Re: Exploit in Upgrade Chain?

On Thu, Feb 12, 2009 at 8:50 PM, Stan Katz <stan.katz.hk@gmail.com> wrote:

When I first experienced "promiscuous" escalation of etc mode from 755 to 600 (at least 8 to 10 years ago) I hunted down a reference by someone that this could happen if the lpd daemon was compromised. I stopped using lpd, and rebuilt my system. That system then worked fine until it was junked. When both of my current systems experienced this deja vue, I was quite astounded. Why me? Anyway, I logged into my AMD64 in recovery mode, and began to exit out just about every service script in init.d I felt I could get away without. The mode changing stopped. I then painfully began reenabling scripts, and rebooting, until the mode on etc escalated. Unless this is a very clever exploit, it seems the problem is limited to samba. I haven't had a mode escalation problem, either from reboots, or just power on time since stopping samba on both machines.

Either I'm doing something to cause gross misbehavior in samba, there is a bug in samba, or, taking the path of paranoia, someone along the samba source chain might be a sabateur. I'll start with the first proposition. My first symptom was the "i have no name" prompts in my xterms when whoami failed. There is a lot of that going on out there on the net, but no one every mentions as a possible cause, an overescalated mode on etc. I'll be ripping my samba out, and replacing it with a surgical install via dpkg from the Debian main site. We'll see....

On Thu, Feb 12, 2009 at 3:11 PM, The Well - Systems Administrator <sysadmin@thewellpoway.org> wrote:

600 on /etc is technically more secure than the default 755 with normal POSIX systems, not less. If this is an exploit, it's one that locks things down tighter than they should normally be. :) Giacomo is correct that these incorrect perms can cause other issues, though not security related ones that I can think of.

Are there a different set of perms you had set on /etc manually? Any other indication that you've been exploited, or just a hunch based on circumstantial weirdness based on unexpected /etc privs and bastille?

Best regards,
-Chris

Boyd Stephen Smith Jr. wrote:

On Wednesday 11 February 2009 23:26:45 Stan Katz wrote:

I updated/upgraded both my AMD64 and AMD k6 "Etch" machines between Feb
10-11, 2009 using "Lenny" test. Both picked up a symptom I haven't seen
since the lpd exploit of the 1990's. This symptom manifests itself as
either a random escalation of the etc directory mode up to 600, or a
consistent escalation to mode 600 upon reboot.

My /etc is mode 755. Why would that be a problem? Some user/programs may need to read data out of the directory and root (the owner of my /etc) certainly needs write permissions.

I don't remember why the lpd
exploit did this. If this is an exploit, it shakes my confidence in debian
online updating.

I don't see how a 600 /etc can be exploited. Do you have any other records that would indicate you are exploited, or is this just fear-mongering?

Also, the Bastille firewall on the
AMD64 began locking down port 80 after about 10min of operation. Adding 80
to all interfaces didn't help. Only shutting down Bastille cleared the
block.

Sounds like a bug in Bastille. Can you reproduce reliably? Have you checked your configuration? If both, has you filed a bug yet?

I fear this is another indication of the exploit.

How/Why would these be related?

Has anyone else experienced this misbehavior after an upgrade?

Not here. I've been running Lenny for a number of months.

Any
suggestions, other than a complete disk wipe on both machines? In any case,
where would I go for a trusted rebuild, if there truly is a sabateur in the
ranks of the Debian maintainers?

I'm forwarding to debian-security; perhaps they will have suggestions. This topic is more appropriate for that list than debian-user anyway.