Plugin to check MD5 sum on certain files

Dan Stromberg strombrg at dcs.nac.uci.edu
Mon Nov 8 20:53:14 CET 2004


On Sat, 2004-11-06 at 05:03, Andreas Ericsson wrote:

> > 
> > I believe this would be difficult - generating a trojaned ls with the
> > same md5 sum.  md5 is designed to distribute small bits of a file, from
> > all over within that file, across different parts of the digest.
> > 
> 
> You're attacking the wrong end of the problem. If someone can trojan 
> some of your binaries, they can trojan ALL your binaries (assuming 
> you're not a complete idiot who has given write permissions away on 
> some of your $PATH directories to non-root users).

Trojaning binaries in a read-only, NFS mounted volume is possible, but
difficult.

Alternatively, or additionally, you can NFS mount the filesystem you
intend to check and run a trusted md5 and sha-1 generator on a trusted
system.

> A trojaned md5sum program would not report the proper md5sum, but rather 
> some hardcoded value which the attacker retrieves from the 'real' ls and 
> compiles in to the new md5sum program. If you can't trust one root-owned 
> mode 755 binary, you can't trust any other either. It's as simple as that.

Clearly.

> > It's not like you can just assume a one to one mapping, or tack some
> > crud on the end.
> 
> I know perfectly well how md5 hashing works. I also know that what 
> you're trying to implement is utterly useless unless you run everything 
> off some non-writable media. It just won't work. Worse, it will create a 
> false sense of security, so a possible attacker can hang on to your 
> system for a much longer period once properly compromised.

So why are we ruling out nonwritable media?  :)  Granted, that's
fakeable too, but like I said above, it's hard.  And we already had
nonwritable media in the discussion anyway, so there's no point in
arbitrarily ruling it out for one purpose and not another.

Please don't spin the "false sense of security" yarn again.  That's so
overused.  Better to light a candle in the darkness, than to complain
that it isn't a floodlight and do nothing.  An effort doesn't have to be
100% effective to be valuable.
