[15306] in bugtraq

Re: BRU Vulnerability

daemon@ATHENA.MIT.EDU (Theo Van Dinter)
Mon Jun 12 01:20:52 2000

Message-Id:  <20000611163130.A3960@kluge.net>
Date:         Sun, 11 Jun 2000 16:31:30 -0400
Reply-To: Theo Van Dinter <felicity@KLUGE.NET>
From: Theo Van Dinter <felicity@KLUGE.NET>
X-To:         Jeremy Rauch <jrauch@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000608140526.A24066@securityfocus.com>; from
              jrauch@SECURITYFOCUS.COM on Thu, Jun 08, 2000 at 02:05:26PM -0700

On Thu, Jun 08, 2000 at 02:05:26PM -0700, Jeremy Rauch wrote:
> By default, BRU is installed setuid root.  If it isn't, and is run by a
> non-root user, it complains:
> bru: [W171] warning - BRU must be owned by root and have suid bit set

Clarification request:  Which version of BRU?  I got the RPM version of
BRU 2000 (v15 I believe) w/ a RedHat box set I bought one day:

> rpm -q BRU2000
BRU2000-15.0P-2
> rpm -V BRU2000
..?.....   /bin/bru
..?.....   /bru/bru
S.5....T c /etc/brutab
> ls -la /bin/bru
-rwx--x--x   1 root     root       157396 Dec 18  1997 /bin/bru


The "rpm -V" shows no permissions difference between installed and package,
and the /bin/bru program isn't setuid.  It does complain about being
non-setuid, but it works just the same without it.


> Many (most) users who install BRU probably never think to check if it's
> installed setuid.  Should it be?  Probably not, but it is a very real
> vulnerability under a default install.

If you're worried about security, you should have done the standard

find / -perm +6000 -print

or the appropriate version thereof to find all of the setuid/gid programs on
your system.  Standard security practice.  If it has it but doesn't need it,
take it away.

--
Randomly Generated Tagline:
"Premature optimisation is the root of all evil." - Knuth
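
Added example, not part of the original message: a shell sketch of the audit described above, listing setuid/setgid files that are not on a reviewed allowlist and clearing the bits from one that does not need them. The names audit_suid and strip_suid and the allowlist format (one absolute path per line) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files against a reviewed allowlist.
# audit_suid and strip_suid are hypothetical helper names.

# audit_suid ROOT ALLOWLIST
# Prints every regular file under ROOT that has the setuid or setgid bit
# set and is not listed in ALLOWLIST (one absolute path per line).
audit_suid() {
    root=$1
    allowlist=$2
    # "-perm -4000 -o -perm -2000" is the POSIX spelling of "either bit
    # set". The message's "-perm +6000" was the GNU find syntax of the
    # time; current GNU find writes it as "-perm /6000".
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    sort |
    while IFS= read -r path; do
        # Skip paths that were reviewed and accepted as needing the bit.
        if [ -f "$allowlist" ] && grep -Fxq -- "$path" "$allowlist"; then
            continue
        fi
        printf '%s\n' "$path"
    done
}

# strip_suid FILE
# "If it has it but doesn't need it, take it away": clear both bits.
strip_suid() {
    chmod u-s,g-s -- "$1"
}

# Stand-alone use: sh audit.sh ROOT [ALLOWLIST]
if [ $# -ge 1 ]; then
    audit_suid "$1" "${2:-/dev/null}"
fi
```

Run it as root against / to see every directory; paths it prints are the ones still waiting for a keep-or-strip decision.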