Description: Arbitrary command executing on query of corrupt RPM files
(note: you do not have to install the file to be affected)
Severity: Very Low to Low
(Unless running an lpd with no access restrictions,
in which case, it may allow remote compromize.)
Affects: rpm-4.0.2-7x
probably also earlier 4.0.x rpm packages (*)
Also affects other programs using rpm 4.0.x libraries,
including rpm2html.
(*) 3.0.x is not affected by _this_ fault, but that
does not mean it is not affected by a similar
problem. (Tested against RPM 3.0.3 on SuSE 6.2)
Description:
It is possible to create an RPM (Redhat Package Management) file with
'corrupted' data that will cause arbitrary code to execute when the file
is queried. (eg: an rpm utility is used to gain information about the
contents of the file, such as version, build date etc, when checking the
file for corruptions against the stored MD5 sum, etc. )
Exploiting this bug would require the exploiter to know the location
in memory their shellcode will be stored in the heap, a value that is
sensitive to initial conditions, and also get the rpm to be accessed.
NB: Due to the environment variable LESSOPEN (in RH7.0) calling a
utility that itself calls rpm, viewing an RPM file with less is
also potentially dangerous.
(i.e. 'less file.rpm' will call /usr/bin/lesspipe.sh, which in turn
calls rpm)
Workaround: Don't even query files from untrusted sources.
(less file.rpm will query the file, on default settings!)
Fix: Patch should be avaliable (soon?) from RedHat.
Example of How this could be used in an Exploit to gain user lp:
1) Get an RPM file.
2) Modify its header so it will run your code.
3) Send it the the printer on a RH 7.0 system.
4) Do what you were going to do as user lp.
1) Either make one yourself, or download one of the net.
2) The tricky part. Requires a modifying the header so it is still
valid, but will corrupt the heap in such a way as to cause execution
of your shellcode, which must also be loaded into memory, when the
rpm is queried by the print filter (see 3).
3) The RedHat print system will select the 'RPM to ASCII" print filter
(/usr/lib/rhs/rhs-printfilters/rpm-to-asc.fpi) to print information
about the RPM out. In the process of doing this, it queries the file,
4) Maybe trojan any lp owned files, so when they are run by another user,
it will create a suid shell, owned by them, in a place you can find,
while retaining functionality of the trojaned programs.
-- zen-parse
(Vendors were originally notified of the problem 12th August 2001)
======================================================================
Chapel of Stilled Voices - http://mp3.com/cosv
'gone platinum' - Buy the CDs and support independent mucous.
'big in germany' - Music even.
=======================================================================
--
-------------------------------------------------------------------------
The preceding information is confidential and may not be redistributed
without explicit permission. Legal action may be taken to enforce this.
If this message was posted by zen-parseat_private to a public forum it may
be redistributed as long as these conditions remain attached. If you are
mum or dad, this probably doesn't apply to you.
This archive was generated by hypermail 2b30 : Wed Oct 24 2001 - 09:58:00 PDT