Advisory: Corrupt RPM Query Vulnerability

[zen-parse <zen-parse () gmx net>]

Description: Arbitrary command executing on query of corrupt RPM files
             (note: you do not have to install the file to be affected)


Severity: Very Low to Low 
          (Unless running an lpd with no access restrictions,
          in which case, it may allow remote compromize.)


Affects: rpm-4.0.2-7x 
         probably also earlier 4.0.x rpm packages (*)
         Also affects other programs using rpm 4.0.x libraries,
         including rpm2html.

(*) 3.0.x is not affected by _this_ fault, but that
    does not mean it is not affected by a similar
    problem. (Tested against RPM 3.0.3 on SuSE 6.2)


Description:

  It is possible to create an RPM (Redhat Package Management) file with 
 'corrupted' data that will cause arbitrary code to execute when the file
 is queried. (eg: an rpm utility is used to gain information about the
 contents of the file, such as version, build date etc, when checking the
 file for corruptions against the stored MD5 sum, etc. )

  Exploiting this bug would require the exploiter to know the location 
 in memory their shellcode will be stored in the heap, a value that is 
 sensitive to initial conditions, and also get the rpm to be accessed.

NB: Due to the environment variable LESSOPEN (in RH7.0) calling a 
    utility that itself calls rpm, viewing an RPM file with less is 
    also potentially dangerous. 
    (i.e. 'less file.rpm' will call /usr/bin/lesspipe.sh, which in turn
    calls rpm) 


Workaround:  Don't even query files from untrusted sources.
             (less file.rpm will query the file, on default settings!)



Fix: Patch should be avaliable (soon?) from RedHat.


Example of How this could be used in an Exploit to gain user lp:

 1) Get an RPM file.
 2) Modify its header so it will run your code.
 3) Send it the the printer on a RH 7.0 system.
 4) Do what you were going to do as user lp.


 1) Either make one yourself, or download one of the net.  

 2) The tricky part. Requires a modifying the header so it is still
    valid, but will corrupt the heap in such a way as to cause execution
    of your shellcode, which must also be loaded into memory, when the
    rpm is queried by the print filter (see 3).

3) The RedHat print system will select the 'RPM to ASCII" print filter
   (/usr/lib/rhs/rhs-printfilters/rpm-to-asc.fpi) to print information
   about the RPM out. In the process of doing this, it queries the file,

4) Maybe trojan any lp owned files, so when they are run by another user, 
   it will create a suid shell, owned by them, in a place you can find,
   while retaining functionality of the trojaned programs.

-- zen-parse

(Vendors were originally notified of the problem 12th August 2001)

======================================================================
Chapel of Stilled Voices - http://mp3.com/cosv 
'gone platinum'          - Buy the CDs and support independent mucous.
'big in germany'         - Music even.
=======================================================================

-- 
-------------------------------------------------------------------------
The preceding information is confidential and may not be redistributed
without explicit permission. Legal action may be taken to enforce this.  
If this message was posted by zen-parse () gmx net to a public forum it may
be redistributed as long as these conditions remain attached. If you are
mum or dad, this probably doesn't apply to you.