Anton Chuvakin <[EMAIL PROTECTED]> writes:

> Hello Chris and all,
>
> Thanks for the message.
>
>> What won't work in this situation is attackers that have the md5sums
>> or signatures for various binaries on the machine that you are
>> intending to replace.
>
> Hmm, that was the point of my question, to some extent. How would an
> attacker (possessing the md5sums for valid packages and md5sums for hacked
> packages) go about updating the rpm database to pass the ? Are there any
> tools (in rootkits or elsewhere) to accomplish it?
Ok. Let's take a step back in explanation. I used md5sums of the binaries to
mean the actual md5(filename) => stuff and not the md5sum entry in the
/usr/lib/rpm database. The installed version of the package has
checksums/permissions for every file in the package. You can rebuild a
package with the same name and just upgrade over an old one and pass the
rpm -V test.

The GPG check comes here:

  % rpm --checksig wireless-tools-21-1.src.rpm
  wireless-tools-21-1.src.rpm: md5 gpg OK

Only when you have the uninstalled rpm does checksig do anything for you.
It's designed to be able to trust that where you get a package from is
made by the person that says they made it.

Now, let's say your distro comes with socks5-1.0r11-3.i386.rpm installed.
Now let's say you create a package named socks5-1.0r11-4.i386.rpm. When
you do rpm -Uvh socks5-1.0r11-4.i386.rpm, you will uninstall the old one
and install the new one. You could also name it the same thing as
previously and install it; I'm just using this upgrade path as an example.

The md5sums of files to an external entity will be different (assuming the
code is different, etc.). However, these different md5sums will be
installed in the new rpm database and rpm -V socks5 will return with no
visible errors.

Now say an attacker does md5sum(file) instead of looking at the rpm
database. They will notice things have changed.

The easiest way to update it is to have custom rpms and let rpm do the
dirty work for you. There are tools that can work on the database and
there are rpmperl bindings that can also help manipulate.

-- 
Chris Green <[EMAIL PROTECTED]>
Laugh and the world laughs with you, snore and you sleep alone.
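As an added example (not from either post in this thread), here is a small Python model of the distinction Chris draws: a check that trusts the on-host package database passes after a rebuilt package is upgraded over the original, while a checksum baseline kept off-host flags the changed file. The file path and contents are constructed, and `install` / `rpm_style_verify` are stand-ins for rpm's behaviour, not its API.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash the file itself, as an external checker would, instead of
    trusting a checksum recorded in the package database."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def rpm_style_verify(db: dict, root: Path) -> set:
    """Stand-in for `rpm -V`: compare each installed file against the
    checksum stored in the on-host package database. After a rebuilt
    package is upgraded over the original, the database entry was updated
    together with the file, so nothing is reported."""
    return {f for f, digest in db.items() if sha256_file(root / f) != digest}


def baseline_verify(baseline: dict, root: Path) -> set:
    """Compare against a baseline captured while the install was known good
    and stored where the host cannot rewrite it (read-only media, another
    machine)."""
    return {f for f, digest in baseline.items() if sha256_file(root / f) != digest}


def install(root: Path, db: dict, relpath: str, content: bytes) -> None:
    """Stand-in for `rpm -Uvh`: write the file and record its checksum in
    the package database (hypothetical helper, not rpm's API)."""
    target = root / relpath
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(content)
    db[relpath] = sha256_file(target)


def demo() -> tuple:
    """Constructed scenario: original package, then a rebuilt package
    upgraded over it. Returns (rpm-style findings, baseline findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        db: dict = {}
        install(root, db, "usr/bin/socks5", b"original socks5 binary\n")  # constructed
        baseline = dict(db)  # snapshot taken at install time, kept off-host
        install(root, db, "usr/bin/socks5", b"rebuilt socks5 binary\n")   # the upgrade
        return rpm_style_verify(db, root), baseline_verify(baseline, root)


if __name__ == "__main__":
    db_result, baseline_result = demo()
    print("rpm -V style check:", db_result or "no errors")
    print("external baseline check:", baseline_result or "no errors")
```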