due to stupidity forgot the attachment, here it is. On Thu, Sep 22, 2011 at 12:07:08PM +0300, Georgi Guninski wrote: > owning ubuntu apt-key net-update (maybe apt-get update related) > > in ubuntu 10.04 in /usr/bin/apt-key in > add_keys_with_verify_against_master_keyring() > > if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | grep > ^sig | cut -d: -f5 | grep -q $master_key; then > $GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export > $add_key | $GPG --import > ADDED=1 > > > to my knowledge --list-sigs doesn't do crypto verification, just looks for > well formedness. > > it is trivial to generate a gpg key with key ID == $master_key: > set gpg version to 3, set the lowest 64 bits of the RSA $n$ to the key ID, > generate random high bits until one can trial factor $n$ (numerology is on > your side), this is it. > > to reproduce: > attached is ubuntu-archive-keyring.gpg. > put it on http://A/ubuntu-archive-keyring.gpg > make a copy of apt-key and set: > ARCHIVE_KEYRING_URI=http://A/ubuntu-archive-keyring.gpg > ^ this emulates MITM. > do |./apt-key-new net-update| and check for new keys with |apt-key list| > > this might or might not be related with |apt-get update|. > > 10x. > > -- > joro > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/
Attachment:
ubuntu-archive-keyring.gpg
Description: Binary data
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/