Source: security-advisories@github.com
eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but in a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.
A critical vulnerability exists in the Solus package manager (eopkg) allowing a malicious package to escape the designated installation directory specified by --destdir. This flaw enables attackers to overwrite arbitrary files on the system, potentially leading to system compromise and data exfiltration.
Step 1: Payload Creation: An attacker crafts a malicious eopkg package. This package includes files with deliberately crafted paths designed to escape the --destdir setting. For example, a file entry might specify a path like ../../../etc/passwd.
Step 2: Package Delivery: The attacker either hosts the malicious package on a compromised or malicious repository, or convinces a user to download and install the package from a trusted, but compromised, source.
Step 3: Installation with --destdir: The victim, unaware of the malicious intent, uses eopkg with the --destdir option to install the compromised package. This option is intended to install the package to a specific directory.
Step 4: Path Traversal: During the installation process, eopkg processes the file entries within the package. Due to the vulnerability, the crafted paths are not properly sanitized or validated.
Step 5: File Overwrite: The files with malicious paths are written to locations outside the intended --destdir, potentially overwriting critical system files (e.g., /etc/passwd, /etc/shadow), or installing malicious executables.
The vulnerability stems from how eopkg handles package installation paths when the --destdir option is used. The root cause is likely insufficient sanitization or validation of the file paths carried in the package metadata or installation scripts: the code does not reject path-traversal sequences before joining them with the destination directory. A malicious package can therefore include file entries with crafted paths (e.g., ../../../etc/passwd) that, when processed by eopkg, bypass the intended destination directory and write files to arbitrary locations on the filesystem. This can lead to overwriting critical system files, injecting malicious code, or gaining unauthorized access.
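To make the root cause concrete, the following is an added example (not eopkg's own code) that contrasts the unsafe join with a containment check rejecting members that would escape `--destdir`; the member list and the `/tmp/stage` destdir are constructed for illustration.

```python
import os
import posixpath

def naive_install_path(destdir: str, member: str) -> str:
    # Vulnerable pattern: a plain join lets "../" segments climb out of destdir.
    return os.path.normpath(os.path.join(destdir, member))

def safe_install_path(destdir: str, member: str) -> str:
    """Absolute install path for `member` under `destdir`; ValueError if it escapes."""
    if not member or "\x00" in member:
        raise ValueError(f"invalid member name: {member!r}")
    if member.startswith("/"):
        raise ValueError(f"absolute path in package: {member!r}")
    norm = posixpath.normpath(member)
    if norm == ".." or norm.startswith("../"):
        raise ValueError(f"path traversal in package: {member!r}")
    root = os.path.realpath(destdir)
    # realpath also follows symlinks already present under destdir (including
    # ones an earlier member of the same package may have created), so a
    # "lib -> /etc" symlink followed by "lib/passwd" is rejected here as well.
    target = os.path.realpath(os.path.join(root, norm))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"member resolves outside destdir: {member!r}")
    return target

def vet_members(destdir: str, members):
    """Split package member names into (accepted, rejected) before writing anything."""
    accepted, rejected = [], []
    for name in members:
        try:
            safe_install_path(destdir, name)
            accepted.append(name)
        except ValueError as err:
            rejected.append((name, str(err)))
    return accepted, rejected

if __name__ == "__main__":
    # Constructed file list standing in for a package's member names; not a real package.
    SAMPLE = ["usr/bin/hello", "./usr/lib/../lib/libhello.so",
              "../../../etc/passwd", "/etc/shadow", "usr/../../tmp/x"]
    ok, bad = vet_members("/tmp/stage", SAMPLE)
    print("accepted:", ok)
    for name, why in bad:
        print("rejected:", name, "->", why)
    print("naive join would write to:", naive_install_path("/tmp/stage", SAMPLE[2]))
```

Vetting the whole member list before extracting anything matters because a partially installed package can already have placed a symlink that later members follow.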
While no specific APTs are directly linked, this vulnerability is attractive to a wide range of threat actors. It could be leveraged by actors seeking initial access, privilege escalation, or data exfiltration. CISA KEV status: Not listed, but likely to be added if actively exploited.
Monitor file system activity for unexpected file modifications, especially in system directories (e.g., /etc, /usr/bin).
Analyze eopkg logs for suspicious package installations, particularly those involving packages from untrusted sources or with unusual file paths.
Implement file integrity monitoring (FIM) to detect unauthorized changes to critical system files.
Monitor the network for unusual outbound connections from the affected system after package installation.
Upgrade eopkg to version 4.4.0 or later.
Verify the integrity of all installed packages, especially those from untrusted sources.
Review and harden the system's package repository configuration to ensure only trusted sources are used.
Implement a robust file integrity monitoring (FIM) solution to detect any unauthorized file modifications.
Regularly update the system to patch any other potential vulnerabilities.