Bug#945911: APT leaks repository credentials
Control: tag -1 moreinfo
On Sat, Nov 30, 2019 at 10:36:29PM +0100, Florian Zumbiehl wrote:
> Package: apt
> Version: 1.8.2
> Severity: critical
>
> APT now promotes using auth.conf to store repository credentials.
> Unfortunately, the way these credentials are handled causes a confused
> deputy style problem:
>
> The credentials to transmit for a request are selected not based on the
> host name specified in the sources.list, but rather based on the URI that
> is being requested. Thus, any repository server that APT ever makes an
> HTTP(S) request to can issue an HTTP redirect to any URI that points to any
> of the (other) servers for which credentials are stored in the auth.conf
> file, and APT will then send those credentials to whatever endpoint that is
> specified as the redirection target URI.
Yes, and why, please tell, should that be a problem? That's how stuff
works. If I request https://a/b/c and it redirects me to https://x/y/z,
I need login details for x/y/z to log in.
Saying we should send the credentials for a/b/c to x/y/z does not make
a whole lot of sense.
This also assumes that you have access to the a/b/c server _and_ the
x/y/z server.
>
> Examples for how this could be exploited are:
>
> - The redirect could point to a different port on the server than where the
> repository is hosted, possibly an unprivileged port where an attacker on
> that server could be listening to receive the credentials.
I don't understand. FWIW, credentials can be limited by port and path.
>
> - The redirect could point to an HTTP URI to expose the credentials as
> plain text on the wire, even where the sources.list entries for the
> respective server point only to HTTPS URIs to protect from eavesdroppers.
HTTPS->HTTP redirects are not allowed.
>
> - The redirect could point to an existing resource in the repository the
> credentials are actually meant for in order to make APT download that
> resource and then use it in a context it wasn't meant for, thus
> potentially leaking contents of the password-protected repository.
I don't understand.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
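The point in the exchange above is that credentials are chosen by the URI actually requested (host, port, path), not by the sources.list entry, so how tightly each auth.conf entry is scoped determines what a redirecting server can cause to be sent. The following is an added illustration, not APT's code: it is a simplified, assumed model of netrc-style matching over a constructed auth.conf, plus the HTTPS-to-HTTP downgrade refusal mentioned in the reply. It shows that an entry scoped as `host:port/path` is not handed to a redirect that changes the port or path, while an entry scoped only by host is matched on any port or path of that host.

```python
"""Simplified model of auth.conf credential scoping on redirects.

Added example, not APT's own implementation. The matching rules below
(host must match, a port in the entry must match, a path in the entry
must be a prefix) are an assumption used to illustrate the scoping
discussed in the bug thread, not a statement of apt's exact algorithm.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample in apt_auth.conf(5) syntax: one tightly scoped
# entry (host, port and path) and one entry scoped only by host.
SAMPLE_AUTH_CONF = """
machine example.org:443/private login alice password s3cret
machine mirror.example.net login bob password hunter2
"""


@dataclass
class Credential:
    host: str
    port: Optional[int]   # None means "any port"
    path: str             # "" means "any path"
    login: str
    password: str


def parse_auth_conf(text: str):
    """Parse 'machine X login Y password Z' lines into Credential objects."""
    creds = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "machine":
            continue
        hostport, _, path = tokens[1].partition("/")
        host, _, port = hostport.partition(":")
        creds.append(Credential(
            host=host,
            port=int(port) if port else None,
            path="/" + path if path else "",
            login=tokens[3],
            password=tokens[5],
        ))
    return creds


def select_credential(creds, uri: str) -> Optional[Credential]:
    """Return the first entry whose host/port/path scope covers the URI."""
    u = urlsplit(uri)
    port = u.port or (443 if u.scheme == "https" else 80)
    for c in creds:
        if c.host != u.hostname:
            continue
        if c.port is not None and c.port != port:
            continue
        if c.path and not (u.path == c.path
                           or u.path.startswith(c.path.rstrip("/") + "/")):
            continue
        return c
    return None


def follow_redirect(creds, original_uri: str,
                    location: str) -> Tuple[bool, Optional[Credential]]:
    """Decide whether a redirect is followed and which credential it gets.

    A redirect from an https:// URI to a non-https URI is refused outright,
    mirroring the 'HTTPS->HTTP redirects are not allowed' rule in the thread.
    """
    if urlsplit(original_uri).scheme == "https" \
            and urlsplit(location).scheme != "https":
        return False, None
    return True, select_credential(creds, location)


if __name__ == "__main__":
    creds = parse_auth_conf(SAMPLE_AUTH_CONF)
    for target in ("https://example.org/private/dists/stable/Release",
                   "https://example.org:8080/private/dists/stable/Release",
                   "https://example.org/public/Release",
                   "https://mirror.example.net:8080/anything"):
        ok, cred = follow_redirect(creds, "https://example.org/private/x", target)
        print(target, "->", "refused" if not ok else
              (cred.login if cred else "no credentials"))
```

Running the block prints which login, if any, the model would attach to each redirect target; the tightly scoped `alice` entry is sent only to its own host, port and path, whereas the host-only `bob` entry is sent to any port and path on mirror.example.net, which is the reason to scope entries by port and path as the reply suggests.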