The `RPM::File#extract` method extracts the contents of the payload field of an RPM file into a Ruby data structure. The `RPM::File#files` method parses the contents of the payload field and returns a list of all the files contained in the RPM. Applications that use these methods to check the integrity of RPM files are vulnerable to OS command injection. Worse, these methods are public and can be called by any program. To exploit this issue, a malicious RPM file can be crafted that contains a `payload_compressor` field. The following example is a valid RPM file which includes a field named `payload_compressor`:

--- /^[0-9a-zA-Z_-]{10}$/

If this field is set to a value such as 'bzip2' or 'gz', the `extract` method extracts the payload into the data structure passed to the method. An attacker can craft an RPM file whose `payload_compressor` field is set to 'sh -c "echo hello > /tmp/payload"', and the `files` method will return a list of all the commands that will be executed when the RPM is installed. A malicious `payload_compressor` field can therefore be used to craft an RPM file that executes any command. Exploiting this issue results in OS command injection.

OS command injection example

The following example is a valid RPM file which includes a malicious `payload_compressor` field:

--- /^[0-9a-zA-Z_-]{10}$/

If the `payload_compressor` field is set to a value such as 'sh -c "echo hello > /tmp/payload"', the `files` method extracts the contents of this field into the data structure passed to the method. An attacker can craft an RPM file with a malicious `payload_compressor` field and install it on an unpatched server. When this RPM file is installed, the injected commands run in the context of root, which could allow the attacker to gain full control over that machine.

OS Command Injection

OS command injection is a class of vulnerabilities that occurs when a vulnerable application causes the operating system to execute commands, typically with elevated privileges. The most common form of OS command injection is caused by shell metacharacters in parameters passed to applications that assume an environment with no special characters. These vulnerabilities can be exploited by attackers to execute arbitrary commands on the target system.

OS Command Injection: Theory & Practical Implications

OS command injection is a common vulnerability in software that builds and runs operating system commands. It occurs when an attacker submits crafted input that causes the program to run a command of the attacker's choice. An example would be an application that handles commands from the OS and allows users to manage files; against such an application, an attacker could craft an RPM file using the following input:
"echo hello > /tmp/payload"
The `extract` method extracts the contents of this field into the data structure passed to it, which is then passed as input to the `files` method. The `files` method returns a list of all the commands that will be executed for each file installed by this RPM file. Exploiting this issue results in OS command injection, which can lead to remote code execution on the system with root privileges.
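The pattern behind the issue described above, as an added example that is not code from the page or from the library it describes: a header tag spliced into a shell command line versus the same value validated and passed as an argv array. The allowlist of compressors, the function names and the character class used for validation are assumptions made for this example.

```ruby
# Added example (not the library's own code): why interpolating the
# payload_compressor tag into a shell string is injectable, and a
# validate-then-argv pattern that keeps shell metacharacters inert.

# Decompressors an RPM payload legitimately uses (assumed allowlist).
ALLOWED_COMPRESSORS = %w[gzip bzip2 xz zstd lzma].freeze

class UnsafeCompressorError < StandardError; end

# Vulnerable pattern: the untrusted tag value is spliced into a string that
# a shell will parse, so a value such as `sh -c "..."` becomes code.
def vulnerable_command(rpm_path, compressor)
  "rpm2cpio #{rpm_path} | #{compressor} -d | cpio -t"
end

# Hardened: reject anything outside a strict character class and an
# allowlist before the value reaches a process spawn.
def validate_compressor(compressor)
  ok = compressor.is_a?(String) &&
       compressor.match?(/\A[0-9a-zA-Z_-]+\z/) &&
       ALLOWED_COMPRESSORS.include?(compressor)
  raise UnsafeCompressorError, "refusing payload_compressor #{compressor.inspect}" unless ok
  compressor
end

# Build argv arrays for a shell-free pipeline (e.g. Open3.pipeline_r(*argv)).
# Each element is handed to execve directly; no shell ever parses it.
def safe_pipeline_argv(rpm_path, compressor)
  comp = validate_compressor(compressor)
  [["rpm2cpio", rpm_path], [comp, "-d"], ["cpio", "-t"]]
end

# Detection aid for a scanner: flag a header value that contains anything
# beyond the characters a compressor name should ever have.
def suspicious_compressor?(value)
  !value.match?(/\A[0-9a-zA-Z_-]+\z/)
end

if __FILE__ == $PROGRAM_NAME
  hostile = 'sh -c "echo hello > /tmp/payload"' # constructed, the page's example value
  puts vulnerable_command("pkg.rpm", hostile)    # attacker text lands inside the command line
  puts suspicious_compressor?(hostile)           # true
  p safe_pipeline_argv("pkg.rpm", "gzip")
  begin
    safe_pipeline_argv("pkg.rpm", hostile)
  rescue UnsafeCompressorError => e
    puts e.message
  end
end
```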

Timeline

Published on: 09/21/2022 23:15:00 UTC
Last modified on: 09/26/2022 13:41:00 UTC
