Slashdot Mirror

← Back to Stories (view on slashdot.org)

GNU Savannah Site Compromised

Posted by CmdrTaco on from the it's-gnu/secure dept.

Trailrunner7 writes "A site belonging to the Savannah GNU free software archive was attacked recently, leading to a compromise of encrypted passwords and enabling the attackers to access restricted project material. The compromise was the result of a SQL injection attack against the savannah.gnu.org site within the last couple of days and the site is still offline now. A notice on the site says that the group has finished the process of restoring all of the data from a clean backup and bringing up access to some resources, but is still in the middle of adjusting its security settings."

10 of 99 comments (clear)

  1. Encrypted passwords? by gcnaddict · · Score: 3, Insightful

    They didn't hash the passwords with something decent like SHA2? Really?

    I mean if they encrypted them weakly or used SHA1 or MD5, that's about as bad as going plaintext. I'd expect far better from them.

    --
    Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
    1. Re:Encrypted passwords? by recoiledsnake · · Score: 4, Insightful

      Add to that that gcc is hosted. Compromise gcc's source and you get access to everything you ever want. Obligatory Ken Thompson compiler trojan article link http://cm.bell-labs.com/who/ken/trust.html#fig6

      The actual bug I planted in the compiler would match code in the UNIX "login" command. The replacement code would miscompile the login command so that it would accept either the intended encrypted password or a particular known password. Thus if this code were installed in binary and the binary were used to compile the login command, I could log into that system as any user.

      Such blatant code would not go undetected for long. Even the most casual perusal of the source of the C compiler would raise suspicions.

      FIGURE 7

      The final step is represented in Figure 7. This simply adds a second Trojan horse to the one that already exists. The second pattern is aimed at the C compiler. The replacement code is a Stage I self-reproducing program that inserts both Trojan horses into the compiler. This requires a learning phase as in the Stage II example. First we compile the modified source with the normal C compiler to produce a bugged binary. We install this binary as the official C. We can now remove the bugs from the source of the compiler and the new binary will reinsert the bugs whenever it is compiled. Of course, the login command will remain bugged with no trace in source anywhere.
      Moral

      The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect.

      --
      This space for rent.
    2. Re:Encrypted passwords? by gcnaddict · · Score: 3, Insightful

      [ ] Implement crypt-md5 support (like /etc/shadow, strong and LDAP-compatible) hashes, or possibly crypt-sha2

      Holy shit, they're actually seriously considering MD5. This is embarrassing.

      Guys, there's a reason for why I'm saying that MD5 is a Very Bad Idea.

      --
      Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
    3. Re:Encrypted passwords? by Tacvek · · Score: 4, Informative

      Add to that that gcc is hosted.

      GCC's code respositories are hosted on gcc.gnu.org, a machine also known as sourceware.org, which is owned and operated by Redhat and provides hosting for basically the entire GNU toolchain (automake, autoconf, binutils, GCC, gdb, glibc, and libstdc++)[1].

      This attack therefore would not be able to modify the GCC sources.

      [1] Notably not present are GNU's bison, libtool, m4 and make.

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
    4. Re:Encrypted passwords? by Anonymous Coward · · Score: 3, Informative

      Various Unixes, including Linux distributions like RHEL / CentOS include a modern algorithm inspired by PHK that uses the later SHA family algorithms, and has variable rounds.

      But keep in mind that despite all the tutting from know-nothings on Slashdot who react to keywords like 'MD5' even the original DES-based Crypt remains remarkably secure. While a Windows password or MD5 rainbow table is something you can get from any Torrent site, crypt tables still don't exist. While Windows brute forcers can chew through eight alphanumerics while you wait for your pizza to cook, crypt will take weeks.

      Basically, other systems spent the early 21st century catching up to where Unix was in the 1970s.

      And none of this helps you when a user picks something dumb like 'linux' or 'opensesame' as a password.

  2. Obilgatory by hairyfeet · · Score: 4, Funny

    You'd think a site like GNU would have better coders that wouldn't fall for a Bobby Drop Tables gag. I thought the GNU was full of wise old neckbeards?

    --
    ACs don't waste your time replying, your posts are never seen by me.
  3. Re:But Linux is TEH SAFEZORZ! by LWATCDR · · Score: 3, Informative

    It was a GNU project it was running on HURD not Linux.

    Umm.. this wasn't a LINUX issue it was an SQL injection attack on a website. Are just trying to troll or do you really not know the difference?

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  4. Re:So? by vlm · · Score: 4, Insightful

    "enabling the attackers to access restricted project material."

    So? I though it was all about free & open source. Therefore, what restricted material?

    Personal contact info for copyright assignees beyond the legally required minimum?

    Private GPG keys?

    Just making some good guesses.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  5. Re:Sequel by butalearner · · Score: 3, Funny

    a SQL injection

    Well, we know how the author pronounces SQL now; I have always preferred "an SQL injection"---that is, "S.Q.L."

    What, you don't mentally pronounce all acronyms? Well, now, aren't you just a SOB.

  6. Not the first time. by molo · · Score: 5, Interesting

    GNU Savannah was hacked in 2003 also. http://news.cnet.com/2100-7344-5117271.html

    "We expect to take measures in the aftermath of the Savannah incident," said Eben Moglen, general counsel for the Free Software Foundation, which maintains the GNU Project, a source of freely available software for Unix and Linux systems. Among the measures, the project leaders will force developers to digitally sign any code they submit, and they plan to introduce additional features to freely available source-code maintenance systems--the best known being the Concurrent Versions System, or CVS--to check developers' digital signatures before accepting changes.

    "We believe (adding digital signatures) is the single most useful technical change to tighten these systems to assure the integrity of the code they contain," Moglen said.

    Does anyone know if the changes described here came to be? Did they help at all in this attack?

    -molo

    --
    Using your sig line to advertise for friends is lame.