7357034 2001-10-25 02:10 +1300 /94 lines/ zen-parse <zen-parse@gmx.net>
Sent by: joel@lysator.liu.se
Imported: 2001-10-24 19:22 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19576>
Subject: Advisory: Corrupt RPM Query Vulnerability
------------------------------------------------------------
From: zen-parse <zen-parse@gmx.net>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0110250154240.4179-100000@clarity.local>

Description: Arbitrary command executing on query of corrupt RPM files
             (note: you do not have to install the file to be affected)

Severity:    Very Low to Low
             (Unless running an lpd with no access restrictions,
             in which case, it may allow remote compromise.)

Affects:     rpm-4.0.2-7x
             probably also earlier 4.0.x rpm packages (*)
             Also affects other programs using rpm 4.0.x libraries,
             including rpm2html.

             (*) 3.0.x is not affected by _this_ fault, but that
             does not mean it is not affected by a similar
             problem. (Tested against RPM 3.0.3 on SuSE 6.2)

Description:
It is possible to create an RPM (Redhat Package Management) file with
'corrupted' data that will cause arbitrary code to execute when the file
is queried. (eg: an rpm utility is used to gain information about the
contents of the file, such as version, build date etc, when checking the
file for corruptions against the stored MD5 sum, etc.)

Exploiting this bug would require the exploiter to know the location in
memory their shellcode will be stored in the heap, a value that is
sensitive to initial conditions, and also get the rpm to be accessed.

NB: Due to the environment variable LESSOPEN (in RH7.0) calling a utility
that itself calls rpm, viewing an RPM file with less is also potentially
dangerous. (i.e. 'less file.rpm' will call /usr/bin/lesspipe.sh, which in
turn calls rpm)

Workaround: Don't even query files from untrusted sources.
            (less file.rpm will query the file, on default settings!)

Fix: Patch should be available (soon?) from RedHat.

Example of How this could be used in an Exploit to gain user lp:

1) Get an RPM file.
2) Modify its header so it will run your code.
3) Send it to the printer on a RH 7.0 system.
4) Do what you were going to do as user lp.

1) Either make one yourself, or download one off the net.

2) The tricky part. Requires modifying the header so it is still valid,
   but will corrupt the heap in such a way as to cause execution of your
   shellcode, which must also be loaded into memory, when the rpm is
   queried by the print filter (see 3).

3) The RedHat print system will select the 'RPM to ASCII' print filter
   (/usr/lib/rhs/rhs-printfilters/rpm-to-asc.fpi) to print information
   about the RPM out. In the process of doing this, it queries the file.

4) Maybe trojan any lp owned files, so when they are run by another user,
   it will create a suid shell, owned by them, in a place you can find,
   while retaining functionality of the trojaned programs.

-- zen-parse

(Vendors were originally notified of the problem 12th August 2001)

======================================================================
Chapel of Stilled Voices - http://mp3.com/cosv
'gone platinum' - Buy the CDs and support independent mucous.
'big in germany' - Music even.
=======================================================================
--
-------------------------------------------------------------------------
The preceding information is confidential and may not be redistributed
without explicit permission. Legal action may be taken to enforce this.
If this message was posted by zen-parse@gmx.net to a public forum it may
be redistributed as long as these conditions remain attached. If you are
mum or dad, this probably doesn't apply to you.
(7357034) /zen-parse <zen-parse@gmx.net>/-----------
Comment in text 7359553 by Roman Drahtmueller <draht@suse.de>

7359553 2001-10-24 20:44 +0200 /58 lines/ Roman Drahtmueller <draht@suse.de>
Sent by: joel@lysator.liu.se
Imported: 2001-10-25 05:10 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: draht@suse.de
Recipient: Bugtraq (import) <19590>
Comment to text 7357034 by zen-parse <zen-parse@gmx.net>
Subject: Re: Advisory: Corrupt RPM Query Vulnerability
------------------------------------------------------------
From: Roman Drahtmueller <draht@suse.de>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0110242009490.24025-100000@dent.suse.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>
> Description: Arbitrary command executing on query of corrupt RPM files
>              (note: you do not have to install the file to be affected)
>
>
> Severity:    Very Low to Low
>              (Unless running an lpd with no access restrictions,
>              in which case, it may allow remote compromise.)
>
>
> Affects:     rpm-4.0.2-7x
>              probably also earlier 4.0.x rpm packages (*)
>              Also affects other programs using rpm 4.0.x libraries,
>              including rpm2html.
>
>              (*) 3.0.x is not affected by _this_ fault, but that
>              does not mean it is not affected by a similar
>              problem. (Tested against RPM 3.0.3 on SuSE 6.2)

For verification: SuSE Linux distributions use rpm in versions 3.0.3
(SuSE-6.3), 3.0.4 (SuSE-6.4,7.0) and 3.0.6 (SuSE-7.1+later) and are not
vulnerable to this specific problem.

Just a guess, without any claims of accuracy: Most Linux distributors use
a version of rpm in the 3-series as well. If you are unsure, use the
command "rpm -q rpm" to find out.

> -- zen-parse
>
> (Vendors were originally notified of the problem 12th August 2001)

Yes. Thank you!

Roman.
- --
 - -
| Roman Drahtmüller      <draht@suse.de> // "You don't need eyes to see,
  SuSE GmbH - Security           Phone: //  you need vision!"
| Nürnberg, Germany      +49-911-740530  // Maxi Jazz, Faithless
 - -
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: http://www.suse.de/

iEYEARECAAYFAjvXDD4ACgkQnkDjEAAKq6SqOwCgk9D0sppUqB6CQOo0GTPL+OWT
GDgAn3Ne/C4gK/VO39P8aR87gJz1CE1l
=e9gi
-----END PGP SIGNATURE-----
(7359553) /Roman Drahtmueller <draht@suse.de>/(Reformatted)
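The advisory in this thread describes rpm 4.0.x executing attacker-supplied code while merely querying a package whose header is corrupt yet still passes as valid; the lesson for anything that parses untrusted packages (query tools, print filters, lesspipe wrappers) is to bounds-check every header index entry against the data store before using it. The Python below is an added example written for this page, not rpm's own code and not anything from the advisory or from SuSE: it walks the lead, the signature header and the main header of an RPM v3/v4 file and reports index entries whose offset, count, alignment or string termination does not fit the data store. The two sample packages are constructed in memory (labelled as such in the code); the function names and the sanity ceilings are this example's own assumptions, and the tag numbers follow rpm's public tag list.

```python
"""Bounds-check RPM header index entries before trusting them.

Added example for this page (not rpm's code). It parses only the structural
parts of an RPM file: the 96-byte lead and the two header structures
(signature header, main header), each of which is a magic, an index of
16-byte entries (tag, type, offset, count) and a data store of `hsize` bytes.
"""
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"      # 3 magic bytes followed by header version 1
LEAD_SIZE = 96
ENTRY_SIZE = 16
# bytes per element for the numeric/binary types; None marks the NUL-terminated
# string types (STRING=6, STRING_ARRAY=8, I18NSTRING=9)
TYPE_SIZES = {0: 0, 1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: None, 7: 1, 8: None, 9: None}
# ceilings chosen for this example (assumption: rpm's own limits differ in detail)
MAX_ENTRIES = 0xFFFF
MAX_STORE = 0x0FFFFFFF


def check_header(blob, pos, pad_to_8):
    """Validate one header structure at `pos`; return (problems, end offset)."""
    if blob[pos:pos + 4] != HEADER_MAGIC:
        return ["bad header magic"], None
    nindex, hsize = struct.unpack(">II", blob[pos + 8:pos + 16])
    if nindex > MAX_ENTRIES or hsize > MAX_STORE:
        return [f"index count {nindex} / store size {hsize} exceed sanity limits"], None
    index_start = pos + 16
    store_start = index_start + nindex * ENTRY_SIZE
    store_end = store_start + hsize
    if store_end > len(blob):
        return ["header claims more bytes than the file contains"], None
    store = blob[store_start:store_end]
    problems = []
    for i in range(nindex):
        at = index_start + i * ENTRY_SIZE
        tag, typ, offset, count = struct.unpack(">IIII", blob[at:at + ENTRY_SIZE])
        if typ not in TYPE_SIZES:
            problems.append(f"entry {i} (tag {tag}): unknown type {typ}")
            continue
        if offset >= hsize:
            problems.append(f"entry {i} (tag {tag}): offset {offset} past the data store")
            continue
        size = TYPE_SIZES[typ]
        if size is None:
            # string types: `count` NUL-terminated strings (plain STRING: exactly one)
            wanted = 1 if typ == 6 else count
            cursor = offset
            for _ in range(wanted):
                nul = store.find(b"\0", cursor)
                if nul < 0:
                    problems.append(f"entry {i} (tag {tag}): string not terminated inside the store")
                    break
                cursor = nul + 1
        else:
            # integers must sit on their natural alignment, and the whole array must fit
            if size > 1 and offset % size:
                problems.append(f"entry {i} (tag {tag}): offset {offset} misaligned for type {typ}")
            if offset + count * size > hsize:
                problems.append(f"entry {i} (tag {tag}): {count} elements overrun the store")
    end = store_end
    if pad_to_8:                         # the signature header is padded to 8 bytes
        end += (-end) % 8
    return problems, end


def check_rpm(blob):
    """Check lead, signature header and main header; return a list of problems."""
    if len(blob) < LEAD_SIZE or blob[:4] != LEAD_MAGIC:
        return ["bad lead magic or truncated lead"]
    sig_type = struct.unpack(">h", blob[78:80])[0]
    if sig_type != 5:                    # 5 = header-style signature, the only kind handled here
        return [f"unsupported signature type {sig_type}"]
    sig_problems, pos = check_header(blob, LEAD_SIZE, pad_to_8=True)
    if pos is None:
        return ["signature header: " + p for p in sig_problems]
    hdr_problems, _ = check_header(blob, pos, pad_to_8=False)
    return (["signature header: " + p for p in sig_problems]
            + ["main header: " + p for p in hdr_problems])


def build_header(entries, store):
    """Serialize (tag, type, offset, count) entries plus a data store (for the samples)."""
    index = b"".join(struct.pack(">IIII", *e) for e in entries)
    head = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store))
    return head + index + store


def build_lead():
    # constructed lead: format 3.0, binary package, arch 1, os 1, header-style signature (5)
    return struct.pack(">4sBBhh66shh16s", LEAD_MAGIC, 3, 0, 0, 1, b"sample-1.0-1", 1, 5, b"")


# constructed samples: a 16-byte MD5 signature entry, then NAME/VERSION/SIZE tags
SIG = build_header([(1004, 7, 0, 16)], b"\x00" * 16)
MAIN_STORE = b"sample\0" + b"1.0\0" + b"\0" + struct.pack(">I", 1234)   # SIZE aligned at 12
GOOD_ENTRIES = [(1000, 6, 0, 1), (1001, 6, 7, 1), (1009, 4, 12, 1)]
GOOD_RPM = build_lead() + SIG + build_header(GOOD_ENTRIES, MAIN_STORE)
# the same package with one entry pointing far outside the store: magic, counts
# and sizes still look plausible, only that entry is out of bounds
BAD_ENTRIES = [(1000, 6, 0, 1), (1001, 6, 7, 1), (1009, 4, 0xFFFFFFF0, 1)]
BAD_RPM = build_lead() + SIG + build_header(BAD_ENTRIES, MAIN_STORE)

if __name__ == "__main__":
    for name, pkg in (("good", GOOD_RPM), ("bad", BAD_RPM)):
        print(name, check_rpm(pkg) or "ok")
```

The check is purely structural: it neither verifies the MD5/PGP signature nor touches the payload, and the advisory gives no detail about which header field rpm 4.0.x mishandled, so this is not a reproduction of that bug. Its point is the ordering: a consumer should reject a header whose index does not fit its own store before any `rpm -q`-style query reads through it.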