what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Nov 5, 2000
Authored by Dotslash

Mandrake 7.1's /usr/bin/urpmi allows attackers to install RPM's as root if they have an account in the urpmi group and possibly physical access.

tags | exploit, root
systems | linux, mandrake
SHA-256 | 7c9b89ae1b7901292c8d5b0902bedd8ccaad79f8cc4b4e2702d359ba016ff272


Change Mirror Download

Local Exploit Issue with:
The urpmi executable (perl script)

[root@localhost /root]# ls -al /usr/bin/urpmi
-rwsr-x--- 1 root urpmi 9352 Apr 4 2000 /usr/bin/urpmi*

This requires an account in the urpmi group. Possibly physical access to the box as well.

On Mandrake 7.1 the package urpmi was installed by default on my machine... I did not add my user to the urpmi group
gid 234(urpmi) it was like that when the user was added to my system. As you can see in the config file a User is aloud to install a
package if it resides in a directory that has been defined as being safe.

[root@localhost /root]# cat /etc/urpmi/urpmi.cfg
cdrom1 removable_cdrom_0://mnt/cdrom/Mandrake/RPMS
cdrom2 removable_cdrom_1://mnt/cdrom/Mandrake/RPMS2
cdrom3 removable_cdrom_2://mnt/cdrom/RPMS
cdrom4 removable_cdrom_3://mnt/cdrom/RPMS

urpmi enables non-superuser install of rpms. In fact, it
only authorizes well-known rpms to be installed.

All users belonging to group urpmi are allowed to install
Just launch urpmi followed by what you think is the name
of the package(s), and urpmi will install them

^---------- hrmm so lets say I have supermount enabled on my box
And my fstab looks something like this and of course the mtab having the appropreate entry also.
/dev/cdrom /mnt/cdrom auto user,noauto,nosuid,exec,nodev,ro 0 0

So I decide to burn myself a cd with a folder RPMS and I place exploitmeplease.i586.rpm in the folder.
Simply drop it in the cdrom drive and viola.

I should then as a member of the urpmi group be alloud to type:

[user@localhost /mnt/cdrom/RPMS]$ urpmi -ivh exploitmeplease

And procede to install my tools as root

Note that urpmi handle installations from various medias
(ftp, local and nfs volumes, removable medias such as
CDROMs) and is able to install dependencies from a media
different from the package's media. If necessary, urpmi
asks you to insert the required media.

^---------- thats cool it might even ask me to put in a cd... hrmm thats a bright idea. trojan dependancys for a package
you do have access to could be located on a different cd... thats really anal but theoretically it could happen.
Hell for all I know if you got lucky and there was a blank in the drive or if you can physically put a blank in the drive
you could maybe use the cdwriter exploit to burn your trojan cd.

Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By