Dispelling a Breach Rumor

by GI Jack

I spent the weekend at HushCon, a semi-secret hacker convention.

In casual conversation, someone brought up that a hacker was spreading a rumor that "Ninja OS is compromised, the sudo command is sending commands back to a command and control server."

I was taken aback. I certainly did not put this in. The sudo in Ninja OS is the exact same binary inherited from upstream Arch Linux, as packaged by them.

But before I started pointing fingers, I needed to verify that Ninja OS was in fact not compromised.

The first thing I did was query the package database of the chroot I use for Ninja OS for the version of sudo:

$ sudo pacman -r /path/to/chroot -Q sudo
sudo 1.8.19.p2-1

Next, we take a stat and a hash sum of the sudo binary as shipped:

$ stat /path/to/sudo
 File: /path/to/sudo
  Size: 130360    	Blocks: 272        IO Block: 4096   regular file
Device: 2bh/43d	Inode: 52987767    Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2017-01-25 20:46:15.000000000 -0500
Modify: 2017-01-18 08:28:10.000000000 -0500
Change: 2017-01-25 20:46:16.118594165 -0500

$ sha256sum /path/to/sudo
fb555b41a2e0b4bc7506ae384dd1a829ecde71c0766068c9103ae77f65139e75 sudo

Now, let's track down the exact upstream version. We can use the Arch Linux Archive: wiki.archlinux.org/index.php/Arch_Linux_Archive

Sure enough, we can find sudo here: archive.archlinux.org/packages/s/sudo/sudo-1.8.19.p2-1-x86_64.pkg.tar.xz

and the signature file: archive.archlinux.org/packages/s/sudo/sudo-1.8.19.p2-1-x86_64.pkg.tar.xz.sig

Let's check the detached signature of the package against the package file:

$ gpg --verify sudo-1.8.19.p2-1-x86_64.pkg.tar.xz.sig sudo-1.8.19.p2-1-x86_64.pkg.tar.xz
gpg: Signature made Wed 18 Jan 2017 08:30:46 AM EST
gpg: using RSA key 86CFFCA918CF3AF47147588051E8B148A9999C34
gpg: Good signature from "Evangelos Foutras <evangelos@foutrelis.com>" [unknown]
gpg: aka "Evangelos Foutras <foutrelis@gmail.com>" [unknown]
gpg: aka "Evangelos Foutras <foutrelis@archlinux.org>" [unknown]

"Good signature" means the package is intact under that key; the "[unknown]" only means our local keyring has not assigned trust to the key yet, so the fingerprint shown is what to compare against Arch's published developer keys. We can now extract the sudo binary from the package and check that it matches the one shipped in Ninja OS:

$ stat /path/to/ninjaos/sudo
  File: /path/to/ninjaos/sudo
  Size: 130360    	Blocks: 272        IO Block: 4096   regular file
Device: 2bh/43d	Inode: 57683128    Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (  1000/    jack)   Gid: ( 1000/    jack)
Access: 2017-06-05 10:20:47.712477000 -0400
Modify: 2017-01-18 08:28:10.000000000 -0500
Change: 2017-06-05 10:20:47.715810751 -0400
 Birth: -

$ sha256sum /path/to/ninjaos/sudo
fb555b41a2e0b4bc7506ae384dd1a829ecde71c0766068c9103ae77f65139e75 sudo

You can re-verify this experiment yourself by checking /usr/bin/sudo from Ninja OS against the upstream package as described.
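The article checks one file by hand; the same procedure generalizes to every file a package installs, because an Arch package carries its own manifest (.MTREE, gzip-compressed, one entry per file with a sha256digest key). The script below is an added example, not the author's or the Ninja OS project's code: it verifies the detached signature the way the article does, pulls the manifest out of the package, and compares each listed file against the copy installed under a root directory (the chroot). The .MTREE layout assumed here, and the sample manifest used in testing, are assumptions and constructed data, not taken from the article; the signature and extraction step requires gpg with the signer's key imported plus bsdtar and gzip.

```shell
#!/bin/sh
# Added example: compare every file an Arch package ships against the copies
# installed under a root directory, using the package's own .MTREE manifest.
# Usage: verify_pkg_against_root /path/to/chroot sudo-1.8.19.p2-1-x86_64.pkg.tar.xz
# Assumes the .MTREE format used by makepkg (assumption): lines starting with
# "./" are entries, file entries carry "sha256digest=<hex>".

# check_mtree ROOT MTREE
# Prints OK / MISMATCH / MISSING per file entry in an uncompressed mtree
# manifest; returns 0 only if every listed file under ROOT matches its digest.
check_mtree() {
    root="$1"
    mtree="$2"
    bad=0
    while read -r path rest; do
        case "$path" in
            ./.*) continue ;;   # .PKGINFO, .BUILDINFO, .INSTALL are not installed
            ./*) ;;             # a real entry
            *) continue ;;      # "#mtree" header and "/set" default lines
        esac
        # Directories and symlinks carry no digest; skip them.
        digest=""
        for kv in $rest; do
            case "$kv" in sha256digest=*) digest="${kv#sha256digest=}" ;; esac
        done
        [ -n "$digest" ] || continue
        file="$root/${path#./}"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            bad=1
            continue
        fi
        actual=$(sha256sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$digest" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"
            bad=1
        fi
    done < "$mtree"
    return "$bad"
}

# verify_pkg_against_root ROOT PKG
# Step 1 is the article's gpg check; the trust shown for the key ([unknown]
# in the article) is still for the operator to judge by fingerprint.
verify_pkg_against_root() {
    root="$1"
    pkg="$2"
    gpg --verify "$pkg.sig" "$pkg" || return 2
    tmp=$(mktemp)
    if ! bsdtar -xOf "$pkg" .MTREE | gzip -dc > "$tmp"; then
        rm -f "$tmp"
        return 2
    fi
    if check_mtree "$root" "$tmp"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return "$rc"
}

# Only act when called directly with both arguments.
if [ $# -eq 2 ]; then
    verify_pkg_against_root "$1" "$2"
fi
```

A non-zero exit from check_mtree pinpoints which files differ from the package, which is the question the rumor actually raised; a modified sudo would show up as MISMATCH on ./usr/bin/sudo, with no need to know the expected hash in advance.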

This is mathematical proof that the sudo binary in Ninja OS is identical to the upstream version from Arch.

I hope the rumor of its breach can be quelled.
