2013-03-06 23:50:39 | Kevin Blackham | bug | | | added bug
2013-03-07 04:13:50 | Kevin Blackham | bug | | | added subscriber Ante Karamatić
2013-03-07 04:59:19 | Kevin Blackham | bug | | | added subscriber Ben Howard
2013-03-07 05:32:18 | Ben Howard | ubuntu: assignee | | Ben Howard (utlemming) |
2013-03-07 05:32:19 | Ben Howard | ubuntu: importance | Undecided | Medium |
2013-03-07 05:35:09 | Ben Howard | summary | Amazon AMIs fail debsums out of the box | live-build causes installation old /sbin/initctl and start-stop-daemon to be installed |
2013-03-07 05:35:33 | Ben Howard | summary | live-build causes installation old /sbin/initctl and start-stop-daemon to be installed | live-build causes installation old /sbin/initctl and start-stop-daemon to be installed in Cloud Images |
2013-03-07 05:35:48 | Ben Howard | information type | Private Security | Public |
2013-03-07 05:37:00 | Launchpad Janitor | ubuntu: status | New | Confirmed |
2013-03-07 05:37:43 | Ante Karamatić | affects | ubuntu | live-build (Ubuntu) |
2013-03-07 22:34:48 | Ben Howard | live-build (Ubuntu): status | Confirmed | Fix Committed |
2013-03-07 22:58:40 | Ben Howard | bug watch added | | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702537 |
2013-03-07 22:58:40 | Ben Howard | bug task added | | live-build (Debian) |
2013-03-08 14:19:29 | David Medberry | bug | | | added subscriber David Medberry
2013-03-12 06:46:51 | Bug Watch Updater | live-build (Debian): status | Unknown | Fix Committed |
2013-04-03 19:10:52 | Bug Watch Updater | live-build (Debian): status | Fix Committed | Fix Released |
2013-11-21 02:54:39 | Timothy R. Chavez | bug | | | added subscriber Timothy R. Chavez
2015-07-21 20:02:31 | Adam Conrad | nominated for series | | Ubuntu Trusty |
2015-07-21 20:02:31 | Adam Conrad | bug task added | | live-build (Ubuntu Trusty) |
2015-07-21 20:17:58 | Adam Conrad | description |
I've encountered at least five different Amazon AMIs which all fail debsums right out of the box. The offending binaries are upstart: /sbin/initctl and dpkg: /sbin/start-stop-daemon. Both are handy locations to drop a rootkit. Most prominently, the banner-choice for the GUI AWS console wizard in us-east-1 is ami-3fec7956, which seems to be created by Canonical (ami-3fec7956 099720109477/ubuntu/images/ebs/ubuntu-precise-12.04-amd64-server-20130124).
us-east-1: ami-3fec7956, ami-de0d9eb7
us-west-1: ami-b81230fd
us-west-2: ami-da1810ae
ap-northeast-1: ami-77cf4976
I analyzed only initctl, as it was the first to trip my alarms. In the following examples, the left side is the one from the upstart package version dpkg claims to have installed, the right is the one actually on the system.
* A side-by-side hex/ascii of the diff: http://pastebin.com/raw.php?i=JGN1rMC5
* The same, with some color: http://cl.ly/image/2x2l3S1j1f38
* A side-by-side comparison of objdump --disassemble-all: http://pastebin.com/raw.php?i=5ppcJG2H
* The same, with some color: http://cl.ly/image/2d0w1I3W083x
The file size is the same, but clearly it is not the one from the package. objdump interpreted this delta as having a mov instruction, then executing a conditional jump. This "looks" scary, but I'm no expert. This may be only a side-effect of trying to disassemble code.
This is either malicious, or a totally benign mistake, but in either case, Canonical should not be distributing AMIs which cannot pass rudimentary integrity checks.
To reproduce, simply start an AWS instance with one of these AMIs, install debsums, and run something like:
for PKG in $(dpkg --get-selections | awk '{print $1}'); do echo "${PKG}:" >> failsums; debsums "$PKG" | grep FAILED >> failsums; done
|
[ SRU Info ]
See bug #1363519
[ Original Report ]
I've encountered at least five different Amazon AMIs which all fail debsums right out of the box. The offending binaries are upstart: /sbin/initctl and dpkg: /sbin/start-stop-daemon. Both are handy locations to drop a rootkit. Most prominently, the banner-choice for the GUI AWS console wizard in us-east-1 is ami-3fec7956, which seems to be created by Canonical (ami-3fec7956 099720109477/ubuntu/images/ebs/ubuntu-precise-12.04-amd64-server-20130124).
us-east-1: ami-3fec7956, ami-de0d9eb7
us-west-1: ami-b81230fd
us-west-2: ami-da1810ae
ap-northeast-1: ami-77cf4976
I analyzed only initctl, as it was the first to trip my alarms. In the following examples, the left side is the one from the upstart package version dpkg claims to have installed, the right is the one actually on the system.
* A side-by-side hex/ascii of the diff: http://pastebin.com/raw.php?i=JGN1rMC5
* The same, with some color: http://cl.ly/image/2x2l3S1j1f38
* A side-by-side comparison of objdump --disassemble-all: http://pastebin.com/raw.php?i=5ppcJG2H
* The same, with some color: http://cl.ly/image/2d0w1I3W083x
The file size is the same, but clearly it is not the one from the package. objdump interpreted this delta as having a mov instruction, then executing a conditional jump. This "looks" scary, but I'm no expert. This may be only a side-effect of trying to disassemble code.
This is either malicious, or a totally benign mistake, but in either case, Canonical should not be distributing AMIs which cannot pass rudimentary integrity checks.
To reproduce, simply start an AWS instance with one of these AMIs, install debsums, and run something like:
for PKG in $(dpkg --get-selections | awk '{print $1}'); do echo "${PKG}:" >> failsums; debsums "$PKG" | grep FAILED >> failsums; done
|
|
2015-07-21 20:43:32 | Launchpad Janitor | live-build (Ubuntu): status | Fix Committed | Fix Released |
2015-07-21 20:49:30 | Brian Murray | live-build (Ubuntu Trusty): status | New | Fix Committed |
2015-07-21 20:49:32 | Brian Murray | bug | | | added subscriber Ubuntu Stable Release Updates Team
2015-07-21 20:49:34 | Brian Murray | bug | | | added subscriber SRU Verification
2015-07-21 20:49:39 | Brian Murray | tags | | verification-needed |
2015-07-21 22:38:55 | Adam Conrad | nominated for series | | Ubuntu Vivid |
2015-07-21 22:38:55 | Adam Conrad | bug task added | | live-build (Ubuntu Vivid) |
2015-07-21 22:39:09 | Adam Conrad | live-build (Ubuntu Trusty): assignee | | Adam Conrad (adconrad) |
2015-07-21 22:39:10 | Adam Conrad | live-build (Ubuntu Vivid): assignee | | Adam Conrad (adconrad) |
2015-07-21 22:57:06 | Brian Murray | live-build (Ubuntu Vivid): status | New | Fix Committed |
2015-07-23 01:08:57 | Adam Conrad | tags | verification-needed | verification-done |
2015-07-28 17:04:15 | Launchpad Janitor | live-build (Ubuntu Trusty): status | Fix Committed | Fix Released |
2015-07-28 17:04:24 | Adam Conrad | removed subscriber Ubuntu Stable Release Updates Team | | |
2015-07-28 20:54:59 | Launchpad Janitor | live-build (Ubuntu Vivid): status | Fix Committed | Fix Released |