Bugtraq mailing list archives
Re: BRU Vulnerability
From: felicity () KLUGE NET (Theo Van Dinter)
Date: Sun, 11 Jun 2000 16:31:30 -0400
On Thu, Jun 08, 2000 at 02:05:26PM -0700, Jeremy Rauch wrote:
> By default, BRU is installed setuid root. If it isn't, and is run by a non-root user, it complains:
>
>     bru: [W171] warning - BRU must be owned by root and have suid bit set
Clarification request: Which version of BRU? I got the RPM version of BRU 2000 (v15 I believe) w/ a RedHat box set I bought one day:

    $ rpm -q BRU2000
    BRU2000-15.0P-2
    $ rpm -V BRU2000
    ..?.....   /bin/bru
    ..?.....   /bru/bru
    S.5....T c /etc/brutab
    $ ls -la /bin/bru
    -rwx--x--x   1 root     root       157396 Dec 18  1997 /bin/bru

The "rpm -V" shows no permissions difference between installed and package, and the /bin/bru program isn't setuid. It does complain about being non-setuid, but it works just the same without it.
> Many (most) users who install BRU probably never think to check if it's installed setuid. Should it be? Probably not, but it is a very real vulnerability under a default install.
If you're worried about security, you should have done the standard

    find / -perm +6000 -print

or the appropriate version thereof to find all of the setuid/gid programs on your system. Standard security practice. If it has it but doesn't need it, take it away.

-- 
Randomly Generated Tagline:
"Premature optimisation is the root of all evil." - Knuth
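The audit Theo describes (enumerate setuid/setgid binaries, decide which ones need the bit, strip it from the rest), as an added example that is not part of the original post and is not BRU's own code. It goes one step past the post's single find command: the list is compared against an allowlist of binaries that are expected to be privileged, and anything else is reported. The scratch tree, the file names under it and the allowlist in demo() are constructed for the example. One caveat the post predates: the "-perm +6000" spelling is an old GNU extension that current findutils rejects; its GNU replacement is "-perm /6000", and the "-perm -4000 -o -perm -2000" form used below works on any POSIX find.

```shell
#!/bin/sh
# Added example, not code from the original post or from BRU itself.
# Audits a tree for setuid/setgid executables, reports the ones that are
# not on an allowlist, and strips the bits from a binary that does not
# need them. The scratch tree and allowlist in demo() are constructed
# stand-ins for a real root filesystem.

# Enumerate setuid/setgid regular files under $1, one per line, sorted.
# The post's "find / -perm +6000" is an old GNU spelling that current
# findutils rejects; "-perm /6000" is the GNU replacement, and the
# "-perm -4000 -o -perm -2000" form below is the portable one.
# -xdev keeps find from wandering into /proc, NFS mounts and the like.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# True if $1 is setuid AND owned by root: the combination BRU's W171
# warning asks for, and the one that matters for privilege escalation.
is_setuid_root() {
    [ -u "$1" ] && [ -n "$(find "$1" -prune -user root -print 2>/dev/null)" ]
}

# Print privileged files under $1 that are not in the allowlist $2
# (one absolute path per line). Returns 1 if any were found, else 0.
audit_privileged() {
    extra=$(list_privileged "$1" | grep -vxF -f "$2" || :)
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# "If it has it but doesn't need it, take it away."
strip_setuid() {
    chmod u-s,g-s -- "$1"
}

# Demo on a constructed tree: a BRU-style setuid binary that the allowlist
# does not cover, two legitimately privileged binaries, and one plain one.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/usr/bin"
    : > "$d/bin/bru";        chmod 4711 "$d/bin/bru"         # setuid, like a default BRU install
    : > "$d/usr/bin/passwd"; chmod 4755 "$d/usr/bin/passwd"  # legitimately setuid
    : > "$d/usr/bin/wall";   chmod 2755 "$d/usr/bin/wall"    # legitimately setgid
    : > "$d/bin/ls";         chmod 755  "$d/bin/ls"          # neither
    printf '%s\n' "$d/usr/bin/passwd" "$d/usr/bin/wall" > "$d/allow.txt"

    echo "privileged files:";  list_privileged "$d"
    echo "not on allowlist:";  audit_privileged "$d" "$d/allow.txt" || :
    strip_setuid "$d/bin/bru"
    echo "after stripping:";   list_privileged "$d"
    rm -rf "$d"
}
demo
```

On a real system, run list_privileged against / as root (so that directories like /root are readable), keep the output under version control, and diff it after every package install; rpm -V, as in the post, only tells you whether the file still matches what the package shipped, not whether the package should have shipped it setuid in the first place.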
Current thread:
- BRU Vulnerability root (Jun 06)
- Re: BRU Vulnerability Gavrie Philipson (Jun 07)
- Re: BRU Vulnerability Jeremy Rauch (Jun 08)
- Re: BRU Vulnerability Theo Van Dinter (Jun 11)
- Re: BRU Vulnerability terry white (Jun 11)