Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

mandrake.urpmi.txt

🗓️ 05 Nov 2000 00:00:00Reported by DotslashType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 47 Views

Local exploit in urpmi allows user to install packages as root using physical access.

Code
`  
  
  
Local Exploit Issue with:  
/usr/bin/urpmi  
The urpmi executable (perl script)  
  
[root@localhost /root]# ls -al /usr/bin/urpmi  
-rwsr-x--- 1 root urpmi 9352 Apr 4 2000 /usr/bin/urpmi*  
  
  
This requires an account in the urpmi group. Possibly physical access to the box as well.   
  
On Mandrake 7.1 the package urpmi was installed by default on my machine... I did not add my user to the urpmi group   
gid 234(urpmi) it was like that when the user was added to my system. As you can see in the config file a User is aloud to install a   
package if it resides in a directory that has been defined as being safe.   
  
[root@localhost /root]# cat /etc/urpmi/urpmi.cfg  
cdrom1 removable_cdrom_0://mnt/cdrom/Mandrake/RPMS  
cdrom2 removable_cdrom_1://mnt/cdrom/Mandrake/RPMS2  
cdrom3 removable_cdrom_2://mnt/cdrom/RPMS  
cdrom4 removable_cdrom_3://mnt/cdrom/RPMS  
  
DESCRIPTION  
urpmi enables non-superuser install of rpms. In fact, it  
only authorizes well-known rpms to be installed.  
  
All users belonging to group urpmi are allowed to install  
packages.  
Just launch urpmi followed by what you think is the name  
of the package(s), and urpmi will install them  
  
^---------- hrmm so lets say I have supermount enabled on my box   
And my fstab looks something like this and of course the mtab having the appropreate entry also.  
/dev/cdrom /mnt/cdrom auto user,noauto,nosuid,exec,nodev,ro 0 0  
  
So I decide to burn myself a cd with a folder RPMS and I place exploitmeplease.i586.rpm in the folder.  
Simply drop it in the cdrom drive and viola.   
  
I should then as a member of the urpmi group be alloud to type:  
  
[user@localhost /mnt/cdrom/RPMS]$ urpmi -ivh exploitmeplease  
  
And procede to install my tools as root  
  
  
Note that urpmi handle installations from various medias  
(ftp, local and nfs volumes, removable medias such as  
CDROMs) and is able to install dependencies from a media  
different from the package's media. If necessary, urpmi  
asks you to insert the required media.  
  
^---------- thats cool it might even ask me to put in a cd... hrmm thats a bright idea. trojan dependancys for a package   
you do have access to could be located on a different cd... thats really anal but theoretically it could happen.   
Hell for all I know if you got lucky and there was a blank in the drive or if you can physically put a blank in the drive  
you could maybe use the cdwriter exploit to burn your trojan cd.   
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Nov 2000 00:00Current
7.4High risk
Vulners AI Score7.4
local exploiturpmi executableuser permissionspackage installationphysical access.
47