Experiment to get control over packages in the AUR repository

The results of an experiment on seizing control of packages in the AUR (Arch User Repository) have been published. The AUR is used by third-party developers to distribute their packages without including them in the main repositories of the Arch Linux distribution. The researchers prepared a script that checks whether the domains appearing in the download URLs of PKGBUILD and .SRCINFO files have expired registrations. Running this script identified 14 expired domains, used by 20 packages for downloading files.

Simply registering a domain is not enough to substitute a package, since the downloaded content is checked against the checksum already recorded in the AUR. However, it turns out that the maintainers of about 35% of the packages in the AUR use the "SKIP" value in the PKGBUILD file to skip checksum verification (for example, by specifying sha256sums=('SKIP')). Of the 20 packages with expired domains, 4 used the SKIP value.

To demonstrate that the attack is feasible, the researchers bought the expired domain of one of the packages that does not verify checksums and placed on it an archive with the code and a modified installation script. Instead of any actual payload, the script only printed a warning that third-party code had been executed. An attempt to install the package downloaded the substituted files and, since the checksum was not verified, the code added by the experimenters was installed and run successfully.
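As an added illustration of the defender-side check described above (this is not the researchers' script), the following Python audit parses a .SRCINFO file, extracts the host of every remote source and reports those whose checksum is set to SKIP; the .SRCINFO text and the example.invalid hosts are constructed for the example.

```python
"""Audit a .SRCINFO file for remote sources whose checksum is SKIP, i.e. the
combination of download host plus skipped verification that domain expiry turns
into a takeover risk. The sample below is constructed; hosts are placeholders."""
import re
from urllib.parse import urlparse

SAMPLE_SRCINFO = """\
pkgbase = demo-bin
\tpkgdesc = constructed example package
\tpkgver = 1.0
\tsource = https://downloads.example.invalid/demo-1.0.tar.gz
\tsource = demo.desktop
\tsource = demo::git+https://git.example.invalid/demo.git#tag=v1.0
\tsha256sums = SKIP
\tsha256sums = 1111111111111111111111111111111111111111111111111111111111111111
\tsha256sums = SKIP
pkgname = demo-bin
"""

CHECKSUM_KEYS = ("md5sums", "sha1sums", "sha256sums", "sha512sums", "b2sums", "cksums")

def parse_srcinfo(text):
    """Return {key: [values]}; repeated keys (source, sha256sums) keep their order."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        fields.setdefault(key, []).append(value)
    return fields

def source_host(entry):
    """Host of a source entry, or None for a local file. Handles 'name::url' and 'git+https://'."""
    url = entry.split("::", 1)[1] if "::" in entry else entry
    url = re.sub(r"^(git|hg|svn|bzr|fossil)\+", "", url)
    parsed = urlparse(url)
    return parsed.hostname if parsed.scheme and parsed.hostname else None

def find_unverified_remote_sources(text):
    """List (host, source) pairs where a remote download's checksum is SKIP.
    Arch-specific arrays (source_x86_64 / sha256sums_x86_64) are paired by suffix.
    VCS sources always carry SKIP, so they are reported too: the host still decides
    what is fetched unless the fragment pins a specific commit."""
    fields = parse_srcinfo(text)
    findings = []
    for suffix in {k[len("source"):] for k in fields if k.startswith("source")}:
        sources = fields.get("source" + suffix, [])
        sums = next((fields[k + suffix] for k in CHECKSUM_KEYS if k + suffix in fields), [])
        for i, src in enumerate(sources):
            host = source_host(src)
            checksum = sums[i] if i < len(sums) else "MISSING"
            if host and checksum == "SKIP":
                findings.append((host, src))
    return findings

if __name__ == "__main__":
    for host, src in find_unverified_remote_sources(SAMPLE_SRCINFO):
        print(f"unverified remote source on {host}: {src}")
```

The hosts this reports are the ones worth feeding into a domain-registration (whois) lookup; a host that is both expired and unverified is exactly the case the experiment exploited.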

Packages whose source download domains had expired:

  • firefox-vacuum
  • gvim-checkpath
  • wine-pixi2
  • xcursor-theme-wii
  • lightzone-free
  • scalafmt-native
  • coolq-pro-bin
  • gmedit-bin
  • mesen-s-bin
  • polly-b-gone
  • erwiz
  • all
  • kygekteampmmp4
  • servicewall-git
  • amuletml-bin
  • etherdump
  • nap-bin
  • iscfpc
  • iscfpc-aarch64
  • iscfpcx

Source: opennet.ru
