Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Strange gpg key shadowing

From: Georgi Guninski <guninski () guninski com>
Date: Thu, 14 Jun 2012 12:18:26 +0300
While wasting my time with apt-key noticed strange behaviour with
colliding subkeys.

Out of paranoia ubuntu disallows importing certain trusted keyids.
This is trivial to circumvent by making a collision with subkey.

Attached is a key with subkey keyid colliding with 
Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>.

By emulating apt-key netupdate, noticed that the order of the keyrings
is important. If the master keyring is first, the colliding key with
correct signature fails validation (probably because the other key is used).
If the colliding keyring is first, everything is ok (modulo reporting wrong
signer).

Probably this may lead to gpg abuse.

colliding first:

$gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --keyring /tmp/sec1 
--keyring /usr/share/keyrings/ubuntu-master-keyring.gpg  --check-sigs
/tmp/sec1
---------
pub   1024R/76A4410F 2012-06-13
uid                  fuck31 (f) <f@f>
sig!3        76A4410F 2012-06-13  fuck31 (f) <f@f>
sig!         3F272F5B 2012-06-13  fuck31 (f) <f@f>
sig!         3F272F5B 2012-06-13  fuck31 (f) <f@f>
sub   1024R/2376C859 2012-06-13
sig!         76A4410F 2012-06-13  fuck31 (f) <f@f>
sub   2180R/3F272F5B 2012-06-13
sig!         76A4410F 2012-06-13  fuck31 (f) <f@f>

/usr/share/keyrings/ubuntu-master-keyring.gpg
---------------------------------------------
pub   4096R/3F272F5B 2007-11-09
uid                  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>
sig!3        3F272F5B 2007-11-09  fuck31 (f) <f@f> #wrong

1 signature not checked due to a missing key


master first:

$gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --keyring 
/usr/share/keyrings/ubuntu-master-keyring.gpg  --keyring /tmp/sec1  --check-sigs
/usr/share/keyrings/ubuntu-master-keyring.gpg
---------------------------------------------
pub   4096R/3F272F5B 2007-11-09
uid                  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>
sig!3        3F272F5B 2007-11-09  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>

/tmp/sec1
---------
pub   1024R/76A4410F 2012-06-13
uid                  fuck31 (f) <f@f>
sig!3        76A4410F 2012-06-13  [User ID not found]
sig-         3F272F5B 2012-06-13  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com> # wrong, signer is a 
subkey of f@f
sig-         3F272F5B 2012-06-13  Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com> # wrong, signer is a 
subkey of f@f.
sub   1024R/2376C859 2012-06-13
sig!         76A4410F 2012-06-13  [User ID not found]
sub   2180R/3F272F5B 2012-06-13
sig!         76A4410F 2012-06-13  [User ID not found]

2 bad signatures
1 signature not checked due to a missing key

Attachment: sec1
Description: 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: