Page 1 of 3 123 LastLast
Results 1 to 10 of 23

Thread: what happens with a faked repository

  1. #1
    Join Date
    Jul 2005
    Beans
    407

    what happens with a faked repository

    Hello,

    My question is about a certain scenario: Say I have connected to an unknown wireless or wired network using my ubuntu laptop. The DNS server ip addresses for this network have been set(by the owner of the network or by a malicious hacker) to point to a fake, malicious DNS server set up by that person. Now, I try to update my ubuntu system using the commands
    sudo apt-get update
    sudo apt-get dist-upgrade
    sudo apt-get dselect-upgrade

    Now, the fake DNS server directs one of the repositories(say us.archive.ubuntu.com or packages.medibuntu.org or some other repo) to a false, malicious ip address set up by that person where he has set up a fake, malicious repository. The upgrade process reports to me that there are software upgrades(updates) for my ubuntu system and I give my assent to install those upgrades(updates). So, the fake, malicious upgrades(updates) are installed on my ubuntu system and the malicious guy/hacker has managed to install malware/spyware/viruses on my ubuntu system. Is such a scenario possible?

  2. #2
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    8,115
    Distro
    Kubuntu Development Release

    Re: what happens with a faked repository

    Yes, it's possible but highly unlikely.

    If you're worried about this, pick a different repository server. I use one located at a nearby university. There are hundreds of options.
    If you ask for help, please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  3. #3
    Join Date
    Jan 2008
    Location
    Nappanee, IN
    Beans
    602
    Distro
    Xubuntu 12.04 Precise Pangolin

    Re: what happens with a faked repository

    Said malicious hacker would have to not just control the DNS, the repository would also have to fake the 'signatures' of the repositories and packages, which I believe have an AES two-part encryption.

  4. #4
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    8,115
    Distro
    Kubuntu Development Release

    Re: what happens with a faked repository

    You're right. I forgot entirely about package signing. I believe an effective compromise would require gaining access to Canonical's private key that is used to sign the packages. There was an event like this in 2008 when someone breached Fedora's signing server. While RedHat didn't believe the passphrase was compromised, they judiciously changed it anyway.
    Last edited by SeijiSensei; November 10th, 2012 at 11:34 AM.
    If you ask for help, please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  5. #5
    Join Date
    Mar 2011
    Beans
    664

    Re: what happens with a faked repository

    PGP would prevent this. They would need the private keys from the repository to sign their payloads, otherwise they'd send it over and the update would fail.

    Of course, certificates get stolen all the time, which is why I've said before that updates should be handled over HTTPS to prevent MITM attacks where the signatures have been stolen.

  6. #6
    Join Date
    Jan 2008
    Location
    Nappanee, IN
    Beans
    602
    Distro
    Xubuntu 12.04 Precise Pangolin

    Re: what happens with a faked repository

    @Hungry Man: I'm not sure how you would set up for an https:// connection to a local repository on a LAN. SSH, yes, but for https:// you would almost have to have a web server.

  7. #7
    Join Date
    Mar 2011
    Beans
    664

    Re: what happens with a faked repository

    Right now updates are handled through HTTP. All of the repos on the list are HTTP sites.

  8. #8
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: what happens with a faked repository

    Quote Originally Posted by SeijiSensei View Post
    Yes, it's possible but highly unlikely.
    No, it's not possible. The attacker would not have Ubuntu's repository signing key and the "update" would fail.
    Occam's Razor for computers: Viruses must never be postulated without necessity -- nevius

    My Blog

  9. #9
    Join Date
    Jan 2008
    Location
    Nappanee, IN
    Beans
    602
    Distro
    Xubuntu 12.04 Precise Pangolin

    Re: what happens with a faked repository

    Quote Originally Posted by Hungry Man View Post
    Right now updates are handled through HTTP. All of the repos on the list are HTTP sites.
    Actually that isn't quite correct. Some mirrors are ftp sites for both downloads and updates.

  10. #10
    Join Date
    Jul 2005
    Beans
    407

    Re: what happens with a faked repository

    Hello,

    From what I understand, you are saying that the scenario I mentioned won't happen because the fake packages won't have the correct signatures, right? If the signatures don't match, what happens? Does apt give me a warning or something? Or does it give an error message and exit?

Page 1 of 3 123 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •