Re: Warning Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System
Hi,
an interesting detail in advance:
It does not boot from USB stick. Too dumb for that.
From DVD it boots only via BIOS or EFI BIOS emulation, not via
generic EFI.
I wrote:
> > ... google ... Kim Schmitz ... rofl ... i am not that curious.
Andrew McGlashan wrote:
> Actually he doesn't run mega.nz any longer and he has said that he
> wouldn't trust the site now due to current ownership
Now is this what his public relations adviser told him to say?
Sandboxing as good as possible ... iceweaseling with Javascript:
https://mega.nz/#!QwY1EZKJ!GW1gLzXaOUo8sNGF-zddRLwgsfamZy7C5u0CARjaUs0
Now it wants me to download a plugin.
My gut feeling is that i am about to win a Darwin Award.
New approach:
$ wget http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-8.3.0-amd64-xfce-desktop.iso
$ wget http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA512SUMS.sign
$ wget http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA512SUMS
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Thu 28 Jan 2016 02:07:19 AM CET using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Well, my own key is not any better. To me this step is a ritual that
is applauded by people who are better informed than me. I consider
it more a social courtesy than a personal security feature.
$ x=$(grep debian-live-8.3.0-amd64-xfce-desktop.iso'$' SHA512SUMS)
$ echo "$x"
1cead0dfde971e0c70145f6c908cea067ee7ee067f5ca481f076db78d99a99088be76737af4e2c9569540208d6e841f758a568ca12db077fa327e323b5da3a04 debian-live-8.3.0-amd64-xfce-desktop.iso
$ y=$(sha512sum debian-live-8.3.0-amd64-xfce-desktop.iso)
$ echo $y
1cead0dfde971e0c70145f6c908cea067ee7ee067f5ca481f076db78d99a99088be76737af4e2c9569540208d6e841f758a568ca12db077fa327e323b5da3a04 debian-live-8.3.0-amd64-xfce-desktop.iso
$ test "$x" = "$y" && echo All is well
All is well
To the test machine ... iceweasel warns me duly that i am about
to shoot my foot ... now the plugin is at work. I just don't see any
file emerging in ~/Downloads.
That's really scary. Like an Android phone.
A large file emerges in ~/Desktop. (I am wearing my garlic necklace now,
spraying holy water, and looking up witch signs in the Malleus Maleficarum.)
Ok. It's downloaded and md5sum says 7d590864618866c225ede058f1ba61f0.
Copying it on a DVD, not as image but as data file inside an ISO.
So it cannot hop onto innocent machines just by being put into the
DVD drive.
Back on workstation ...
They used genisoimage:
$ xorriso -indev ...long.name...iso -pvd_info
...
Volume Id : Linux Mint 17.3 Rosa 64-bit
Volume Set Id:
Publisher Id :
Preparer Id :
App Id : GENISOIMAGE ISO 9660/HFS FILESYSTEM CREATOR (C) 1993 E.YOUNGDALE (C) 1997-2006 J.PEARSON/J.SCHILLING (C) 2006-2007 CDRKIT TEAM
System Id : LINUX
CopyrightFile:
Abstract File:
Biblio File :
Creation Time: 2016021909371600
Cr. Time Zone: -05:00
Modif. Time : 2016021909371600
Mo. Time Zone: -05:00
Expir. Time : 0000000000000000
Eff. Time : 2016021909371600
Ef. Time Zone: -05:00
The sequence of SUSP fields indicates that it was indeed made by
a mkisofs clone.
Now for the original
$ wget http://...mirror.../linuxmint-17.3-cinnamon-64bit.iso
$ md5sum linuxmint-17.3-cinnamon-64bit.iso
e71a2aad8b58605e906dbea444dc4983
This matches the MD5 on http://www.linuxmint.com/edition.php?id=204
$ xorriso -indev linuxmint-17.3-cinnamon-64bit.iso -pvd_info
...
Volume Id : Linux Mint 17.3 Cinnamon 64-bit
Volume Set Id:
Publisher Id : LINUX MINT
Preparer Id : LIVE-BUILD 3.0_A57-1
App Id :
System Id :
CopyrightFile:
Abstract File:
Biblio File :
Creation Time: 2015112815084800
Modif. Time : 2015112815084800
Expir. Time : 0000000000000000
Eff. Time : 0000000000000000
Ouch. They do not even have the same Volume Id (/dev/disk/by-label name).
The original was quite surely written by libisofs, probably under
control of xorriso. (Debian keeps my XORRISO branding in Preparer Id.)
Now for boot equipment:
$ xorriso -hfsplus on -indev ...iso -report_el_torito plain -report_system_area plain
...
Drive current: -indev 'compromised-linuxmint-17.3-cinnamon-64bit-7D590864618866C225EDE058F1BA61F0.iso'
...
El Torito catalog : 160 1
El Torito cat path : /isolinux/boot.cat
El Torito images : N Pltf B Emul Ld_seg Hdpt Ldsiz LBA
El Torito boot img : 1 BIOS y none 0x0000 0x00 4 161
El Torito img path : 1 /isolinux/isolinux.bin
El Torito img opts : 1 boot-info-table isohybrid-suitable
...
xorriso : NOTE : No System Area was loaded
That's not even an isohybrid. No EFI equipment present either.
(The criminal must have read the most outdated recipes for bootable ISOs.)
$ xorriso -hfsplus on -indev linuxmint-17.3-cinnamon-64bit.iso -report_el_torito plain -report_system_area plain
...
El Torito catalog : 155 1
El Torito cat path : /isolinux/boot.cat
El Torito images : N Pltf B Emul Ld_seg Hdpt Ldsiz LBA
El Torito boot img : 1 BIOS y none 0x0000 0x00 4 17931
El Torito boot img : 2 UEFI y none 0x0000 0x00 4544 769067
El Torito img path : 1 /isolinux/isolinux.bin
El Torito img opts : 1 boot-info-table isohybrid-suitable
El Torito img path : 2 /boot/grub/efi.img
System area options: 0x00000102
System area summary: MBR isohybrid cyl-align-on GPT APM
ISO image size/512 : 3088640
Partition offset : 0
MBR heads per cyl : 95
MBR secs per head : 32
MBR partition table: N Status Type Start Blocks
MBR partition : 1 0x80 0x00 0 3088640
MBR partition : 2 0x00 0xef 3076268 4544
MBR partition path : 2 /boot/grub/efi.img
GPT : N Info
GPT disk GUID : fd922d606736564a9037adde0476578c
GPT entry array : 12 208 overlapping
GPT lba range : 64 3088586 3088639
GPT partition name : 1 490053004f00480079006200720069006400
GPT partname local : 1 ISOHybrid
GPT partition GUID : 1 fd922d606736564a9035adde0476578c
GPT type GUID : 1 a2a0d0ebe5b9334487c068b6b72699c7
GPT partition flags: 1 0x1000000000000001
GPT start and size : 1 0 3088584
GPT partition name : 2 490053004f004800790062007200690064003100
GPT partname local : 2 ISOHybrid1
GPT partition GUID : 2 fd922d606736564a9034adde0476578c
GPT type GUID : 2 a2a0d0ebe5b9334487c068b6b72699c7
GPT partition flags: 2 0x1000000000000001
GPT start and size : 2 3076268 4544
GPT partition path : 2 /boot/grub/efi.img
APM : N Info
APM block size : 2048
APM gap fillers : 0
APM partition name : 1 EFI
APM partition type : 1 Apple_HFS
APM start and size : 1 769067 1136
APM partition path : 1 /boot/grub/efi.img
Yeah. That's how we learned it from Matthew Garrett.
(With some leanification in this case. Fedora Live CD has a HFS+
filesystem image as third El Torito and as additional partition
entry in the three partition maps.)
From the viewpoint of my ivory tower i can confirm:
This attacker had no real clue about how to mimic a contemporary
installation ISO.
The fact that, on the other hand, the burglary was repeatedly successful
gives me two theories:
- A script kiddy found a powerful intrusion program.
- An expert disguises himself as a dumbnut. (For the fun of hearing the noise?)
Have a nice day :)
Thomas
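An added example, not from Thomas's mail and not xorriso code: a small Python reader for the ISO 9660 fields compared above (Volume Id, Preparer Id, App Id, creation time with its time zone, the El Torito boot record's catalog LBA, and whether the system area carries an isohybrid MBR signature). The two miniature images it is run on are constructed in the code; the field values are chosen to mirror the two -pvd_info listings and are assumptions, not copies of the real ISOs.

```python
import struct

SECTOR = 2048
# (offset, length) of the ECMA-119 Primary Volume Descriptor text fields xorriso prints
PVD_FIELDS = {"system_id": (8, 32), "volume_id": (40, 32), "publisher_id": (318, 128),
              "preparer_id": (446, 128), "app_id": (574, 128)}

def inspect_iso(image):
    """Read descriptor and boot facts from an ISO 9660 image held in memory."""
    sysarea = image[:16 * SECTOR]          # first 16 sectors: MBR/GPT live here on isohybrids
    info = {"system_area_empty": not any(sysarea),
            "mbr_signature": sysarea[510:512] == b"\x55\xaa", "boot_catalog_lba": None}
    lba = 16                               # volume descriptor set starts at LBA 16
    while True:
        vd = image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(vd) < SECTOR or vd[1:6] != b"CD001":
            raise ValueError("no volume descriptor at LBA %d" % lba)
        if vd[0] == 255:                   # volume descriptor set terminator
            return info
        if vd[0] == 1:                     # primary volume descriptor
            for name, (off, ln) in PVD_FIELDS.items():
                info[name] = vd[off:off + ln].decode("ascii", "replace").rstrip(" \0")
            # creation date: 16 ASCII digits plus a signed byte counting 15-minute UTC offsets
            tz = struct.unpack("b", vd[829:830])[0] * 15
            info["created"] = vd[813:829].decode("ascii", "replace")
            info["created_tz"] = "%s%02d:%02d" % ("-" if tz < 0 else "+", abs(tz) // 60, abs(tz) % 60)
        elif vd[0] == 0 and vd[7:30] == b"EL TORITO SPECIFICATION":
            info["boot_catalog_lba"] = struct.unpack("<I", vd[71:75])[0]
        lba += 1

def build_sample(volume_id, preparer, app_id, isohybrid):
    """Constructed 19-sector image (not a real Mint ISO): PVD, El Torito record, terminator."""
    img = bytearray(19 * SECTOR)
    if isohybrid:
        img[510:512] = b"\x55\xaa"         # MBR boot signature that isohybrid layouts carry
    p = 16 * SECTOR
    img[p:p + 7] = b"\x01CD001\x01"
    for name, text in (("system_id", "LINUX"), ("volume_id", volume_id),
                       ("preparer_id", preparer), ("app_id", app_id)):
        off, ln = PVD_FIELDS[name]
        img[p + off:p + off + ln] = text.encode().ljust(ln)[:ln]
    img[p + 813:p + 830] = b"2016021909371600" + struct.pack("b", -20)   # -05:00
    q = 17 * SECTOR
    img[q:q + 30] = b"\x00CD001\x01EL TORITO SPECIFICATION"
    img[q + 71:q + 75] = struct.pack("<I", 160)                           # catalog LBA
    img[18 * SECTOR:18 * SECTOR + 7] = b"\xffCD001\x01"
    return bytes(img)
```

On a real file, read the first few dozen sectors and pass them to inspect_iso; an empty system area with no MBR signature is the "No System Area was loaded" case, i.e. not an isohybrid.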