Bugtraq mailing list archives

Re: BRU Vulnerability

From: gavrie () NETMOR COM (Gavrie Philipson)
Date: Thu, 8 Jun 2000 09:28:48 +0300


root wrote:

BRU backup software Vulnerability:

        Description:
                You can change the log file BRU uses by changing the
                BRUEXECLOG environment variable. Since bru is setuid
                root you can append to any file on the system.


Why, am I wondering, would a sane person install BRU with setuid
permissions?
That's like installing tar with setuid permissions and wondering about
overwritten files.

On my systems, BRU words fine without any setuid/setgid perms.

Gavrie.

--
Gavrie Philipson
Netmor Applied Modeling Research Ltd.

Current thread:

BRU Vulnerability root (Jun 06)
- Re: BRU Vulnerability Gavrie Philipson (Jun 07)
  - Re: BRU Vulnerability Jeremy Rauch (Jun 08)
    - Re: BRU Vulnerability Theo Van Dinter (Jun 11)
    - Re: BRU Vulnerability terry white (Jun 11)
    - Exploit to the overflow in restore Ronald Huizer [Crew] (Jun 14)
    - Remote DoS attack in Networks Associates PGP Certificate Server Version 2.5 Vulnerability Ussr Labs (Jun 14)
    - BEA WebLogic JSP showcode vulnerability stuart.mcclure () FOUNDSTONE COM (Jun 11)
  - Microsoft Security Bulletin (MS00-040) Microsoft Product Security (Jun 08)
  - Mission statement for LKAP(Linux Kernel Auditing Project) Bryan Paxton (Jun 08)