[Pkg-sysvinit-devel] Bug#517018: debian-installer: no-root option in expert installer exposes locally exploitable security flaw
Philip Hands
phil at hands.com
Wed Feb 25 10:57:25 UTC 2009
On Wed, Feb 25, 2009 at 12:02:58AM -0500, Michael Gilbert wrote:
> package: debian-installer
> severity: important
> tags: security
>
> there is now an option in the expert mode of the debian-installer that
> allows the user to install their system without a root account
> (replacing it with sudo privileges for the default user). this exposes
> a loophole that enables local attackers to easily obtain root access.
>
> details:
>
> since there is no root password set up during installation, a local
> attacker can simply boot into the root account (without being prompted
> for a password) via single user mode ("single" kernel option). then,
> he/she can do all kinds of malicious things, but the easiest would be
> to simply change the root password...thus owning the machine. and
> since the user never logs in with the root password him/herself,
> he/she would never realize that an attacker had gotten in (unless
> he/she diligently reviews logs). [1] discusses the details of the
> method for password recovery, but the same can be used for malicious
> purposes, of course.
How is this different from booting with init=/bin/sh ?
If you have physical access to a machine, all security bets are off.
The reason to have this sort of option in expert mode is that the values
can then be preseeded, so if you're deploying nodes in a cluster (that
is physically secure on a private LAN) you might well decide that having
machines in what might strike a normal user as insecure makes sense.
In this particular case, I'd say that this isn't a bug, especially since
it is an expert option, and the same expert might just as easily edit
/etc/shadow if they wanted to. Also, given that one can achieve the same
effect with init=/bin/sh, it's not even increasing exposure to risk.
I'm even willing to argue that having no valid root password ensures
that there are a load of password guessing attacks that are bound to
fail, which seems like a significant win (given the popularity of ssh
password brute-force attacks and the like).
Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] http://www.hands.com/
|-| HANDS.COM Ltd. http://www.uk.debian.org/
|(| 10 Onslow Gardens, South Woodford, London E18 1NE ENGLAND
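The thread turns on what "no root password" actually means for the root entry in /etc/shadow. The script below is an added example, not code from the bug report or from Phil's reply: it classifies the root entry of a shadow-style file so an administrator can tell a locked root account (no hash can ever match, which is why the ssh password-guessing attacks Phil mentions are bound to fail) from an empty password field (any login as root succeeds with no password). It assumes the standard shadow layout and uses a constructed sample file; as the thread notes, a single-user boot is a physical-access question that this check deliberately says nothing about.

```shell
#!/bin/sh
# Added example (not the bug report's or Phil's code): classify the root
# entry of an /etc/shadow-style file. Assumption: standard shadow layout,
# "name:hash:lastchg:min:max:warn:inactive:expire:flag".

root_pw_state() {
    file="$1"
    grep -q '^root:' "$file" || { echo missing; return 0; }
    hash=$(awk -F: '$1 == "root" { print $2; exit }' "$file")
    case "$hash" in
        "")         echo empty ;;   # passwordless root: any login succeeds
        '*'*|'!'*)  echo locked ;;  # lock markers (*, !, or ! in front of a hash)
        *)          echo set ;;     # a real hash: password auth is possible
    esac
}

# Human-readable meaning of each state for password-based access to root.
root_pw_report() {
    case "$(root_pw_state "$1")" in
        empty)   echo "root has an EMPTY password field: set one or lock it (passwd -l root)" ;;
        locked)  echo "root is locked: password guessing against root cannot succeed" ;;
        set)     echo "root has a password hash: exposed wherever password auth is allowed" ;;
        missing) echo "no root entry found in $1" ;;
    esac
}

# Constructed sample for a stand-alone run (not real system data).
demo_shadow=$(mktemp)
printf 'root:!:14300:0:99999:7:::\nphil:$6$salt$hash:14300:0:99999:7:::\n' > "$demo_shadow"
root_pw_report "$demo_shadow"
rm -f "$demo_shadow"
```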