SecurityTracker.com
Category:   Application (Generic)  >   Red Hat Package Manager (rpm) Vendors:   [Multiple Authors/Vendors]
Red Hat Package Manager (RPM) Archives May Execute Arbitrary Code With Printer (lp) Privileges When Queried, Allowing a Local User to Gain Elevated Privileges on the Host
SecurityTracker Alert ID:  1002635
SecurityTracker URL:  http://securitytracker.com/id/1002635
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 24 2001
Impact:   Execution of arbitrary code via local system, User access via local system

Version(s): rpm-4.0.2-7x, probably also earlier 4.0.x rpm packages; also affects programs using rpm libraries
Description:   A vulnerability was reported in Red Hat Package Manager (rpm) that allows a user to create a corrupt RPM file that will automatically execute code when another user queries the archive. The code will run with printer (lp) user privileges.

It is reportedly possible for a user to create an RPM (Redhat Package Manager) file with 'corrupted' data that will cause arbitrary code to execute when the rpm file is queried. The code will be executed with 'lp' user privileges. A local user can gain 'lp' privileges.

To exploit this flaw, a user must modify the header so that it is still valid but will corrupt the heap to cause execution of user-supplied shellcode. The shellcode must be designed to be loaded into memory when the rpm is queried by the print filter. It is reported that the RedHat print system will select the 'RPM to ASCII' print filter (/usr/lib/rhs/rhs-printfilters/rpm-to-asc.fpi) to print (display) information about the rpm.

Impact:   A local user can obtain lp user privileges.
Solution:   No solution was available at the time of this entry. It is reported that a patch should be available soon.
Cause:   Exception handling error
Underlying OS:   Linux (Any), UNIX (Any)
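As an added, defensive example (not code from SecurityTracker or from the advisory author), the following Python check inspects an RPM header section of the kind rpm parses when a file is queried and reports index entries whose offset, count or type do not fit the declared data region, which is the class of inconsistency a corrupted header introduces. The header layout (magic, count of 16-byte tag/type/offset/count index entries, then a data region) follows the RPM header format; the sample headers are constructed, using tag numbers 1000 (NAME) and 1001 (VERSION).

```python
import struct

HDR_MAGIC = b"\x8e\xad\xe8\x01"  # RPM header magic plus version byte 1
FIXED_SIZE = {0: 0, 1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}  # NULL, CHAR, INT8..INT64, BIN
STRING_TYPES = {6, 8, 9}  # STRING, STRING_ARRAY, I18NSTRING (NUL-terminated entries)

def check_header(blob):
    """Return the inconsistencies found in one RPM header section (empty list = consistent)."""
    problems = []
    if len(blob) < 16 or blob[:4] != HDR_MAGIC:
        return ["bad header magic"]
    nindex, hsize = struct.unpack(">II", blob[8:16])
    data_start = 16 + 16 * nindex
    if len(blob) < data_start + hsize:
        return [f"truncated: need {data_start + hsize} bytes, have {len(blob)}"]
    data = blob[data_start:data_start + hsize]
    for i in range(nindex):
        tag, typ, off, cnt = struct.unpack(">iiii", blob[16 + 16 * i:32 + 16 * i])
        if off < 0 or off > hsize or cnt < 0:
            problems.append(f"entry {i} (tag {tag}): offset/count out of range")
        elif typ in FIXED_SIZE:
            if off + FIXED_SIZE[typ] * cnt > hsize:
                problems.append(f"entry {i} (tag {tag}): {cnt} items overrun the data region")
        elif typ in STRING_TYPES:
            if typ == 6 and cnt != 1:
                problems.append(f"entry {i} (tag {tag}): STRING entry with count {cnt}")
            pos = off  # every string must be NUL-terminated inside the data region
            for _ in range(cnt):
                end = data.find(b"\0", pos)
                if end < 0:
                    problems.append(f"entry {i} (tag {tag}): unterminated string")
                    break
                pos = end + 1
        else:
            problems.append(f"entry {i} (tag {tag}): unknown type {typ}")
    return problems

def build_header(entries):
    """Constructed helper: assemble a header from (tag, type, payload, count) tuples."""
    index, data = b"", b""
    for tag, typ, payload, cnt in entries:
        index += struct.pack(">iiii", tag, typ, len(data), cnt)
        data += payload
    return HDR_MAGIC + b"\0\0\0\0" + struct.pack(">II", len(entries), len(data)) + index + data

# Constructed samples: a consistent NAME/VERSION header, and a copy whose VERSION offset points far outside the data region.
GOOD = build_header([(1000, 6, b"hello\0", 1), (1001, 6, b"1.0\0", 1)])
BAD = bytearray(GOOD)
struct.pack_into(">i", BAD, 16 + 16 + 8, 0x7FFF0000)  # offset field of index entry 1
```

The check covers structural consistency of one header section only (not field alignment, the 96-byte lead, or the signature section), so a clean result is a precondition for handing a file to rpm, not a guarantee about it.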

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Notes SuSE is Not Vulnerable) Re: Red Hat Package Manager (RPM) Archives May Execute Arbitrary Code With Printer (lp) Privileges When Queried, Allowing a Local User to Gain Elevated Privileges on the Host   (Roman Drahtmueller <draht@suse.de>)
SuSE Linux is reportedly not vulnerable.
(Conectiva Issues Fix) Red Hat Package Manager (RPM) Archives May Execute Arbitrary Code With Printer (lp) Privileges When Queried, Allowing a Local User to Gain Elevated Privileges on the Host   (secure@conectiva.com.br)
The vendor has released a fix.



 Source Message Contents

Date:  Thu, 25 Oct 2001 02:10:02 +1300 (NZDT)
Subject:  Advisory: Corrupt RPM Query Vulnerability


Description: Arbitrary command executing on query of corrupt RPM files
             (note: you do not have to install the file to be affected)


Severity: Very Low to Low
          (Unless running an lpd with no access restrictions,
          in which case, it may allow remote compromise.)


Affects: rpm-4.0.2-7x 
         probably also earlier 4.0.x rpm packages (*)
         Also affects other programs using rpm 4.0.x libraries,
         including rpm2html.

(*) 3.0.x is not affected by _this_ fault, but that
    does not mean it is not affected by a similar
    problem. (Tested against RPM 3.0.3 on SuSE 6.2)


Description:

  It is possible to create an RPM (Redhat Package Management) file with 
 'corrupted' data that will cause arbitrary code to execute when the file
 is queried. (eg: an rpm utility is used to gain information about the
 contents of the file, such as version, build date etc, when checking the
 file for corruptions against the stored MD5 sum, etc. )

  Exploiting this bug would require the exploiter to know the location 
 in memory their shellcode will be stored in the heap, a value that is 
 sensitive to initial conditions, and also get the rpm to be accessed.

NB: Due to the environment variable LESSOPEN (in RH7.0) calling a 
    utility that itself calls rpm, viewing an RPM file with less is 
    also potentially dangerous. 
    (i.e. 'less file.rpm' will call /usr/bin/lesspipe.sh, which in turn
    calls rpm) 


Workaround:  Don't even query files from untrusted sources.
             (less file.rpm will query the file, on default settings!)



Fix: Patch should be available (soon?) from RedHat.


Example of How this could be used in an Exploit to gain user lp:

 1) Get an RPM file.
 2) Modify its header so it will run your code.
 3) Send it to the printer on a RH 7.0 system.
 4) Do what you were going to do as user lp.


 1) Either make one yourself, or download one off the net.

 2) The tricky part. Requires modifying the header so it is still
    valid, but will corrupt the heap in such a way as to cause execution
    of your shellcode, which must also be loaded into memory, when the
    rpm is queried by the print filter (see 3).

3) The RedHat print system will select the 'RPM to ASCII' print filter
   (/usr/lib/rhs/rhs-printfilters/rpm-to-asc.fpi) to print information
   about the RPM out. In the process of doing this, it queries the file.

4) Maybe trojan any lp owned files, so when they are run by another user, 
   it will create a suid shell, owned by them, in a place you can find,
   while retaining functionality of the trojaned programs.

-- zen-parse

(Vendors were originally notified of the problem 12th August 2001)

Copyright 2012, SecurityGlobal.net LLC