BRU (Backup and Recovery Utility) poor permissions
Description: | This commercial UNIX backup program creates the /usr/local/lib/bru directory mode 777. This directory apparently contains sources. Enough said. |
Author: | Kyle Amon <amonk@GNUTEC.COM> |
Compromise: | root (local) |
Vulnerable Systems: | Any running vulnerable version of BRU (There is a Linux version, probably also Solaris and other *NIX). |
Date: | 8 November 1997 |
Date: Sat, 8 Nov 1997 00:58:54 -0500
From: Kyle Amon <amonk@GNUTEC.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: xbru vulnerability
BRU (Backup and Recovery Utility) is a fairly commonly used commercial
UNIX backup program available from EST, Inc. (Enhanced Software Technologies).
They have a website at http://www.estinc.com and were instrumental in some
of the recent FTAPE driver improvements for Linux. All in all it's a
great program, however they have added a new tcl/tk based GUI interface
which installs with inappropriate permissions. Below is an abreviated
version of a conversation I recently had with them.
[me]
> I recently bought bru (full version) for Linux. When xbru installs, it
> creates a /usr/local/lib/bru directory with mode 777. Is this mode
> required for some reason? Because, if not, it looks a little loose to me?
[est]
> Yes, at the present time it does need to be 777. Bru does some work which
> requires that mode; however, I've turned this one over to our programming shop
> to look at a change to this in the future. Thank you for the inquiry.
[me]
> Hmm. Doesn't that seem like a bad idea? What's to keep any of my users
> from mucking about in there? Nothing. And what about a tcl/tk proficient
> user? Since xbru would be run as root more often than not, what's to keep
> them from adding some nasties to the source? Nothing. It looks like a
> pretty major security hole to me.
[est]
> I passed your message on to our engineering staff for future implementations
> and, about two minutes later, the senior member was in my office with concern
> written on his face :(
>
> It appears as though the program was NOT suppose to go out 777 -- rather
> 1777. That little sticky bit of a difference provides for the security of
> ownership. Thank you for bringing this to our attention.
>
> You can make the following change to your system as shown:
>
> chmod 1777 /usr/local/lib/bru (assuming root login)
- Kyle
Kyle Amon email: amonk@raleigh.ibm.com
Unix Systems Administrator phone: (203) 486-3290
Security Specialist pager: 1-800-759-8888 PIN 1616512
IBM Global Services or 1616512@skymail.com (240 char max)
email: amonk@gnutec.com
url: http://www.gnutec.com/kyle
KeyID 1024/173D96C9
Fingerprint = 90 4F 0B D4 2D 37 E7 61 1A 31 7B F2 72 04 66 1A
Windows 95: A 32-bit patch for a 16-bit GUI shell running on top of an
8-bit operating system written for a 4-bit processor by a
2-bit company who cannot stand 1 bit of competition.
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
world.
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: