[Bug 1150737] Re: live-build causes installation old /sbin/initctl and start-stop-daemon to be installed in Cloud Images

Adam Conrad adconrad at 0c3.net
Tue Jul 21 20:17:58 UTC 2015


** Description changed:

- I've encountered at least five different Amazon AMIs which all fail
- debsums right out of the box.  The offending binaries are upstart:
- /sbin/initctl and dpkg: /sbin/start-stop-daemon. Both are handy
- locations to drop a rootkit. Most prominently, the banner-choice for the
- GUI AWS console wizard in us-east-1 is ami-3fec7956, which seems to be
- created by Canonical (ami-3fec7956 099720109477/ubuntu/images/ebs
- /ubuntu-precise-12.04-amd64-server-20130124).
+ [ SRU Info ]
+ See bug #1363519
+ 
+ [ Original Report ]
+ I've encountered at least five different Amazon AMIs which all fail debsums right out of the box.  The offending binaries are upstart: /sbin/initctl and dpkg: /sbin/start-stop-daemon. Both are handy locations to drop a rootkit. Most prominently, the banner-choice for the GUI AWS console wizard in us-east-1 is ami-3fec7956, which seems to be created by Canonical (ami-3fec7956 099720109477/ubuntu/images/ebs/ubuntu-precise-12.04-amd64-server-20130124).
  
  us-east-1: ami-3fec7956, ami-de0d9eb7
  us-west-1: ami-b81230fd
  us-west-2: ami-da1810ae
  ap-northeast-1: ami-77cf4976
  
  I analyzed only initctl, as it was the first to trip my alarms.  In the
  following examples, the left side is the one from the upstart package
  version dpkg claims to have installed, the right is the one actually on
  the system.
  
  * A side-by-side hex/ascii of the diff : http://pastebin.com/raw.php?i=JGN1rMC5
  * The same, with some color: http://cl.ly/image/2x2l3S1j1f38
  * A side-by-side comparison of objdump --disassemble-all: http://pastebin.com/raw.php?i=5ppcJG2H
  * The same, with some color: http://cl.ly/image/2d0w1I3W083x
  
  The file size is the same, but clearly it is not the one from the
  package.  objdump interpreted this delta as having a mov instruction,
  then executing a conditional jump.  This "looks" scary, but I'm no
  expert.  This may be only a side-effect of trying to disassemble code.
  
  This is either malicious, or a totally benign mistake, but in either
  case, Canonical should not be distributing AMIs which cannot pass
  rudimentary integrity checks.
  
  To reproduce, simply start an AWS instance with one of these AMIs,
  install debsums, and run something like:
  
  for PKG in `dpkg --get-selections | awk '{print $1}'`; do echo ${PKG}:
  >> failsums; debsums $PKG | grep FAILED >> failsums; done

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to live-build in Ubuntu.
https://bugs.launchpad.net/bugs/1150737

Title:
  live-build causes installation old /sbin/initctl and start-stop-daemon
  to be installed in Cloud Images

Status in live-build package in Ubuntu:
  Fix Committed
Status in live-build source package in Trusty:
  New
Status in live-build package in Debian:
  Fix Released


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/live-build/+bug/1150737/+subscriptions
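An added example, not code from the bug report, from debsums or from live-build: a small bash re-implementation of the check that the reporter's debsums loop relies on, run against a constructed fake root so that it works offline. It reads a manifest in the layout dpkg keeps under /var/lib/dpkg/info/<pkg>.md5sums (an MD5 hex digest, two spaces, a path relative to /), hashes every listed file and reports OK, FAILED or MISSING per entry. The fixture rewrites one file with a same-length payload, because, as the report observes for initctl, an unchanged size tells you nothing, and deletes another. The function names (verify_manifest, count_failures, build_fixture), the fixture paths and all file contents are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not code from the bug report, debsums or live-build): a minimal
# re-implementation of the check debsums performs, run against a constructed
# fake root so it works offline.  Assumption: manifests use the layout of
# dpkg's /var/lib/dpkg/info/<pkg>.md5sums files, "<md5hex>  <relative path>".

# verify_manifest ROOT MANIFEST
# Prints "OK path", "FAILED path" (content differs) or "MISSING path"
# (file absent) for each manifest entry.  Returns 0 only if every entry matched.
verify_manifest() {
    local root="$1" manifest="$2" status=0 want path have
    while read -r want path; do
        [ -z "$want" ] && continue                 # tolerate blank lines
        if [ ! -f "$root/$path" ]; then
            printf 'MISSING %s\n' "$path"; status=1; continue
        fi
        have=$(md5sum -- "$root/$path" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            printf 'OK %s\n' "$path"
        else
            printf 'FAILED %s\n' "$path"; status=1
        fi
    done < "$manifest"
    return "$status"
}

# count_failures ROOT MANIFEST -> number of FAILED or MISSING entries
count_failures() {
    verify_manifest "$1" "$2" | grep -c -E '^(FAILED|MISSING) '
}

# build_fixture: constructed test data (hypothetical file names and contents);
# prints the fixture directory.  Three "installed" files get a pristine
# manifest; afterwards one file is rewritten with a same-length payload (as
# with the initctl in the report, size alone reveals nothing) and one is deleted.
build_fixture() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/sbin" "$root/usr/bin"
    printf 'fake initctl v1\n'         > "$root/sbin/initctl"
    printf 'fake start-stop-daemon\n'  > "$root/sbin/start-stop-daemon"
    printf 'untouched tool\n'          > "$root/usr/bin/tool"
    ( cd "$root" && md5sum sbin/initctl sbin/start-stop-daemon usr/bin/tool ) \
        > "$root/upstart.md5sums"
    printf 'fake initctl v2\n'         > "$root/sbin/initctl"   # same size, one byte changed
    rm -f "$root/sbin/start-stop-daemon"
    printf '%s\n' "$root"
}

# Demo run: expect FAILED for sbin/initctl, MISSING for sbin/start-stop-daemon,
# OK for usr/bin/tool, and a non-zero return from verify_manifest.
demo_root=$(build_fixture)
verify_manifest "$demo_root" "$demo_root/upstart.md5sums" \
    || echo "integrity check failed: $(count_failures "$demo_root" "$demo_root/upstart.md5sums") entries"
rm -rf "$demo_root"
```

On a real host the equivalent call is verify_manifest / /var/lib/dpkg/info/upstart.md5sums (packages marked Multi-Arch: same use the <pkg>:<arch>.md5sums spelling). The caveat applies to debsums just as much: the manifest lives on the same filesystem as the binaries, so anyone able to replace /sbin/initctl can also edit its md5sums line. A stronger check hashes the installed files against a freshly downloaded copy of the exact package version, for example one fetched with apt-get download and unpacked with dpkg-deb -x into a scratch directory, and compares that tree with the same loop.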


