Advisory: Corrupt RPM Query Vulnerability

Type securityvulns
Reporter Securityvulns
Modified 2001-10-25T00:00:00


Description: Arbitrary command executing on query of corrupt RPM files (note: you do not have to install the file to be affected)

Severity: Very Low to Low (Unless running an lpd with no access restrictions, in which case, it may allow remote compromize.)

Affects: rpm-4.0.2-7x probably also earlier 4.0.x rpm packages (*) Also affects other programs using rpm 4.0.x libraries, including rpm2html.

(*) 3.0.x is not affected by this fault, but that does not mean it is not affected by a similar problem. (Tested against RPM 3.0.3 on SuSE 6.2)


It is possible to create an RPM (Redhat Package Management) file with 'corrupted' data that will cause arbitrary code to execute when the file is queried. (eg: an rpm utility is used to gain information about the contents of the file, such as version, build date etc, when checking the file for corruptions against the stored MD5 sum, etc. )

Exploiting this bug would require the exploiter to know the location in memory their shellcode will be stored in the heap, a value that is sensitive to initial conditions, and also get the rpm to be accessed.

NB: Due to the environment variable LESSOPEN (in RH7.0) calling a utility that itself calls rpm, viewing an RPM file with less is also potentially dangerous. (i.e. 'less file.rpm' will call /usr/bin/, which in turn calls rpm)

Workaround: Don't even query files from untrusted sources. (less file.rpm will query the file, on default settings!)

Fix: Patch should be avaliable (soon?) from RedHat.

Example of How this could be used in an Exploit to gain user lp:

1) Get an RPM file. 2) Modify its header so it will run your code. 3) Send it the the printer on a RH 7.0 system. 4) Do what you were going to do as user lp.

1) Either make one yourself, or download one of the net.

2) The tricky part. Requires a modifying the header so it is still valid, but will corrupt the heap in such a way as to cause execution of your shellcode, which must also be loaded into memory, when the rpm is queried by the print filter (see 3).

3) The RedHat print system will select the 'RPM to ASCII" print filter (/usr/lib/rhs/rhs-printfilters/rpm-to-asc.fpi) to print information about the RPM out. In the process of doing this, it queries the file,

4) Maybe trojan any lp owned files, so when they are run by another user, it will create a suid shell, owned by them, in a place you can find, while retaining functionality of the trojaned programs.

-- zen-parse

(Vendors were originally notified of the problem 12th August 2001)

====================================================================== Chapel of Stilled Voices - 'gone platinum' - Buy the CDs and support independent mucous. 'big in germany' - Music even. =======================================================================


The preceding information is confidential and may not be redistributed without explicit permission. Legal action may be taken to enforce this.
If this message was posted by to a public forum it may be redistributed as long as these conditions remain attached. If you are mum or dad, this probably doesn't apply to you.