Dispelling a Breach Rumor
by GI Jack
I spent the weekend at HushCon, a semi-secret hacker convention.
In casual conversation, someone had brought up that a hacker was spreading a rumor that "Ninja OS is compromised, the sudo command is sending commands back to a command and control server."
I was taken aback. I certainly did not put this in. Sudo in Ninja OS is the exact same binary inherited from upstream Arch Linux, as packaged by them.
But before I started pointing fingers, I needed to verify that Ninja OS was in fact not compromised.
The first thing I did was query the DB of the chroot I use for Ninja OS for the version of sudo:
    $ sudo pacman -r ${path-to-chroot} -Q sudo
    sudo 1.8.19.p2-1

Next, we get a hash sum and stat for the sudo command as shipped:

    $ stat /path/to/sudo
      File: /path/to/sudo
      Size: 130360      Blocks: 272        IO Block: 4096   regular file
    Device: 2bh/43d     Inode: 52987767    Links: 1
    Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
    Access: 2017-01-25 20:46:15.000000000 -0500
    Modify: 2017-01-18 08:28:10.000000000 -0500
    Change: 2017-01-25 20:46:16.118594165 -0500
    $ sha256sum /path/to/sudo
    fb555b41a2e0b4bc7506ae384dd1a829ecde71c0766068c9103ae77f65139e75  sudo

Now, let's track down the exact version. We can use the Arch Linux Archive: wiki.archlinux.org/index.php/Arch_Linux_Archive
Sure enough, we can find sudo here: archive.archlinux.org/packages/s/sudo/sudo-1.8.19.p2-1-x86_64.pkg.tar.xz
and the signature file: archive.archlinux.org/packages/s/sudo/sudo-1.8.19.p2-1-x86_64.pkg.tar.xz.sig
Let's check the signature of the package:
    $ gpg --verify sudo-1.8.19.p2-1-x86_64.pkg.tar.xz.sig sudo-1.8.19.p2-1-x86_64.pkg.tar.xz
    gpg: Signature made Wed 18 Jan 2017 08:30:46 AM EST
    gpg:                using RSA key 86CFFCA918CF3AF47147588051E8B148A9999C34
    gpg: Good signature from "Evangelos Foutras <evangelos@foutrelis.com>" [unknown]
    gpg:                 aka "Evangelos Foutras <foutrelis@gmail.com>" [unknown]
    gpg:                 aka "Evangelos Foutras <foutrelis@archlinux.org>" [unknown]

We can now extract the sudo binary from the package and recheck that it matches the one shipped in Ninja OS:

    $ stat /path/to/ninjaos/sudo
      File: /path/to/ninjaos/sudo
      Size: 130360      Blocks: 272        IO Block: 4096   regular file
    Device: 2bh/43d     Inode: 57683128    Links: 1
    Access: (4755/-rwsr-xr-x)  Uid: ( 1000/    jack)   Gid: ( 1000/    jack)
    Access: 2017-06-05 10:20:47.712477000 -0400
    Modify: 2017-01-18 08:28:10.000000000 -0500
    Change: 2017-06-05 10:20:47.715810751 -0400
     Birth: -
    $ sha256sum /path/to/ninjaos/sudo
    fb555b41a2e0b4bc7506ae384dd1a829ecde71c0766068c9103ae77f65139e75  sudo

You can reverify this experiment by checking /usr/bin/sudo from Ninja OS against the upstream version as described.
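The steps above, scripted as an added example (not code from the original post or from Ninja OS): look up the installed version in the chroot's pacman database, fetch the package and its detached signature from the Arch Linux Archive, verify the signature, and compare the SHA-256 of the shipped binary with the copy inside the package. It assumes pacman, curl, gpg, tar and sha256sum are installed; the package name, chroot path and archive URL layout are the ones the post uses.

```shell
#!/bin/sh
# Added example: scripts the manual check from the post. Assumes pacman, curl,
# gpg, tar and sha256sum are on PATH; archive URL layout as used in the post.
set -eu

# Hex SHA-256 of a file on disk (the same value `sha256sum` prints).
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# SHA-256 of one member of a package tarball, streamed to stdout so nothing
# is written to disk. tar auto-detects .xz (or .zst) compression on read.
pkg_member_sha256() {
    tar -xOf "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Read the installed version from the chroot's pacman DB and fetch the matching
# package plus .sig from the Arch Linux Archive. Prints the package file name.
# Packages from early 2017 end in .pkg.tar.xz; newer ones use .pkg.tar.zst.
fetch_archive_pkg() {
    chroot="$1"; pkgname="$2"; arch="${3:-x86_64}"
    ver=$(pacman -r "$chroot" -Q "$pkgname" | awk '{print $2}')
    file="${pkgname}-${ver}-${arch}.pkg.tar.xz"
    base="https://archive.archlinux.org/packages/$(printf %.1s "$pkgname")/${pkgname}"
    curl -fsSLO "${base}/${file}"
    curl -fsSLO "${base}/${file}.sig"
    echo "$file"
}

# "Good signature" only means the data matches the signing key; the key itself
# must also be one you trust (e.g. listed by `pacman-key --list-keys`).
verify_pkg_sig() {
    gpg --verify "$1.sig" "$1" 2>&1 | grep -q 'Good signature'
}

# Compare the shipped binary's content with the archive member's. Owner and
# mode are deliberately ignored: they depend on how the file was extracted.
# Returns 0 on a byte-for-byte match, 1 otherwise.
compare_shipped() {
    shipped="$1"; pkg="$2"; member="$3"
    a=$(file_sha256 "$shipped")
    b=$(pkg_member_sha256 "$pkg" "$member")
    if [ "$a" = "$b" ]; then
        echo "MATCH    $a"
    else
        echo "MISMATCH shipped=$a upstream=$b"
        return 1
    fi
}
# Usage: pkg=$(fetch_archive_pkg /path/to/chroot sudo) && verify_pkg_sig "$pkg" \
#        && compare_shipped /path/to/ninjaos/sudo "$pkg" usr/bin/sudo
```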
The matching SHA-256 hashes, together with the verified package signature, are cryptographic proof that the sudo binary in Ninja OS is identical to the upstream version from Arch.
I hope the rumor of its breach can be quelled.