dshaw at jabberwocky.com
Thu Jun 12 01:02:00 CEST 2008
On Wed, Jun 11, 2008 at 04:31:45PM -0400, michael graffam wrote:
> On Wed, Jun 11, 2008 at 3:56 PM, David Shaw <dshaw at jabberwocky.com> wrote:
> > If the attacker had access to your machine to implement the LD_PRELOAD
> > attack, there are literally dozens of ways they can similarly steal
> > whatever data they are trying to steal. Why do a very complex attack
> > involving replacing libraries when they could just replace the GPG
> > binary itself?
> Replacing the GPG bin requires root. An LD_PRELOAD'ed lib doesn't.
Try it. I don't have to replace it for everyone - just you, and if I
can write to your computer, I can make you run any binary I want.
Remember, you own your own shell .rc file.
> > Or add a shell script named 'gpg' and put it in your
> > search path ahead of the real gpg?
> Again, root.
> > Or turn on typescript by default.
> Doesn't save GPG passphrases.
Why would I care about getting your passphrase if I can get everything
you typed into the message before it was encrypted?
Still, just for laughs, here's a hack that will save everything typed
on a particular terminal, including passphrases (real error checking
and proper handling of sigchld left up to the reader):
int main(int argc, char *argv[])
struct termios term;
> > Or load a kernel module that changes the meaning of system calls. Or
> > replace the rng with one that isn't random. Or, or, or.
> Root, root, root.
Do you seriously think that someone who can write to your user-level
account can't get root pretty soon? This can be as complex as reading
bugtraq for a while until a buffer overrun comes along, or as simple
as arranging for "su" to go somewhere else.
> Get it yet? LD_PRELOAD enables attacks against GPG w/o requiring full access
> to the box. The attacker just needs access to the user's account.
I do get it. I'm not convinced that you do.
If an attacker has access to the user's account, it's game over. At
that point, it's just a question of which particular method the attacker
will choose to completely own you.
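An added example, not part of the thread and not David's or the GnuPG project's code: a small POSIX shell audit for the user-level vectors the discussion names (a 'gpg' shadowed earlier in PATH, LD_PRELOAD in the environment or in a shell rc file, a gpg alias or function in an rc file), which a defender can run from a login hook or cron job. It assumes the expected gpg path and the rc files to inspect are passed as arguments; the function and tag names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: audit the user-level hijack vectors
# named in the discussion, none of which needs root: a 'gpg' ahead of the
# real one in PATH, LD_PRELOAD set in the environment or exported from a
# shell rc file, a gpg alias/function in an rc file; plus /etc/ld.so.preload.
# Usage: audit_gpg_vectors EXPECTED_GPG_PATH [RC_FILE...]
# Each finding is one line "TAG detail"; no output means nothing was found.

# Prefix every line of stdin with "TAG file:" (grep -n hands us "N:text").
report() {
    while IFS= read -r hit; do
        printf '%s %s:%s\n' "$1" "$2" "$hit"
    done
}

audit_gpg_vectors() {
    expected="$1"; shift

    # 1. Which gpg would this shell actually run? Anything but the expected
    #    binary means a shadow earlier in PATH (or an alias/function).
    found=$(command -v gpg 2>/dev/null || true)
    if [ -n "$found" ] && [ "$found" != "$expected" ]; then
        printf 'PATH-SHADOW %s\n' "$found"
    fi

    # 2. LD_PRELOAD already present in the current environment.
    if [ -n "${LD_PRELOAD:-}" ]; then
        printf 'ENV-LD_PRELOAD %s\n' "$LD_PRELOAD"
    fi

    # 3. System-wide preload list: writing it needs root, reading it does not.
    if [ -s /etc/ld.so.preload ]; then
        printf 'LD_SO_PRELOAD %s\n' "$(tr '\n' ' ' < /etc/ld.so.preload)"
    fi

    # 4. Shell rc files the user owns: LD_PRELOAD assignments, gpg overrides,
    #    PATH changes. Hits keep their line number for a human to review;
    #    commented-out lines are reported too (a false positive is cheap).
    for rc in "$@"; do
        [ -r "$rc" ] || continue
        grep -n 'LD_PRELOAD=' "$rc" | report RC-LD_PRELOAD "$rc"
        grep -nE '^[[:space:]]*(alias[[:space:]]+gpg=|gpg[[:space:]]*[(][)]|function[[:space:]]+gpg)' "$rc" \
            | report RC-GPG-OVERRIDE "$rc"
        grep -nE '^[[:space:]]*(export[[:space:]]+)?PATH=' "$rc" | report RC-PATH "$rc"
    done
}

# Example: audit_gpg_vectors /usr/bin/gpg "$HOME/.bashrc" "$HOME/.profile" "$HOME/.zshrc"
```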