BRU (Backup and Recovery Utility) poor permissions

Summary
Description: This commercial UNIX backup program (specifically its new Tcl/Tk GUI, xbru) creates the /usr/local/lib/bru directory with mode 777. The directory holds the GUI's Tcl/Tk sources, and xbru is normally run as root, so any local user can replace those sources and get root. The vendor's intended mode is 1777 (sticky bit), which stops users from removing or renaming files they do not own; the sources themselves must also not be world-writable.
Author: Kyle Amon <amonk@GNUTEC.COM>
Compromise: root (local)
Vulnerable Systems: Any system running a vulnerable version of BRU with the xbru GUI (the report concerns the Linux version; the Solaris and other UNIX ports probably ship it too).
Date: 8 November 1997
Details


Date: Sat, 8 Nov 1997 00:58:54 -0500
From: Kyle Amon <amonk@GNUTEC.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: xbru vulnerability

BRU (Backup and Recovery Utility) is a fairly commonly used commercial
UNIX backup program available from EST, Inc. (Enhanced Software Technologies).
They have a website at http://www.estinc.com and were instrumental in some
of the recent FTAPE driver improvements for Linux.  All in all it's a
great program, however they have added a new tcl/tk based GUI interface
which installs with inappropriate permissions.  Below is an abbreviated
version of a conversation I recently had with them.

[me]
> I recently bought bru (full version) for Linux.  When xbru installs, it
> creates a /usr/local/lib/bru directory with mode 777.  Is this mode
> required for some reason?  Because, if not, it looks a little loose to me?

[est]
> Yes, at the present time it does need to be 777.  Bru does some work which
> requires that mode; however, I've turned this one over to our programming shop
> to look at a change to this in the future.  Thank you for the inquiry.

[me]
> Hmm.  Doesn't that seem like a bad idea?  What's to keep any of my users
> from mucking about in there?  Nothing.  And what about a tcl/tk proficient
> user?  Since xbru would be run as root more often than not, what's to keep
> them from adding some nasties to the source?  Nothing.  It looks like a
> pretty major security hole to me.

[est]
> I passed your message on to our engineering staff for future implementations
> and, about two minutes later, the senior member was in my office with concern
> written on his face :(
>
> It appears as though the program was NOT supposed to go out 777 -- rather
> 1777.  That little sticky bit of a difference provides for the security of
> ownership.  Thank you for bringing this to our attention.
>
> You can make the following change to your system as shown:
>
>        chmod 1777 /usr/local/lib/bru   (assuming root login)

- Kyle

Kyle Amon                     email: amonk@raleigh.ibm.com
Unix Systems Administrator    phone: (203) 486-3290
Security Specialist           pager: 1-800-759-8888 PIN 1616512
IBM Global Services                  or 1616512@skymail.com (240 char max)
                              email: amonk@gnutec.com
                              url:   http://www.gnutec.com/kyle
KeyID 1024/173D96C9
Fingerprint = 90 4F 0B D4 2D 37 E7 61  1A 31 7B F2 72 04 66 1A

Windows 95:  A 32-bit patch for a 16-bit GUI shell running on top of an
             8-bit operating system written for a 4-bit processor by a
             2-bit company who cannot stand 1 bit of competition.
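The permission check from the exchange above, turned into something a sysadmin can run. This is an added POSIX shell example, not code from the original post nor from EST or BRU: it classifies a directory as not world-writable, world-writable without the sticky bit (the 777 that shipped), or world-writable with it (the 1777 EST recommended), and also lists any world-writable files inside, which the sticky bit does not protect. The path /usr/local/lib/bru is the one named in the post; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post, nor from EST/BRU): audit a
# directory of program sources that a root-run tool loads, the situation
# xbru created with /usr/local/lib/bru.  The path is the one named in the
# post; the function names below are this example's own.
#
# check_dir DIR return codes:
#   0  not world-writable
#   1  world-writable, no sticky bit: any local user can unlink or rename
#      root-owned files in it and drop in replacements (the reported bug)
#   2  world-writable but sticky (1777, the vendor's fix): others' files
#      cannot be removed or renamed, but new files can still be created
#   3  DIR could not be examined

# mode_string DIR: the 10-character permission field of `ls -ld`, e.g.
# "drwxrwxrwt".  Parsing ls output is portable across GNU and BSD,
# unlike the differing stat(1) flags.
mode_string() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

check_dir() {
    m=$(mode_string "$1")
    [ -n "$m" ] || return 3
    other_w=$(printf '%s\n' "$m" | cut -c9)    # "other" write bit
    other_x=$(printf '%s\n' "$m" | cut -c10)   # "other" exec bit; t/T = sticky
    [ "$other_w" = "w" ] || return 0
    case $other_x in
        t|T) return 2 ;;
        *)   return 1 ;;
    esac
}

# world_writable_files DIR: regular files directly in DIR that anyone can
# modify; a sticky bit on DIR does nothing to protect these.
world_writable_files() {
    find "$1" -maxdepth 1 -type f -perm -002 2>/dev/null
}

# audit DIR: print a verdict for DIR and its files; returns check_dir's code.
audit() {
    d=$1
    check_dir "$d"
    rc=$?
    case $rc in
        0) echo "$d: ok, not world-writable" ;;
        1) echo "$d: WORLD-WRITABLE without sticky bit; run: chmod 1777 $d (or tighter)" ;;
        2) echo "$d: world-writable but sticky; others' files protected, new files still allowed" ;;
        *) echo "$d: cannot examine" ;;
    esac
    world_writable_files "$d" | while read -r f; do
        echo "$d: world-writable file: $f"
    done
    return $rc
}

# usage: ./this-script /usr/local/lib/bru
if [ $# -gt 0 ]; then
    audit "$1"
fi
```

The sticky bit only stops users from unlinking or renaming files they do not own; anyone can still create new files in the directory. So after applying the vendor's chmod 1777, also confirm that the root-owned sources themselves are not world-writable, and use a tighter mode if the program turns out not to need world write at all.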

This page is part of Fyodor's exploit world.