Researchers have published the results of an audit of packages in the AUR (Arch User Repository), which is used to distribute packages that are not included in the main Arch Linux repositories. They prepared a script that checks whether the registrations of the domains referenced in PKGBUILD and .SRCINFO files have expired. Running the script identified 14 expired domains that are used in 20 packages to download files.
Simply registering an expired domain is not enough to replace a package, since the downloaded content is verified against a checksum already stored in the AUR. However, it turned out that roughly 35% of AUR packages use "SKIP" in the PKGBUILD to bypass checksum verification (for example, sha256sums=('SKIP')). Of the 20 packages with expired domains, 4 used SKIP.
To demonstrate the attack, the researchers bought the domain of one of the packages that does not verify checksums and hosted on it an archive containing the code and a modified installation script. Instead of a real payload, the script only printed a warning that third-party code was being executed. An attempt to install the package downloaded the substituted files and, since the checksum was not verified, the code added by the researchers was installed and run.
Packages whose download domains had expired:
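The audit described above boils down to two checks per source entry: which registrable domain the download depends on, and whether the checksum slot for that entry is SKIP. The Python script below is an added example written for this article, not the researchers' script or any AUR tooling. It parses a constructed .SRCINFO (the package name and .invalid hosts are made up), replaces the WHOIS/RDAP lookup with a hard-coded domain-to-expiry map, and approximates the registrable domain as the last two labels, which is an assumption that breaks for multi-label public suffixes such as co.uk. Arch-specific arrays (source_x86_64, sha256sums_x86_64) are matched by suffix, and a source counts as verified only if at least one checksum array carries a real digest at its index.

```python
"""Audit an AUR .SRCINFO for download sources whose domain has lapsed and
whose checksum slot is SKIP: the combination the attack relies on."""
import re
from datetime import date
from urllib.parse import urlsplit

# Constructed sample in .SRCINFO syntax (tab-indented fields under pkgbase).
# Package name and hosts are invented; nothing here is a real AUR package.
SAMPLE_SRCINFO = """\
pkgbase = example-bin
\tpkgdesc = Example binary package (constructed sample)
\tpkgver = 1.2.3
\tarch = x86_64
\tsource = https://downloads.old-mirror.invalid/example-1.2.3.tar.gz
\tsource = example.desktop
\tsource = example::git+https://git.example.invalid/example.git#tag=v1.2.3
\tsha256sums = SKIP
\tsha256sums = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
\tsha256sums = SKIP

pkgname = example-bin
"""

# Constructed stand-in for a WHOIS/RDAP lookup: registrable domain -> expiry.
SAMPLE_EXPIRY = {
    "old-mirror.invalid": date(2024, 3, 1),  # lapsed
    "example.invalid": date(2030, 1, 1),     # still registered
}
SAMPLE_TODAY = date(2025, 1, 15)

CHECKSUM_KEYS = {"md5sums", "sha1sums", "sha224sums", "sha256sums",
                 "sha384sums", "sha512sums", "b2sums"}


def parse_srcinfo(text):
    """Return key -> list of values in file order (array fields repeat the key)."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(" = ")
        if sep:
            fields.setdefault(key, []).append(value.strip())
    return fields


def source_host(entry):
    """Host of a remote source entry ("name::vcs+https://host/path#frag"),
    or None for a local file shipped alongside the PKGBUILD."""
    if "::" in entry:                      # strip the optional "name::" prefix
        entry = entry.split("::", 1)[1]
    m = re.match(r"^(?:[a-z0-9]+\+)?([a-z0-9]+://\S+)$", entry, re.IGNORECASE)
    if not m:
        return None
    host = urlsplit(m.group(1)).hostname
    return host.lower() if host else None


def registrable_domain(host):
    """Assumption for this example: registrable domain = last two labels.
    Wrong for public suffixes like co.uk; use a Public Suffix List in practice."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def audit(srcinfo_text, expiry_by_domain, today):
    """One finding per source entry. 'expired' is None when the lookup has no
    record; 'hijackable' means lapsed domain AND no checksum to stop a swap."""
    fields = parse_srcinfo(srcinfo_text)
    groups = {}  # arch suffix ("" or e.g. "x86_64") -> sources and checksum arrays
    for key, values in fields.items():
        base, _, arch = key.partition("_")
        g = groups.setdefault(arch, {"sources": [], "sums": []})
        if base == "source":
            g["sources"] = values
        elif base in CHECKSUM_KEYS:
            g["sums"].append(values)
    findings = []
    for arch, g in groups.items():
        for i, entry in enumerate(g["sources"]):
            verified = any(i < len(arr) and arr[i] != "SKIP" for arr in g["sums"])
            host = source_host(entry)
            domain = registrable_domain(host) if host else None
            expiry = expiry_by_domain.get(domain) if domain else None
            expired = None if expiry is None else expiry < today
            findings.append({
                "arch": arch or "any", "source": entry, "host": host,
                "domain": domain, "verified": verified, "expired": expired,
                "hijackable": bool(expired) and not verified,
            })
    return findings


def hijackable_sources(findings):
    """Sources an attacker could replace by re-registering the domain."""
    return [f["source"] for f in findings if f["hijackable"]]


if __name__ == "__main__":
    for f in audit(SAMPLE_SRCINFO, SAMPLE_EXPIRY, SAMPLE_TODAY):
        print(f)
```

On the sample, only the tarball from the lapsed domain is reported as hijackable: the .desktop file is local and has a digest, and the git source has SKIP (normal for VCS sources, since the content is pinned by the tag rather than by a file hash) but its domain is still registered. To run this against real packages, feed it .SRCINFO files fetched from the AUR and replace SAMPLE_EXPIRY with a real RDAP or WHOIS lookup keyed by registrable domain.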
- firefox-vacuum
- gvim-checkpath
- wine-pixi2
- xcursor-theme-wii
- Lightzone-Free
- Scalafmt-Native
- Coolq-Pro-Bin
- gmedit-bin
- mesen-s-bin
- polly-b-gone
- Erwiz
- Totd
- kygekteampmmp4
- servicewall-git
- amuletml-bin
- etherdump
- nap-bin
- ISCFPC
- ISCFPC-AARCH64
- ISCFPCX