A few words of warning on PPAs (and other cool packages you found on the net)

Posted: September 23, 2011 in Random pontifications

As always there has been debate about the overall security model of Ubuntu, and truthfully, it’s just fine. However, where the problem does come in is where people blindly assume that Ubuntu is beyond reproach in terms of security. That is a disaster waiting to happen.

Risks of installing packages

Normally, when you’re installing from a trusted repository you are trusting the administration of that repository to do the quality assurance. This makes sense: there are many mechanisms in place for ensuring package continuity. That said, when downloading packages from elsewhere you have to be more careful, because when you install a package you are giving it a lot of room to groove, so to speak. We will get into that more in a moment, but first let us look at what the average user might do when downloading a package that might not necessarily be trusted. For this example I am using a copy of XPenguins with some slight modifications. So you have your .deb package downloaded, and you want to make sure it’s good to go before you fire up dpkg and install it.


Logically, some users might check the file for “viruses” or other malware using a popular Linux solution, ClamAV. As we can see, ClamAV with the latest definitions finds nothing wrong with our XPenguins. This is a vote of confidence; let’s take a look at what a few other AV engines think about it, 42 of them to be precise. You can view the Virus Total report here.

So we are fairly confident about this file being safe for consumption at this point. However, we are still a little bit paranoid.


Since we are mildly concerned about the possibility of viable Linux malware and other security issues, we have our UFW configuration set to be a little more paranoid than most users. We are blocking all outbound ports except those we KNOW we need.

At this point we are fairly confident to install XPenguins and have cute little Linux mascots killing themselves all over our desktop.

Installing the package

So we install our package using the typically accepted method for installing .deb packages:

sudo dpkg -i xpenguins_2.6-4_i386.deb

…And we have penguins doing all sorts of cool stuff all over our desktop…

Wait…what happened?

So we just installed our package, and we have the software we want, but let’s take a closer look at what just happened.

An explanation of how this happened and how to prevent it.

So we’ve gathered that somehow we obtained a remote shell when this machine installed our package. But how? Quite simply, we created a malicious executable and repackaged the file. This executable could have been anything; in this case it was meterpreter, but there is absolutely no reason it could not have been some new “Linux malware” that supposedly doesn’t exist.

How did it have root privileges?

Quite simple: the repackaged .deb contained a post-install script that executed our malicious executable, and since dpkg was run with sudo to install the application, that script ran with root privileges. That allowed us to do all of the above, including adding a user to the administrative group (sudoers), installing SSH, and updating the firewall rules to allow incoming SSH traffic. Granted, in a “real world” example an attacker might opt for something more discreet, like netcat. However, I used SSH to emphasize that the “attacker” could do whatever they wanted; uploading netcat and creating a persistent listener would have been only a matter of creating a shell script and an upstart job.

Why didn’t Anti Virus Detect it?

Simply because it was packaged. Additionally, an executable that creates a reverse connection is not inherently malicious. Plus, the fact that it was packaged inside a .deb obscured its intentions from typical heuristics-based analysis. The MD5 sum obviously wasn’t flagged as malicious, as we’d just created the file.

Why did UFW not stop it?

The listener was bound to port 80. It’s a safe assumption that most users with internet connectivity will use port 80, and thus that outbound traffic to it will be allowed. UFW, even with restrictive rules, did nothing here.

How can we prevent this if it is undetectable?

Well, the good part is that it’s not undetectable; it just goes beyond the detection most “normal” users will do. If we extract the contents of the .deb using dpkg -x, we will see exactly where our malicious executable is: /usr/bin/xpenguin_ownage. If we run THIS file through AV it will detect it as meterpreter immediately.
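The inspection step above (look inside the .deb before dpkg runs anything from it) and the maintainer-script problem from the “How did it have root privileges?” section can be automated. The following is an added example, not code from the original post: a small Python script that parses a .deb directly (a .deb is an ar archive holding debian-binary, control.tar.* and data.tar.*), lists every maintainer script with its contents, and flags executables in the payload that you did not expect. The package it inspects is constructed inline with placeholder ELF bytes and a harmless stand-in postinst; the paths usr/bin/xpenguins and usr/bin/xpenguin_ownage are taken from the post, everything else is assumed.

```python
"""Inspect a .deb without installing it: show maintainer scripts and payload files."""
import io
import tarfile

MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}


def ar_pack(members):
    """Build an ar(1) archive from [(name, bytes)]; dpkg uses the common ar format."""
    out = bytearray(b"!<arch>\n")
    for name, data in members:
        # 60-byte header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2)
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{0o100644:<8o}{len(data):<10}`\n".encode()
        out += hdr + data
        if len(data) % 2:
            out += b"\n"  # members are padded to an even length
    return bytes(out)


def ar_unpack(blob):
    """Yield (name, bytes) for each member of an ar archive."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive (so not a .deb)")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name = hdr[:16].decode().strip().rstrip("/")
        size = int(hdr[48:58].decode().strip())
        start = pos + 60
        yield name, blob[start:start + size]
        pos = start + size + (size % 2)


def tar_gz(files):
    """Build an in-memory .tar.gz from {path: (mode, bytes)}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, (mode, data) in files.items():
            info = tarfile.TarInfo(path)
            info.size, info.mode = len(data), mode
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_deb():
    """Constructed sample package: a postinst that launches a second bundled binary."""
    control = b"Package: xpenguins\nVersion: 2.6-4\nArchitecture: i386\nDescription: sample\n"
    postinst = b"#!/bin/sh\n# constructed stand-in maintainer script\n/usr/bin/xpenguin_ownage &\nexit 0\n"
    control_tar = tar_gz({"./control": (0o644, control), "./postinst": (0o755, postinst)})
    data_tar = tar_gz({
        "./usr/bin/xpenguins": (0o755, b"\x7fELF-placeholder"),
        "./usr/bin/xpenguin_ownage": (0o755, b"\x7fELF-placeholder"),
        "./usr/share/doc/xpenguins/copyright": (0o644, b"placeholder\n"),
    })
    return ar_pack([("debian-binary", b"2.0\n"),
                    ("control.tar.gz", control_tar), ("data.tar.gz", data_tar)])


def _strip_dot(path):
    return path[2:] if path.startswith("./") else path


def inspect_deb(blob):
    """Return {'maintainer_scripts': {name: text}, 'files': [...], 'executables': [...]}."""
    members = dict(ar_unpack(blob))
    report = {"maintainer_scripts": {}, "files": [], "executables": []}
    control_name = next(n for n in members if n.startswith("control.tar"))
    data_name = next(n for n in members if n.startswith("data.tar"))
    with tarfile.open(fileobj=io.BytesIO(members[control_name]), mode="r:*") as tf:
        for info in tf:
            name = _strip_dot(info.name)
            if info.isfile() and name in MAINTAINER_SCRIPTS:
                # these run as root during dpkg -i; read them before installing
                report["maintainer_scripts"][name] = tf.extractfile(info).read().decode()
    with tarfile.open(fileobj=io.BytesIO(members[data_name]), mode="r:*") as tf:
        for info in tf:
            name = _strip_dot(info.name)
            if not info.isfile():
                continue
            report["files"].append(name)
            if info.mode & 0o111:
                report["executables"].append(name)
    return report


def unexpected_executables(report, expected):
    """Executables in the payload that are not on the list you expected to be installed."""
    return sorted(set(report["executables"]) - set(expected))


if __name__ == "__main__":
    rep = inspect_deb(build_sample_deb())
    for name, text in rep["maintainer_scripts"].items():
        print(f"--- maintainer script {name} (runs as root) ---\n{text}")
    print("unexpected executables:", unexpected_executables(rep, {"usr/bin/xpenguins"}))
```

On a Debian or Ubuntu system the same two checks are dpkg-deb -I pkg.deb (prints the control file and the maintainer scripts) and dpkg-deb -c pkg.deb (lists the payload); the script here only avoids depending on dpkg so it runs anywhere. Any maintainer script that starts a binary from the payload, or any executable you did not expect, is what to read before you type sudo dpkg -i.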

What about Apparmor?

Yes, you could in theory create an AppArmor profile for dpkg, although I would think it would be very difficult due to the number of things dpkg needs to access in order to successfully install software.


Just a little food for thought next time the “how safe are PPAs” debate comes up. Anyone can put whatever they want in a PPA; just remember that. Also, if you want the totally awesome application xpenguins, it is available in a non-malicious version from the repos using:

sudo apt-get install xpenguins

If you would like to analyze the xpenguins package I created for this, it is available for download here (it is backdoored, you have been warned).

Have a great weekend everyone!
