Linux build in security flaws: repost from other forum

News and discussion about development of the Debian OS itself

Linux build in security flaws: repost from other forum

Postby Sun_Smile » 2021-03-27 15:50

Hello,

i would like to forward descriptions of Debian security flaws. Author of the comments is dmknght, one of the devs of one of Linux, Debian Like distributions : Parrot OS, which you perhaps heard about.

On the distro forum page, is a topic called "Linux insecurity. Opinions", which you can find under :
https://community.parrotsec.org/t/linux ... ions/18379


let me go forward and paste them here.
perhaps devs could find something interesting for them to implement to the new Debian 2021 distribution

Yes Linux has security problems by design. X11 server allows any process captures keyboard events of other processes that leads to keylogging (check Xspy).
The package installer of Debian, `dpkg` (i haven’t tested any other installers so i can’t say) can infect malicious scripts/ binaries as root permission silently.
Here is my walkthrough Infect target with .deb package 1.: https://community.parrotsec.org/t/infec ... kage/18112 In this case, MacOS has a feature that verify packages and warn users about untrusted packages so at least it has “something” and Debian has nothing.

This tool allows attackers dump passwords from RAM GitHub - huntergregal/mimipenguin:
A tool to dump the login password from the current linux user: https://github.com/huntergregal/mimipenguin
According to the Readme

A tool to dump the login password from the current linux desktop user. Adapted from the idea behind the popular Windows tool mimikatz. This was assigned CVE-2018-20781 (https://cve.mitre.org/cgi-bin/cvename.c ... 2018-20781). Fun fact it's still not fixed after GNOME Keyring 3.27.2 and still works as of 3.28.0.2-1ubuntu1.18.04.1.


On Linux, you have unknown interpreters and known interpreter could allow process to create reverse shell and pty shell.
For example expect command https://stackoverflow.com/a/45130404, `tsh shell`, … and you barely know about it or you don’t even know it is in your system.


For example, sudo could be a sink hole (idk if i am using this word correctly). Non-root users + daemon users + root users is always harder to get privs than daemon users + sudo users + root users.
Parrot OS has some preinstalled tools to protect privacy and encrypt data. encryptpad isn’t on the Debian repo, so does anonsurf and some tools are not preinstalled. But it also means there are more place for 0days could be exploited.
Debian doesn’t have much (more) preinstalled packages compare with Parrot. So, again, it has less attack surfaces.
Parrot could add some more hardening rules, sandbox solutions (again but more stable), or even preinstalled AV but security is an illusion. Nothing is perfect. (Yeah i’m still having an idea of create new open source AV).
Now is the super insecure point of Parrot, but that wasn’t Parrot team’s fault

1. This is command injection of `searchsploit`, exploitdb command to search. In real world, the attack impact is not so high but it is an example of all tools can have vulnerabilities and you dont know which has vulnerabilities in your system Command injection in exact search (version 4.1.3) ·
Issue #189 · offensive-security/exploitdb · GitHub https://github.com/offensive-security/e ... issues/189

2. Package Xspy, X11 keylogger is preinstalled in Security edition and it has EXECUTABLE PERMISSION AND ANY USER ON SYSTEM CAN EXECUTE IT. That means if you are attacked by any attacker that has daemon user, they can execute it and get yys after the last reply. New replies are no longer allowed.our user’s password. And i have to mention again, Parrot uses sudo so if they can capture your sudo, yep the whole system is fucked. I don’t know why they package the binary like that. I fixed permission to 700 and moved the binary to `/usr/share/` instead of `/usr/bin/` so it is no longer being executed by any users. The same stories go to other packages that use on target’s machine only.



There is other thead on this topic: "ParrotOS hardening" https://community.parrotsec.org/t/parro ... g/11649/15
which reference to some options, let me post them here briefly:

* We can have security-misc 30 package from Whonix pre-installe
- https://github.com/Whonix/security-misc/
- https://www.whonix.org/wiki/Security-mi ... g_Features

* Last but not least i recommend the pre-installation maybe of LKRG(Linux Runtime Kernel Guard)
- https://www.openwall.com/lkrg/
- https://www.whonix.org/wiki/Linux_Kerne ... Guard_LKRG
- Looks neat, but the project is run by one man, who has a fulltime job. I’m not saying his project is bad, moreover I had some similar ideas with Protecred Features he was talking about (old users remember my posts) https://www.youtube.com/watch?v=tOiPM692DOM

* CIS Benchmarks - Securing Debian Linux - This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 9 systems running on x86 and x64 platforms.
- https://www.cisecurity.org/benchmark/debian_linux/
- https://nvd.nist.gov/ncp/checklist/887

* Securing Debian Manual 3.19, 2017
- https://www.debian.org/doc/manuals/secu ... ex.en.html

***
This short document was put together with the vision of sharing the perspective of some other developers in discussing elements of system security integrity, as you cannot be everywhere while working hard on all other areas of your development activities. Let me take this opportunity to thank you for your tireless work, with the hope that at least some parts of the above text, might be of help to you in your upcoming work
Sun_Smile
 
Posts: 2
Joined: 2021-03-27 12:39

Re: Linux build in security flaws: repost from other forum

Postby Head_on_a_Stick » 2021-03-27 17:29

Sun_Smile wrote:X11 server allows any process captures keyboard events of other processes that leads to keylogging

Debian's default desktop uses Wayland and so does not suffer this vulnerability.

Sun_Smile wrote:The package installer of Debian, `dpkg` (i haven’t tested any other installers so i can’t say) can infect malicious scripts/ binaries as root permission silently.
Here is my walkthrough Infect target with .deb package 1.: https://community.parrotsec.org/t/infec ... kage/18112 In this case, MacOS has a feature that verify packages and warn users about untrusted packages so at least it has “something” and Debian has nothing.

APT conducts full security checks before installing packages from repositories: https://wiki.debian.org/SecureApt

Furthermore all of the packages in Debian's repositories are fully reproducible: https://wiki.debian.org/ReproducibleBuilds

It is true that manually installed .deb packages are not verified but anybody who is foolish enough to do that deserves what they get IMO.

Sun_Smile wrote:This tool allows attackers dump passwords from RAM GitHub - huntergregal/mimipenguin

That tool only works with root privileges... :roll:

Sun_Smile wrote:On Linux, you have unknown interpreters and known interpreter could allow process to create reverse shell and pty shell.
For example expect command https://stackoverflow.com/a/45130404, `tsh shell`, … and you barely know about it or you don’t even know it is in your system.

That command is not included in a Debian system by default so the user would most certainly know it was present because they would have installed it.

Sun_Smile wrote:Let me take this opportunity to thank you for your tireless work

There are no Debian developers here, this is a user forum. Try the mailing lists instead.
Black Lives Matter

Debian buster-backports ISO image: for new hardware support
User avatar
Head_on_a_Stick
 
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Linux build in security flaws: repost from other forum

Postby Bulkley » 2021-03-27 19:27

Head_on_a_Stick wrote:Debian's default desktop uses Wayland . . .


Really? I know Gnome needs Wayland but default? Whenever I've used something with Wayland I ran into trouble. Is it going to be default in Bullseye?
Bulkley
 
Posts: 6102
Joined: 2006-02-11 18:35

Re: Linux build in security flaws: repost from other forum

Postby Head_on_a_Stick » 2021-03-28 07:16

GNOME has used Wayland by default since the buster release: https://www.debian.org/releases/stable/ ... t-on-gnome

Wayland is far more usable than the nay-sayers would have you believe. See also https://drewdevault.com/2019/02/10/Wayl ... unked.html & https://drewdevault.com/2021/02/02/Anti ... eshit.html
Black Lives Matter

Debian buster-backports ISO image: for new hardware support
User avatar
Head_on_a_Stick
 
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Linux build in security flaws: repost from other forum

Postby trinidad » 2021-03-29 18:54

Wayland is far more usable than the nay-sayers would have you believe


Yes indeed +++

Pseudo-geekdom whined endlessly at first about x11 forwarding with ssh under wayland, when all one needed to do was append a few new characters to their ssh commands. It has handcuffed/slowed some developers short of resources none more important than XFCE, but the future is irresistible and with KDE ever closer wayland is here to stay because they are not short on developers or resources. It's just better, coded cleaner, aimed at better newer hardware, and more secure anyway. Why wouldn't users want that?

TC
You can't believe your eyes if your imagination is out of focus.
trinidad
 
Posts: 167
Joined: 2016-08-04 14:58

Re: Linux build in security flaws: repost from other forum

Postby LE_746F6D617A7A69 » 2021-04-01 20:39

Sun_Smile wrote:X11 server allows any process captures keyboard events of other processes that leads to keylogging

This is a CVE-1999-0526, reported over 20 year ago. Today, It's impossible to break into X11 in this way, unless some really stupid admin will enable anonymous connections from anywhere, without using secure tunnelling - not much different from posting Your root password on a forum.
Bill Gates: "(...) In my case, I went to the garbage cans at the Computer Science Center and I fished out listings of their operating system."
The_full_story and Nothing_have_changed
LE_746F6D617A7A69
 
Posts: 470
Joined: 2020-05-03 14:16


Return to Debian Development

Who is online

Users browsing this forum: No registered users and 9 guests

fashionable