5196384 2000-06-15 03:03 /115 rader/ Postmaster
Mottagare: Bugtraq (import) <11303>
Ärende: Security Advisory: local ROOT exploit in BRU
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <20000614173208.A20602@phoenix.calderasystems.com>
Date: Wed, 14 Jun 2000 17:32:08 -0600
Reply-To: Technical Support <support@PHOENIX.CALDERASYSTEMS.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Technical Support <support@PHOENIX.CALDERASYSTEMS.COM>
X-To: announce@lists.calderasystems.com, linux-security@redhat.com
To: BUGTRAQ@SECURITYFOCUS.COM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
Caldera Systems, Inc. Security Advisory
Subject: local ROOT exploit in BRU
Advisory number: CSSA-2000-018.0
Issue date: 2000 June, 14
Cross reference:
______________________________________________________________________________
1. Problem Description
There is a serious vulnerability in the commandline option and
logfile handling of the BRU Backup Utility which can be exploited
by a local attacker to gain root access to the machine.
We ship BRU on the commercial software CD-ROM of our OpenLinux
productline, but it's not installed by default.
2. Vulnerable Versions
System Package
-----------------------------------------------------------
OpenLinux Desktop 2.3 up to BRU-15.1P-4
OpenLinux eServer 2.3 not included
and OpenLinux eBuilder
OpenLinux eDesktop 2.4 up to BRU-15.1D-8
3. Solution
Workaround:
If you do not need BRU, issue as root:
rpm -e BRU
Otherwise remove the suid-root bit by issuing as root:
chmod u-s /bru/bru /bin/bru
If you want to use BRU as a normal user, you have to point the
'BRUEXECLOG' environment variable to a file writeable by the user,
like
bash/sh:
BRUEXECLOG=~/.brulog
export BRUEXECLOG
tcsh/csh:
setenv BRUEXECLOG=~/.brulog
Also do ignore the
bru: [W171] warning - BRU must be owned by root and have suid bit set
warning on further BRU calls.
4. OpenLinux Desktop 2.3
See workaround above
5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
not included
6. OpenLinux eDesktop 2.4
See workaround above
7. References
This and other Caldera security resources are located at:
http://www.calderasystems.com/support/security/index.html
8. Disclaimer
Caldera Systems, Inc. is not responsible for the misuse of any of
the information we provide on this website and/or through our
security advisories. Our advisories are a service to our customers
intended to promote secure installation and use of Caldera
OpenLinux.
9. Acknowledgements
Caldera Systems wishes to thank the Network Security department of
Speakeasy Networks for discovering and reporting the bug, and
Enhanced Software Technologies, Inc. for suggesting the workaround.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE5R3Fl18sy83A/qfwRArQvAJ4kXFmdyA+bAEeaOkYmsfsJkhNpxACfYYxP
/TBrKh4Lxxpb/Pe9Z/pMMnw=
=K8/3
-----END PGP SIGNATURE-----
(5196384) ------------------------------------------(Ombruten)