2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains in detail the early warning for the remote code execution vulnerability in the Linux package manager apt/apt-get. The content is of high quality, so the editor shares it for your reference; I hope you will have a clear understanding of the relevant points after reading it.
0x00 Vulnerability background
On January 22nd, 2019, @Max Justicz published details of a remote code execution vulnerability in the Debian package manager apt/apt-get. When installing or updating software through APT, the default transport is HTTP rather than HTTPS. An attacker who can hijack that HTTP traffic from a man-in-the-middle position can, by means of a redirect and crafted response headers, construct what APT accepts as a legitimately signed package, bypassing APT's local signature check. Once the attack is triggered, root privileges on the target server are obtained.
360CERT judged that the vulnerability is severely harmful but that its scope of impact is limited. Users of Debian-based distributions are advised to update the apt package or to inspect the traffic on their servers themselves.
0x01 Vulnerability details
When fetching data, apt forks worker processes to carry out the transfer. The parent process communicates with these workers over stdin/stdout using an HTTP-like protocol, telling them what to download and where on the file system to place the downloaded content. For example, when apt install cowsay forks /usr/lib/apt/methods/http, the worker first returns a 100 Capabilities message:
100 Capabilities
Version: 1.2
Pipeline: true
Send-Config: true
The parent process sends its settings and requests a resource:
601 Configuration
Config-Item: APT::Architecture=amd64
Config-Item: APT::Build-Essential::=build-essential
Config-Item: APT::Install-Recommends=1
(... many more lines omitted...)
600 URI Acquire
URI: http://deb.debian.org/debian/pool/main/c/cowsay/cowsay_3.03+dfsg2-3_all.deb
Filename: /var/cache/apt/archives/partial/cowsay_3.03+dfsg2-3_all.deb
Expected-SHA256: 858d5116a60ba2acef9f30e08c057ab18b1bd6df5ca61c233b6b7492fbf6b831
Expected-MD5Sum: 27967ddb76b2c394a0714480b7072ab3
Expected-Checksum-FileSize: 20070
The worker process's responses then look like this:
102 Status
URI: http://deb.debian.org/debian/pool/main/c/cowsay/cowsay_3.03+dfsg2-3_all.deb
Message: Connecting to prod.debian.map.fastly.net
102 Status
URI: http://deb.debian.org/debian/pool/main/c/cowsay/cowsay_3.03+dfsg2-3_all.deb
Message: Connecting to prod.debian.map.fastly.net (2a04:4e42:8::204)
102 Status
URI: http://deb.debian.org/debian/pool/main/c/cowsay/cowsay_3.03+dfsg2-3_all.deb
Message: Waiting for headers
200 URI Start
URI: http://deb.debian.org/debian/pool/main/c/cowsay/cowsay_3.03+dfsg2-3_all.deb
Size: 20070
Last-Modified: Tue, 17 Jan 2017 18:05:21 +0000
201 URI Done
URI: http://deb.debian.org/debian/pool/main/c/cowsay/cowsay_3.03+dfsg2-3_all.deb
Filename: /var/cache/apt/archives/partial/cowsay_3.03+dfsg2-3_all.deb
Size: 20070
Last-Modified: Tue, 17 Jan 2017 18:05:21 +0000
MD5-Hash: 27967ddb76b2c394a0714480b7072ab3
MD5Sum-Hash: 27967ddb76b2c394a0714480b7072ab3
SHA256-Hash: 858d5116a60ba2acef9f30e08c057ab18b1bd6df5ca61c233b6b7492fbf6b831
Checksum-FileSize-Hash: 20070
When the HTTP server answers with a redirect, the worker process returns 103 Redirect instead of 201 URI Done, and the parent process uses this response to decide which resource to request next:
103 Redirect
URI: http://deb.debian.org/debian/pool/main/c/cowsay/cowsay_3.03+dfsg2-3_all.deb
New-URI: http://example.com/new-uri
The flaw is that the value of the HTTP Location header is URL-decoded and then appended directly into the 103 Redirect message, so a crafted Location value is injected into the protocol the parent process reads.
// From methods/basehttp.cc
NextURI = DeQuoteString(Req.Location);
...
Redirect(NextURI);
// From apt-pkg/acquire-method.cc
void pkgAcqMethod::Redirect(const string &NewURI)
{
   std::cout
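The worker/parent protocol described above and the decode-then-append flaw, as an added illustration in Python that is not part of the original article and not apt's own code: a small parser for the "status line, header lines, blank line" message format, a builder that mirrors the DeQuoteString-then-append flow, and a hardened builder (a hypothetical check written for this page, not apt's actual patch) that refuses decoded redirect targets containing control characters. All function names and the crafted sample value are constructed for this page; the injected status code 999 is deliberately not a real apt response code.

```python
"""Added illustration of the apt parent/worker message protocol (not apt code).

The message format is modelled on the 100 / 600 / 103 examples in the article:
a status line "NNN Text", header lines "Name: value", and a blank-line terminator.
"""
import re
from urllib.parse import unquote

# Constructed sample: the 103 Redirect exchange shown in the article.
SAMPLE_REDIRECT = (
    "103 Redirect\n"
    "URI: http://deb.debian.org/debian/pool/main/c/cowsay/cowsay_3.03+dfsg2-3_all.deb\n"
    "New-URI: http://example.com/new-uri\n"
    "\n"
)

ORIG_URI = "http://deb.debian.org/debian/pool/main/c/cowsay/cowsay_3.03+dfsg2-3_all.deb"

_STATUS_RE = re.compile(r"^(\d{3}) (.*)$")


def parse_messages(stream: str) -> list:
    """Split a worker->parent stream into messages the way an HTTP-like reader
    does: each message is a status line plus headers, ended by a blank line."""
    messages = []
    for raw in stream.split("\n\n"):
        lines = [ln for ln in raw.split("\n") if ln != ""]
        if not lines:
            continue  # trailing empty chunk after the final terminator
        m = _STATUS_RE.match(lines[0])
        if not m:
            raise ValueError(f"bad status line: {lines[0]!r}")
        headers = {}
        for ln in lines[1:]:
            name, sep, value = ln.partition(": ")
            if not sep:
                raise ValueError(f"bad header line: {ln!r}")
            headers[name] = value
        messages.append({"code": int(m.group(1)), "text": m.group(2), "headers": headers})
    return messages


def redirect_message_unsafe(uri: str, location: str) -> str:
    """Mirrors the flawed flow: percent-decode Location (DeQuoteString), then
    append the decoded text verbatim into the 103 Redirect message."""
    new_uri = unquote(location)
    return f"103 Redirect\nURI: {uri}\nNew-URI: {new_uri}\n\n"


def redirect_message_safe(uri: str, location: str) -> str:
    """Hardened variant (an assumption for this page, not apt's real fix):
    refuse any decoded target carrying characters that could end the header
    line or the message, so one HTTP header can never become two messages."""
    new_uri = unquote(location)
    if re.search(r"[\x00-\x1f\x7f]", new_uri):
        raise ValueError("redirect target contains control characters")
    return f"103 Redirect\nURI: {uri}\nNew-URI: {new_uri}\n\n"


def count_messages(location: str) -> int:
    """How many protocol messages the parent would read for one redirect
    produced by the unsafe builder."""
    return len(parse_messages(redirect_message_unsafe(ORIG_URI, location)))


def demo() -> dict:
    """Compare a benign Location with a constructed one whose percent-encoded
    newlines decode to a message terminator followed by a second status line."""
    benign = "http://example.com/new-uri"
    crafted = "http://example.com/new-uri%0A%0A999%20Injected%0AFoo:%20bar"
    result = {
        "benign_messages": count_messages(benign),    # 1: exactly the redirect
        "crafted_messages": count_messages(crafted),  # 2: a second message appeared
    }
    try:
        redirect_message_safe(ORIG_URI, crafted)
        result["safe_rejects"] = False
    except ValueError:
        result["safe_rejects"] = True                 # hardened builder refuses it
    return result


if __name__ == "__main__":
    print(parse_messages(SAMPLE_REDIRECT))
    print(demo())
```

The point the demo makes is the one the article's code excerpt shows: the parent trusts message boundaries in a stream that the worker builds from attacker-controlled HTTP headers, so the boundary characters themselves must never pass through un-encoded. Rejecting (or re-encoding) control characters at the point where the decoded value is written into the message closes that path regardless of what the HTTP server sends.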