deb8u1 (please note: I've never submitted to
the Debian project before, so please let me know if I've done anything
wrong here):
diff -ur old/DEBIAN/postinst new/DEBIAN/postinst
--- old/DEBIAN/postinst 2014-09-24 06:16:34.000000000 +0100
+++ new/DEBIAN/postinst 2015-06-15 01:31:43.884000000 +0100
@@ -11,7 +11,13 @@
dhcp_url=$(dhcp_preseed_url)
if [ -n "$dhcp_url" ]; then
- preseed_location "$dhcp_url"
+ db_input critical preseed/accept_preseed_from_DHCP || true
+ db_go
+ db_get preseed/accept_preseed_from_DHCP
+ use_dhcp_url=$RET
+ if [ "$use_dhcp_url" == "true" ]; then
+ preseed_location "$dhcp_url"
+ fi
fi
preseed preseed/url
preseed_command preseed/early_command
diff -ur old/DEBIAN/templates new/DEBIAN/templates
--- old/DEBIAN/templates 2014-09-24 06:16:33.000000000 +0100
+++ new/DEBIAN/templates 2015-06-15 01:24:27.396000000 +0100
@@ -1048,3 +1048,13 @@
Default: d-i/jessie/./preseed.cfg
Description: for internal use; can be preseeded
Path added to local server to give the preseed root
+
+Template: preseed/accept_preseed_from_DHCP
+Type: boolean
+Default: false
+Description: Should we accept a preseed URL from a DHCP server?
+ Your DHCP server has provided extra commands or customisations to
+ debian-installer. It is possible that these commands were sent by
+ your network administrator; however, it is impossible to verify
+ this, or to ensure they have not been altered by an attacker who
+ already has access to your local network.
Template: debian-installer/network-preseed/title
I've sent this mail to the bugtracker (in addition to the l.d.o. list)
since it contains a patch. I hope this is the correct behaviour.
Reply to: