Virtual Newsletter about Software Freedom

December 13, 2024

PSA: APT methods can lead to reverse shells
-------------------------------------------

APT methods are the code that lets APT make network connections. The problem is that there is little documentation. It's very hard to write an APT method, because the protocol is confusing.

I was playing around with APT methods, but I noticed something. When I connect through, for example, `apt-transport-tor`, how does it work? That, I can't figure out. I checked Debian, but there are no executables???

Instead, I went to some old docs from 2016 about creating an APT method for S3. One of them talked about APT methods. The part about debugging APT methods such as HTTP caught my eye. So, I decided to do a test.

I created a method called `duck` on my APT. Next, I added a script to the method (https://mrchicken.nexussfan.cz/cdn/rce_apt.sh). Once that was done, I modified one of my APT sources to use the `duck` protocol. Finally, I ran `sudo apt update`.

Everything worked; I could even install packages. I was able to capture the request logs, and I saw that the process gets to WRITE, unsandboxed, to `/tmp`??? That doesn't seem right.

Well, I guess it isn't that big of an issue. It's probably running as the under-privileged `_apt` user, and anyone can write to `/tmp` as well. If that's true, then how does it access `/var/cache/apt/archives` (where the packages are stored before being installed)? I'm checking, and that directory is owned by `root:root`, `-rw-r--r--`. There must be some special file helper, because there's no way that Debian developers didn't care to sandbox it.

Wait a minute, didn't I put the `whoami` and `id` information in the protocol script?

```
nexussfan@debian:~$ cat /tmp/whoami
root
nexussfan@debian:~$ cat /tmp/id
uid=0(root) gid=0(root) groups=0(root)
```

Have a very merry (and hopefully secure!) APT Christmas.
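Since APT runs the method executable named after the URI scheme of each configured source, a quick way to find a source that would invoke a non-stock method (like the `duck` one above) is to audit the schemes in the sources files. The following is an added example, not code from the post or from APT; the sources files, the methods directory and the allow-list of stock transports are constructed assumptions for the demo.

```shell
#!/bin/sh
# Constructed sample input (not from the post): a one-line sources.list,
# a deb822 .sources file, and a fake apt methods directory.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sources.list" <<'EOF'
deb http://deb.debian.org/debian bookworm main
deb-src [arch=amd64] https://deb.debian.org/debian bookworm main
# deb duck://mirror.example.invalid/debian bookworm main   (disabled, ignored)
deb duck://mirror.example.invalid/debian bookworm main
EOF
cat > "$SAMPLE_DIR/extra.sources" <<'EOF'
Types: deb
URIs: tor+http://mirror.example.invalid/debian
Suites: bookworm
Components: main
EOF
mkdir -p "$SAMPLE_DIR/methods"
for m in http https file copy; do : > "$SAMPLE_DIR/methods/$m"; chmod +x "$SAMPLE_DIR/methods/$m"; done

# audit_apt_sources SOURCES_DIR METHODS_DIR
# Prints "<scheme> ok" or "<scheme> REVIEW" for every URI scheme used by an
# enabled source. A scheme needs review when it is not a stock apt transport
# (assumed allow-list below) or when no executable for it exists in
# METHODS_DIR; apt runs the executable named after the scheme, and the post's
# test showed such a method running as root.
audit_apt_sources() {
    allow=" http https file copy cdrom ftp "
    for f in "$1"/sources.list "$1"/*.sources; do
        [ -f "$f" ] || continue
        awk '
            /^[ \t]*#/ { next }                     # commented-out sources are not enabled
            /^[ \t]*(deb|deb-src)[ \t]/ || /^[ \t]*URIs:/ {
                for (i = 2; i <= NF; i++)           # skip "deb"/"URIs:", keep tokens that look like scheme:...
                    if ($i ~ /^[A-Za-z][A-Za-z0-9+.-]*:/) {
                        sub(/:.*/, "", $i); print tolower($i)
                    }
            }' "$f"
    done | sort -u | while read -r scheme; do
        case "$allow" in
            *" $scheme "*) status=ok ;;
            *)             status=REVIEW ;;
        esac
        [ -x "$2/$scheme" ] || status=REVIEW       # scheme with no method binary is also suspicious
        printf '%s %s\n' "$scheme" "$status"
    done
}

audit_apt_sources "$SAMPLE_DIR" "$SAMPLE_DIR/methods"
```

On a real system the directories would be `/etc/apt` and `/usr/lib/apt/methods`; the script only reads files and changes nothing.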
- NexusSfan

---

Find all logs at

---

Copyright (c) 2024 NexusSfan

Except where otherwise noted, this work is licensed under the Creative Commons Attribution-NoDerivatives 4.0 International License. A copy of the license is included at https://creativecommons.org/licenses/by-nd/4.0

---