Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Signature verification bypass attack #229

Closed
micahflee opened this issue Mar 13, 2016 · 3 comments
Closed

Signature verification bypass attack #229

micahflee opened this issue Mar 13, 2016 · 3 comments
Labels
Milestone

Comments

@micahflee
Copy link
Owner

Jann Horn reported a clever security issue that lets an attacker bypass PGP signature verification. Because Tor Browser Launcher uses defense in depth, an attacker would need to combine this attack with other attacks before they could succeed in an exploit. Specifically, they would need to be in a position to man-in-the-middle the download and also defeat the HTTPS connection to https://dist.torproject.org/ or one of the mirrors.

The first time you run Tor Browser Launcher, it works like this:

The problem is that gpg --verify can be ambiguous. If $sigfile is tor-browser-linux64-5.5.3_en-US.tar.xz.asc, it can either mean that that's a detached signature and the content is in tor-browser-linux64-5.5.3_en-US.tar.xz, or it can mean that it's the content is included in the same file.

If an attacker can MITM connections to https://dist.torproject.org/ or whatever mirror is set, and their MITM server uses a trusted certificate, then they can replace $sigfile with a single file that contains the valid Tor Browser tarball and signature, and replace $tarball with something malicious but completely unsigned. When Tor Browser Launcher downloads $sigfile and verifies it, the verification will succeed and it will extract $tarball and execute start-tor-browser.desktop, which will let the attack run their arbitrary code as the current user (they could even launch a legit Tor Browser if they want to be stealthy).

The solution is to specify the content as well as the signature file when verifying the signature, e.g.: /usr/bin/gpg --homedir $homedir --verify $sigfile $tarball

@micahflee micahflee added the bug label Mar 13, 2016
@micahflee micahflee added this to the 0.2.4 milestone Mar 13, 2016
@micahflee
Copy link
Owner Author

This issue has been assigned CVE-2016-3180.

@DigitalBrains1
Copy link

When this issue with GnuPG was discovered in November of 2014, Werner Koch fixed it in various ways. At least Debian backported those fixes to their stable release; I assume more distributions did. If torbrowser-launcher would have used --batch on invocation, GnuPG would have failed instead of creating a security issue. In my opinion, the use of gpg here warrants --batch.

Example sessions:

$ gpg --verify test.txt.sig ;echo $?
gpg: assuming signed data in `test.txt'
gpg: Signature made Sun 03 Apr 2016 13:08:38 CEST using RSA key ID DE6CDCA1
gpg: Good signature from "Peter Lebbing <peter@digitalbrains.com>"
0
$ gpg --verify test.txt.sig test.txt ;echo $?
gpg: Signature made Sun 03 Apr 2016 13:08:38 CEST using RSA key ID DE6CDCA1
gpg: Good signature from "Peter Lebbing <peter@digitalbrains.com>"
0
$ gpg --batch --verify test.txt.sig ;echo $?
gpg: no signed data
gpg: can't hash datafile: file open error
2
$ gpg --batch --verify test.txt.sig test.txt ;echo $?
gpg: Signature made Sun 03 Apr 2016 13:08:38 CEST using RSA key ID DE6CDCA1
gpg: Good signature from "Peter Lebbing <peter@digitalbrains.com>"
0

And here with a regular, non-detached signature:

$ gpg --verify test.txt.asc ;echo $?
gpg: Signature made Sun 03 Apr 2016 13:14:50 CEST using RSA key ID DE6CDCA1
gpg: Good signature from "Peter Lebbing <peter@digitalbrains.com>"
gpg: WARNING: not a detached signature; file 'test.txt' was NOT verified!
0
$ gpg --verify test.txt.asc test.txt ;echo $?
gpg: not a detached signature
2
$ gpg --batch --verify test.txt.asc ;echo $?
gpg: Signature made Sun 03 Apr 2016 13:14:50 CEST using RSA key ID DE6CDCA1
gpg: Good signature from "Peter Lebbing <peter@digitalbrains.com>"
gpg: WARNING: not a detached signature; file 'test.txt' was NOT verified!
0

Quite importantly: only the regular case would have failed, alerting the developers that their invocation was wrong. When it is actually given a non-detached signature, it will continue succesfully even in batch mode.

$ gpg --batch --verify test.txt.asc test.txt ;echo $?
gpg: not a detached signature
2

adrelanos pushed a commit to adrelanos/gpg-bash-lib that referenced this issue Apr 5, 2016
intrigeri pushed a commit to intrigeri/torbrowser-launcher that referenced this issue Jun 19, 2017
intrigeri pushed a commit to intrigeri/torbrowser-launcher that referenced this issue Jun 19, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants