[15348] in bugtraq
Security Advisory: local ROOT exploit in BRU
daemon@ATHENA.MIT.EDU (Technical Support)
Wed Jun 14 21:07:33 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000614173208.A20602@phoenix.calderasystems.com>
Date: Wed, 14 Jun 2000 17:32:08 -0600
Reply-To: Technical Support <support@PHOENIX.CALDERASYSTEMS.COM>
From: Technical Support <support@PHOENIX.CALDERASYSTEMS.COM>
X-To: announce@lists.calderasystems.com, linux-security@redhat.com
To: BUGTRAQ@SECURITYFOCUS.COM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
Caldera Systems, Inc. Security Advisory
Subject: local ROOT exploit in BRU
Advisory number: CSSA-2000-018.0
Issue date: 2000 June, 14
Cross reference:
______________________________________________________________________________
1. Problem Description
There is a serious vulnerability in the commandline option and logfile
handling of the BRU Backup Utility which can be exploited by a local
attacker to gain root access to the machine.
We ship BRU on the commercial software CD-ROM of our OpenLinux productline,
but it's not installed by default.
2. Vulnerable Versions
System Package
-----------------------------------------------------------
OpenLinux Desktop 2.3 up to BRU-15.1P-4
OpenLinux eServer 2.3 not included
and OpenLinux eBuilder
OpenLinux eDesktop 2.4 up to BRU-15.1D-8
3. Solution
Workaround:
If you do not need BRU, issue as root:
rpm -e BRU
Otherwise remove the suid-root bit by issuing as root:
chmod u-s /bru/bru /bin/bru
If you want to use BRU as a normal user, you have to point the 'BRUEXECLOG'
environment variable to a file writeable by the user, like
bash/sh:
BRUEXECLOG=~/.brulog
export BRUEXECLOG
tcsh/csh:
setenv BRUEXECLOG=~/.brulog
Also do ignore the
bru: [W171] warning - BRU must be owned by root and have suid bit set
warning on further BRU calls.
4. OpenLinux Desktop 2.3
See workaround above
5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
not included
6. OpenLinux eDesktop 2.4
See workaround above
7. References
This and other Caldera security resources are located at:
http://www.calderasystems.com/support/security/index.html
8. Disclaimer
Caldera Systems, Inc. is not responsible for the misuse of any of the
information we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended to
promote secure installation and use of Caldera OpenLinux.
9. Acknowledgements
Caldera Systems wishes to thank the Network Security department of Speakeasy
Networks for discovering and reporting the bug, and Enhanced Software
Technologies, Inc. for suggesting the workaround.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE5R3Fl18sy83A/qfwRArQvAJ4kXFmdyA+bAEeaOkYmsfsJkhNpxACfYYxP
/TBrKh4Lxxpb/Pe9Z/pMMnw=
=K8/3
-----END PGP SIGNATURE-----
