Bugtraq mailing list archives
Security Advisory: local ROOT exploit in BRU
From: support () PHOENIX CALDERASYSTEMS COM (Technical Support)
Date: Wed, 14 Jun 2000 17:32:08 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
                   Caldera Systems, Inc.  Security Advisory

Subject:                local ROOT exploit in BRU
Advisory number:        CSSA-2000-018.0
Issue date:             2000 June, 14
Cross reference:
______________________________________________________________________________


1. Problem Description

   There is a serious vulnerability in the commandline option and
   logfile handling of the BRU Backup Utility which can be exploited
   by a local attacker to gain root access to the machine.

   We ship BRU on the commercial software CD-ROM of our OpenLinux
   productline, but it's not installed by default.

2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux Desktop 2.3        up to BRU-15.1P-4

   OpenLinux eServer 2.3        not included
   and OpenLinux eBuilder

   OpenLinux eDesktop 2.4       up to BRU-15.1D-8

3. Solution

   Workaround:

   If you do not need BRU, issue as root:

     rpm -e BRU

   Otherwise remove the suid-root bit by issuing as root:

     chmod u-s /bru/bru /bin/bru

   If you want to use BRU as a normal user, you have to point the
   'BRUEXECLOG' environment variable to a file writeable by the
   user, like

   bash/sh:

     BRUEXECLOG=~/.brulog
     export BRUEXECLOG

   tcsh/csh:

     setenv BRUEXECLOG ~/.brulog

   Also do ignore the

     bru: [W171] warning - BRU must be owned by root and have suid bit set

   warning on further BRU calls.

4. OpenLinux Desktop 2.3

   See workaround above

5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0

   not included

6. OpenLinux eDesktop 2.4

   See workaround above

7. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/support/security/index.html

8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.

9. Acknowledgements

   Caldera Systems wishes to thank the Network Security department of
   Speakeasy Networks for discovering and reporting the bug, and
   Enhanced Software Technologies, Inc. for suggesting the workaround.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5R3Fl18sy83A/qfwRArQvAJ4kXFmdyA+bAEeaOkYmsfsJkhNpxACfYYxP
/TBrKh4Lxxpb/Pe9Z/pMMnw=
=K8/3
-----END PGP SIGNATURE-----
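
A way to verify that the workaround in section 3 is in place on a host, as an added example that is not part of the Caldera advisory. The paths /bru/bru and /bin/bru and the BRUEXECLOG variable come from the advisory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the section 3 workaround.

# True if the path is a regular file that still carries the setuid bit.
has_suid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Report every listed binary that is still setuid; return 1 if any is.
check_bru_suid() {
    rc=0
    for f in "$@"; do
        if has_suid "$f"; then
            echo "STILL SETUID: $f"
            rc=1
        fi
    done
    return $rc
}

# Without the suid bit, bru runs as the calling user, so BRUEXECLOG must
# name a log file that user can write (or create, if it does not exist yet).
check_bru_log() {
    log=${BRUEXECLOG:-}
    if [ -z "$log" ]; then
        echo "BRUEXECLOG is not set"
        return 1
    fi
    if [ -e "$log" ] && [ ! -f "$log" ]; then
        echo "BRUEXECLOG=$log is not a regular file"
        return 1
    fi
    if [ -e "$log" ]; then
        target=$log                  # existing log must itself be writable
    else
        target=$(dirname "$log")     # otherwise its directory must be
    fi
    if [ -w "$target" ]; then
        return 0
    fi
    echo "BRUEXECLOG=$log is not writable by $(id -un)"
    return 1
}

# Audit the two binary paths named in the advisory.
if check_bru_suid /bru/bru /bin/bru; then
    echo "OK: no setuid bit on /bru/bru or /bin/bru"
fi
```

Run check_bru_log as the unprivileged user who will invoke bru, since the writability test applies to the calling user.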