Installing ElectroBSD the hard way ... by exploiting HardenedBSD

According to the HardenedBSD introduction:

HardenedBSD is a security-enhanced fork of FreeBSD. The HardenedBSD Project is implementing many exploit mitigation and security technologies on top of FreeBSD. The project started with Address Space Layout Randomization (ASLR) as an initial focal point and is now implementing further exploit mitigation techniques.

The bad news

Until recently, HardenedBSD's default configuration contained a somewhat serious flaw that could be exploited by a MITM to intercept requests from pkg(7) and let it execute code provided by the attacker with the privileges of the pkg user (usually root).

Obviously ASLR does not protect against this.

Roughly two months after being informed about the issue, the HardenedBSD project fixed the problem by importing a pkg fix from FreeBSD. Additionally, the previously vulnerable /etc/pkg/HardenedBSD.conf was changed to use a signature type that is actually supported by pkg(7).
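The flaw above comes down to a repository configuration whose signature_type the pkg(7) bootstrapper could not verify, so the bootstrap proceeded over plain http with nothing checking the fetched package. The following audit script is an added example, not code from this page or from the HardenedBSD, FreeBSD or pkg projects. It parses the flat "Name: { key: value }" layout of /etc/pkg/*.conf and flags enabled repositories whose settings leave the bootstrap without a signature it can check. It assumes that the bootstrapper verifies only the "fingerprints" signature type (the BOOTSTRAP_VERIFIABLE set is the place to adjust that for a given release); the sample configuration and the repository names in it are constructed, with only the mirror URL taken from the transcript further down this page.

```python
"""Audit pkg repository configuration files for bootstrap-verification gaps.

Added example, not code from the ElectroBSD page or from HardenedBSD/FreeBSD.
It reads the simple UCL-style layout used by /etc/pkg/*.conf and reports
repositories whose settings give the pkg(7) bootstrap no signature it can
verify. Assumption: the bootstrapper only checks the "fingerprints" type.
"""
import re

# Assumption: signature types the pkg(7) bootstrapper can actually verify.
BOOTSTRAP_VERIFIABLE = {"fingerprints"}

# Constructed sample: an unsupported signature type over plain http (the
# pattern the page describes) next to a conventional fingerprints setup.
SAMPLE_CONF = '''
# constructed example, not a real HardenedBSD.conf
HardlyHardened: {
  url: "pkg+http://pkgs.hardenedbsd.org/HardenedBSD/pkg/${ABI}",
  mirror_type: "srv",
  signature_type: "unsupported-type",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}

Fixed: {
  url: "pkg+http://pkgs.hardenedbsd.org/HardenedBSD/pkg/${ABI}",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}

Local: {
  url: "file:///usr/ports/packages",
  signature_type: "none",
  enabled: no
}
'''

_REPO_START = re.compile(r'^\s*([A-Za-z0-9_.-]+)\s*:\s*\{\s*$')
_KEY_VALUE = re.compile(r'^\s*([A-Za-z_]+)\s*:\s*(.*?)\s*,?\s*$')


def parse_repo_conf(text):
    """Return {repo_name: {key: value}} for a pkg repository config.

    Handles the flat "Name: { key: value, ... }" form only. Quotes around
    values are dropped; comments and blank lines are ignored.
    """
    repos, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        m = _REPO_START.match(line)
        if m:                                  # "Name: {" opens a repo block
            current = m.group(1)
            repos[current] = {}
            continue
        if line.strip() == '}':                # "}" closes it
            current = None
            continue
        m = _KEY_VALUE.match(line)
        if m and current is not None:
            repos[current][m.group(1)] = m.group(2).strip('"')
    return repos


def audit_repos(repos):
    """Return (repo, finding) tuples for every enabled repository."""
    findings = []
    for name, cfg in repos.items():
        if cfg.get('enabled', 'yes').lower() in ('no', 'false', '0'):
            continue                           # disabled repos are never fetched
        sig = cfg.get('signature_type', 'none')
        url = cfg.get('url', '')
        if sig == 'none':
            findings.append((name, 'no signature verification configured'))
        elif sig not in BOOTSTRAP_VERIFIABLE:
            findings.append((name, f'signature_type "{sig}" cannot be verified during bootstrap'))
        elif not cfg.get('fingerprints'):
            findings.append((name, 'fingerprints signature type without a fingerprints directory'))
        if url.startswith(('http://', 'pkg+http://')):
            findings.append((name, 'unauthenticated transport; security rests on signature checks alone'))
    return findings


if __name__ == '__main__':
    for repo, finding in audit_repos(parse_repo_conf(SAMPLE_CONF)):
        print(f'{repo}: {finding}')
```

Run against the constructed sample, the script reports two findings for the HardlyHardened repository (an unverifiable signature type and an unauthenticated transport) and only the transport finding for the Fixed one; the http finding on the fixed configuration is a reminder that with pkg+http mirrors the signature check is the only thing standing between a MITM and the bootstrap. To audit a real host, feed it the contents of /etc/pkg/*.conf and /usr/local/etc/pkg/repos/*.conf instead of SAMPLE_CONF.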

As far as I know, HardenedBSD users were not explicitly told that their systems may be compromised.

The amusing news

If you still have a vulnerable HardenedBSD copy (henceforth referred to as HardlyHardenedBSD) you can exploit the pkg bootstrapping process and let it install ElectroBSD (or any other operating system, including a patched version of HardenedBSD itself) the hard way.

This may not make a lot of sense and you should probably make sure that you are the only MITM around. Hopefully some people find this amusing or get motivated to rage-audit the ElectroBSD code base for similar security flaws.

Demo: Kernel bootstrapping with pkg(7)

Exploiting the bootstrapping process could look like this, although a less prankish attacker probably would prefer to make the attack less obvious:

fk@r500 ~ $ ssh hardlyhardenedbsd
Warning: Permanently added '' (ECDSA) to the list of known hosts.
Password for root@HardlyHardenedBSD:
Last login: Wed Aug 26 15:36:09 2015 from
FreeBSD 11.0-CURRENT-HBSD (HARDENEDBSD) #59 f4a03f9(HEAD): Wed Aug  5 22:05:05 EDT 2015

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
root@HardlyHardenedBSD:~ #  env http_proxy= pkg info
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkgs.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:11:amd64, please wait...
Installing pkg-1.5.6...
Extracting pkg-1.5.6: 100%
Somebody set us up the bomb!
Shutdown NOW!
shutdown: [pid 628]
*** FINAL System shutdown message from root@HardlyHardenedBSD ***            

System going down IMMEDIATELY                                                  

Kernel update complete! Where's your ASLR now?

System shutdown time has arrived
Connection to closed by remote host.
Connection to closed.
fk@r500 ~ $ ssh hardlyhardenedbsd
Warning: Permanently added '' (ECDSA) to the list of known hosts.
Password for root@OwnedBSD:
Last login: Wed Aug 26 15:36:43 2015 from
ElectroBSD 11.0-CURRENT (ELECTRO_BLOAT) #0: Mon Aug 17 12:37:38 UTC 2015

Welcome to OwnedBSD!

root@OwnedBSD:~ #

The above starts with a vanilla HardlyHardenedBSD installation that has been modified to allow root logins through ssh. The MITM attack is done with Privoxy, which runs on the same system as the ssh client that forwards the traffic. The example attack doesn't replace the whole operating system but merely replaces the kernel, the hostname and the message of the day.

A real attacker would have to use DNS poisoning or actually intercept the traffic from the HardlyHardenedBSD system.

Disclosure timeline