Impact: An attacker can create RPMs that will appear legitimate to the administrator; once installed, root access (or anything else) can easily be achieved.
Details: If an attacker can trick an administrator into installing an RPM, checking the signature on the RPM can easily be subverted; thus the trojaned RPM is installed and the attacker can gain access.
Yes. Put this: chmod 777 / into the %post install section of an rpm and have it installed. A wonderful exploit. [snip]
packages". Getting the administrator to download trojaned packages is attainable by poisoning DNS, spoofing a site, or breaking into a major RPM ftp site.
yes, yes. Nothing new. The fact that software packaging nowadays depends on cryptographic methods opens up some problems if the admin is moron enough, but this is nothing new. This has been here since the day when someone plugged a cable between two computers.
# chattr +i /root/.gnupg/pubring.gpg
This will prevent accidental or casual insertion of new keys. If you have many keys in either keyring you should make sure to verify the fingerprint every time you check a package's signature.
You fail to mention that the immutable flag is a feature of the ext2 filesystem. reiserfs (which is included in SuSE distributions and which has proven to be very stable) doesn't have that flag. Besides, this breaks an update from a SuSE aaa_base rpm package (which isn't the package's fault), and it doesn't help since it only defeats symptomatic aspects of the whole problem.
Vendors that ship RPM update tools should use a separate keyring (instead of root's) for verifying RPMs that are downloaded.
This does not really make a difference. Once the attacker can make the admin do silly things on the box, there are easier ways to gain root access.
Roman.
--
| Roman Drahtmüller
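The thread's concrete worry is a %post scriptlet such as "chmod 777 /" riding inside a package that otherwise looks legitimate. The following is an added example, not code from this thread or from the rpm project: it constructs a minimal RPM in memory (a valid 96-byte lead, an empty, unsigned signature header, and a main header carrying the NAME, POSTIN and POSTINPROG tags), then parses that blob back the way a pre-install check would and flags scriptlet commands worth a human look. The package contents and the pattern list are assumptions made up for the example; the on-disk layout and tag numbers are the real RPM v3 header format. On a real system the equivalent inspection is "rpm -qp --scripts pkg.rpm" after "rpm --checksig pkg.rpm", and this script shows what those calls are reading.

```python
"""Inspect an RPM's %post scriptlet before trusting the package.

Added example for the discussion above; not part of the original thread.
Builds a constructed, unsigned RPM in memory and parses it back.
"""
import re
import struct

HEADER_MAGIC = b"\x8e\xad\xe8\x01\x00\x00\x00\x00"  # header magic, version 1, 4 reserved bytes
LEAD_MAGIC = b"\xed\xab\xee\xdb"
RPMTAG_NAME, RPMTAG_POSTIN, RPMTAG_POSTINPROG = 1000, 1024, 1086
RPM_STRING_TYPE = 6


def build_header(entries):
    """Serialize {tag: str} into one header section: magic, counts, index entries, data store."""
    index, store = b"", b""
    for tag, value in entries.items():
        index += struct.pack(">iiii", tag, RPM_STRING_TYPE, len(store), 1)
        store += value.encode() + b"\x00"
    return HEADER_MAGIC + struct.pack(">ii", len(entries), len(store)) + index + store


def build_rpm(name, post_script):
    """Construct a minimal RPM (constructed test data): lead, empty signature header, main header."""
    lead = (LEAD_MAGIC + struct.pack(">BBhh", 3, 0, 0, 1)      # format 3.0, binary package, arch 1
            + name.encode()[:65].ljust(66, b"\x00")            # package name, NUL padded
            + struct.pack(">hh", 1, 5) + b"\x00" * 16)         # os 1, header-style signature, reserved
    sig = build_header({})                                     # unsigned: nothing in the signature header
    sig += b"\x00" * (-len(sig) % 8)                           # signature header is padded to 8 bytes
    return lead + sig + build_header({RPMTAG_NAME: name,
                                      RPMTAG_POSTIN: post_script,
                                      RPMTAG_POSTINPROG: "/bin/sh"})


def parse_header(blob, off):
    """Parse one header section at offset off; return ({tag: value}, offset just past it)."""
    if blob[off:off + 8] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">ii", blob[off + 8:off + 16])
    index_start = off + 16
    store_start = index_start + 16 * nindex
    store = blob[store_start:store_start + hsize]
    entries = {}
    for i in range(nindex):
        tag, typ, data_off, _count = struct.unpack(
            ">iiii", blob[index_start + 16 * i:index_start + 16 * (i + 1)])
        if typ == RPM_STRING_TYPE:
            entries[tag] = store[data_off:store.index(b"\x00", data_off)].decode()
        else:
            entries[tag] = store[data_off:]                    # other types kept raw; not needed here
    return entries, store_start + hsize


def parse_rpm(blob):
    """Return the main header of an RPM blob as {tag: value}."""
    if blob[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM")
    _sig, off = parse_header(blob, 96)                         # signature header follows the 96-byte lead
    off += -off % 8                                            # main header starts on an 8-byte boundary
    header, _ = parse_header(blob, off)
    return header


# Assumed patterns for the example; a real review would be a human reading the scriptlet.
SUSPICIOUS = [
    (re.compile(r"\bchmod\s+[0-7]*777\b"), "world-writable permission change"),
    (re.compile(r"\bchmod\s+(?:[0-7]*[4-7][0-7]{3}\b|[ugoa]*\+s)"), "setuid/setgid bit set"),
    (re.compile(r"/etc/(?:passwd|shadow|sudoers)\b"), "touches authentication files"),
    (re.compile(r"\b(?:curl|wget|nc)\b"), "network access from a scriptlet"),
]


def audit_scriptlet(script):
    """Return the reasons a %post scriptlet deserves a look before the package is installed."""
    return [reason for pattern, reason in SUSPICIOUS if pattern.search(script or "")]


if __name__ == "__main__":
    for name, post in (("evil-tool", "#!/bin/sh\nchmod 777 /\n"),
                       ("editor", "#!/bin/sh\n/sbin/ldconfig\n")):
        hdr = parse_rpm(build_rpm(name, post))
        print(hdr[RPMTAG_NAME], "%post via", hdr[RPMTAG_POSTINPROG], "->",
              audit_scriptlet(hdr[RPMTAG_POSTIN]) or "nothing flagged")
```

The signature header is parsed and deliberately ignored here, which is the point Roman makes: a scriptlet check like this tells you what the package will run as root regardless of whether the signature happens to verify against whatever key ended up in the keyring.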