package: debian-installer
severity: important
tags: security

there is now an option in the expert mode of the debian-installer that
allows the user to install their system without a root account
(replacing it with sudo privileges for the default user). this exposes
a loophole that enables local attackers to easily obtain root access.

details: 

since no root password is set up during installation, a local attacker
can simply boot straight into the root account (without being prompted
for a password) via single user mode (the "single" kernel option). from
there he/she can do all kinds of malicious things, but the easiest would
be to simply change the root password, thus owning the machine. and
since the user never logs in with the root password him/herself, he/she
would never realize that an attacker had gotten in (unless he/she
diligently reviews logs). [1] discusses the details of this method for
password recovery, but the same steps can be used for malicious purposes,
of course.

potential solutions:

1. always create a root password (e.g. set up a random root password,
rather than no password at all, during the no-root debian-installer
setup page). note that this can be done today without weakening the
no-root setup, since "su" still prompts for the (unknown) root password.

2. drop the user to a full login prompt when booting into single user
mode; thus requiring a valid user account and sudo to perform
administrative actions.  note that it may be possible to circumvent
this via the "init" kernel option, for example "init=/bin/bash".

3. disable the no-root setup page in debian-installer.

the third option may be the easiest to implement immediately,
especially since it's an experimental option in the expert mode of the
installer. the second option is probably the most robust in principle,
but, as noted above, it may be easy to circumvent via the "init" kernel
option, and it would require changes to single user mode such as
automatically mounting /home, which may make single user mode harder to
use (one use case for this mode is to recover or scan /home, and if it's
already mounted, that's more difficult).
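The two conditions discussed above (a root entry with no password at all, and a boot with the "single" or "init=" kernel options) can both be checked from a shell. The script below is an added example, not part of this bug report or of debian-installer: it classifies the root line of a shadow-format file as empty / locked / set, and lists the kernel command-line tokens that bypass the normal multi-user login path. The shadow lines and command lines it runs on are constructed sample data, written to a temporary directory; the hash in the "set" sample is a placeholder, not a real password hash.

```shell
#!/bin/sh
# Added example (not from the bug report): inspect the root account's
# password state and flag boot parameters that lead to an unauthenticated
# root shell. All input below is constructed for the demonstration.

# root_pw_state FILE -> prints one of: empty | locked | set | missing
# The second colon-separated field of the root line is the password hash.
root_pw_state() {
    line=$(grep '^root:' "$1" 2>/dev/null | head -n 1)
    [ -n "$line" ] || { echo missing; return 0; }
    pw=$(printf '%s\n' "$line" | cut -d: -f2)
    case "$pw" in
        '')        echo empty ;;   # no password: single-user boot gives a root shell unprompted
        '!'*|'*'*) echo locked ;;  # locked account (what a no-root install leaves behind)
        *)         echo set ;;     # a hash is present, so root can be authenticated
    esac
}

# risky_boot_params "CMDLINE" -> prints, one per line, the tokens that skip the
# multi-user login path: the sysvinit single-user aliases ("single", "S", "1")
# and any init= override (e.g. init=/bin/bash). Prints nothing if none are found.
risky_boot_params() {
    for tok in $1; do
        case "$tok" in
            single|S|1) echo "$tok" ;;
            init=*)     echo "$tok" ;;
        esac
    done
}

# --- constructed sample data (not taken from any real system) ---
DEMO_DIR=$(mktemp -d)
printf 'root::14500:0:99999:7:::\n'  > "$DEMO_DIR/shadow.empty"   # empty hash field
printf 'root:!:14500:0:99999:7:::\n' > "$DEMO_DIR/shadow.locked"  # locked with "!"
printf 'root:$6$examplesalt$placeholderhash:14500:0:99999:7:::\n' \
    > "$DEMO_DIR/shadow.set"                                       # placeholder hash

for f in empty locked set; do
    printf 'shadow.%s: root password state = %s\n' \
        "$f" "$(root_pw_state "$DEMO_DIR/shadow.$f")"
done
printf 'risky tokens in "... quiet single": %s\n' \
    "$(risky_boot_params 'root=/dev/sda1 ro quiet single')"
printf 'risky tokens in "... init=/bin/bash": %s\n' \
    "$(risky_boot_params 'root=/dev/sda1 ro init=/bin/bash')"
```

On a real machine, point root_pw_state at /etc/shadow (it must be read as root) and feed risky_boot_params the contents of /proc/cmdline, or the "Kernel command line:" line that the kernel logs at boot, to see whether the last boot went through one of the paths described in this report.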

justification for why a fix for this problem is necessary:

there are levels of vulnerability/security. at the lowest level are
pure software vulnerabilities (such as this issue), which require
absolutely no effort from a local attacker. a hardware-assisted exploit,
however, requires surreptitious entry, more time, and more preparation
(and it looks suspicious, and can be somewhat prevented by limiting
access to areas via locks, valid users only, etc). the user can also
increase their security by disabling boot from removable media in the
bios, which would force the attacker to spend more time opening up the
machine, which is even more suspicious.

at each level it takes more and more time for the attacker to exploit
the vulnerability, thus increasing the chance of detecting them: less
than a minute for the software exploit, tens of minutes for a
hardware-assisted one, and longer still for resetting the bios.

severity:

note that the severity of this problem is fairly low right now since
no-root is a non-default option in the "expert" installer. hence, few
debian systems are likely exposed; but regardless, this problem should
be fixed asap. note that no-root has been the default installer
behavior for ubuntu (since at least dapper, i think), so it is a much
more severe issue for them.

[1] http://linuxwave.blogspot.com/2008/09/ubuntu-forgotten-password.html
