Open kapistka opened 5 months ago
@kapistka It's not really a big problem. If the attacker has the ability to prepare his own image, he can easily bypass these checks. I've done some simple tests and I'm ready to give a couple of examples:
"?", "*" symbols. So you can use `rm -rf /v*r/l*b/a*t/lists/*` instead of the `rm -rf /var/lib/apt/lists/*` construction.

What about malicious files detected by VirusTotal? All files that VirusTotal recognised as malicious are open source tools. In order for an executable file not to be detected by VT, it is enough to change only a byte. This in turn changes the hash and the malware is not recognised. An attacker can use a custom build of these tools.
You can change creation date via manifest.json
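An added example, not part of the thread and not the project's own code: a detection-side sketch showing why a literal match on the layer command misses the wildcard form quoted above, and how reading each path argument as a glob catches it. It assumes the check works on the image's layer-history command strings; the function names, the watch list and the sample commands are constructed for illustration.

```python
import shlex
from fnmatch import fnmatchcase

# Assumed watch list for this example; the thread names only this path.
WATCHED_PATHS = ["/var/lib/apt/lists"]


def naive_hit(command: str) -> bool:
    """Literal substring check: the kind of rule the wildcard form slips past."""
    return any(path in command for path in WATCHED_PATHS)


def token_covers(token: str, watched: str) -> bool:
    """True if an absolute-path token, read as a shell glob, can resolve to
    the watched path, a parent of it, or something beneath it."""
    if not token.startswith("/"):
        return False
    pattern_parts = [p for p in token.split("/") if p]
    watched_parts = [p for p in watched.split("/") if p]
    # Shell globs never cross "/", so compare segment by segment. zip() stops
    # at the shorter path, which also flags a parent such as /var/l*b.
    return bool(pattern_parts) and all(
        fnmatchcase(name, pat) for name, pat in zip(watched_parts, pattern_parts)
    )


def glob_aware_hit(command: str) -> bool:
    """Flag a command if any of its arguments could expand to a watched path."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        tokens = command.split()
    return any(token_covers(t, w) for t in tokens for w in WATCHED_PATHS)


# Constructed layer-history strings, not output from a real image.
SAMPLES = [
    "/bin/sh -c rm -rf /var/lib/apt/lists/*",
    "/bin/sh -c rm -rf /v*r/l*b/a*t/lists/*",
    "/bin/sh -c rm -rf /va?/li?/apt/lists/*",
    "/bin/sh -c rm -rf /tmp/*",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(f"naive={naive_hit(cmd)!s:5} glob_aware={glob_aware_hit(cmd)!s:5} {cmd}")
```

This covers only the glob case raised in the thread; it is a heuristic over command text and does not evaluate what the shell would actually expand at build time.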
@r0binak Thanks for the reply)
We need to come up with bypass =)