[Pkg-sysvinit-devel] Bug#517018: debian-installer: no-root option in expert installer exposes locally exploitable security flaw

Philip Hands phil at hands.com
Wed Feb 25 10:57:25 UTC 2009


On Wed, Feb 25, 2009 at 12:02:58AM -0500, Michael Gilbert wrote:
> package: debian-installer
> severity: important
> tags: security
> 
> there is now an option in the expert mode of the debian-installer that
> allows the user to install their system without a root account
> (replacing it with sudo privileges for the default user). this exposes
> a loophole that enables local attackers to easily obtain root access.
> 
> details: 
> 
> since there is no root password set up during installation, a local
> attacker can simply boot into the root account (without being prompted
> for a password) via single user mode ("single" kernel option). then,
> he/she can do all kinds of malicious things, but the easiest would be
> to simply change the root password...thus owning the machine.  and
> since the user never logs in with the root password him/herself,
> he/she would never realize that an attacker had gotten in (unless
> he/she diligently reviews logs). [1] discusses the details of the
> method for password recovery, but the same can be used for malicious
> purposes, of course.

How is this different from booting with init=/bin/sh ?

If you have physical access to a machine, all security bets are off.

The reason to have this sort of option in expert mode is that the values
can then be preseeded, so if you're deploying nodes in a cluster (that
is physically secure on a private LAN) you might well decide that having
machines in what might strike a normal user as insecure makes sense.

In this particular case, I'd say that this isn't a bug, especially since
it is an expert option, and the same expert might just as easily edit
/etc/shadow if they wanted to.  Also, given that one can achieve the same
effect with init=/bin/sh it's not even increasing exposure to risk.

I'm even willing to argue that having no valid root password ensures
that there are a load of password guessing attacks that are bound to
fail, which seems like a significant win (given the popularity of ssh
password brute-force attacks and the like).

Cheers, Phil.
-- 
|)|  Philip Hands [+44 (0)20 8530 9560]    http://www.hands.com/
|-|  HANDS.COM Ltd.                    http://www.uk.debian.org/
|(|  10 Onslow Gardens, South Woodford, London  E18 1NE  ENGLAND
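The thread above turns on two facts about an installed system: what the root entry in /etc/shadow actually contains after a no-root install, and whether the kernel command line carries a parameter (`single`, or `init=/bin/sh`) that drops to a root shell outside the normal login path. The following POSIX sh snippet is an added example, not code from either message or from debian-installer; it classifies the root field of a shadow(5) file and lists bypass parameters from a command-line string. It treats both `!` and `*` as a locked field and makes no claim about which marker the installer writes; the sample shadow lines in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies the root entry of a
# shadow(5) file and flags kernel command-line words that bypass the
# normal login path. Sample data below is constructed for illustration.

# root_shadow_state FILE
# Prints one of:
#   empty   - root has no password at all (any login for root succeeds)
#   locked  - field starts with '!' or '*': no password can match
#   hashed  - a password hash is present
#   missing - no root line in FILE
root_shadow_state() {
    field=$(awk -F: '$1 == "root" { print $2; found = 1 }
                     END { if (!found) print "__MISSING__" }' "$1")
    case "$field" in
        __MISSING__) echo missing ;;
        "")          echo empty ;;
        '!'*|'*'*)   echo locked ;;
        *)           echo hashed ;;
    esac
}

# boot_bypass_params CMDLINE
# Prints, one per line, the words in CMDLINE that reach a root shell
# without a normal login: the single-user runlevel words and any
# init= override (as discussed in the thread). Prints nothing if none.
boot_bypass_params() {
    for word in $1; do
        case "$word" in
            single|s|S|1|init=*) printf '%s\n' "$word" ;;
        esac
    done
}

# Demo on a constructed shadow file and two constructed command lines.
demo_shadow=$(mktemp)
printf 'root:*:14000:0:99999:7:::\n'          >  "$demo_shadow"
printf 'user:$6$salt$hash:14000:0:99999:7:::\n' >> "$demo_shadow"
echo "root entry in constructed shadow: $(root_shadow_state "$demo_shadow")"
rm -f "$demo_shadow"
echo "bypass words in 'root=/dev/sda1 ro quiet': [$(boot_bypass_params 'root=/dev/sda1 ro quiet')]"
echo "bypass words in 'root=/dev/sda1 ro single': [$(boot_bypass_params 'root=/dev/sda1 ro single')]"
echo "bypass words in 'root=/dev/sda1 init=/bin/sh': [$(boot_bypass_params 'root=/dev/sda1 init=/bin/sh')]"
```

On a live system the same functions can be pointed at `/etc/shadow` (as root) and at the contents of `/proc/cmdline`; the second function only inspects a string, so it is equally usable on a boot-loader configuration line.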




