Bugtraq mailing list archives
Linux RedHat dump security hole
From: davem+ () andrew cmu edu (David J Meltzer)
Date: Tue, 23 Jan 1996 11:16:00 -0500
There is a security hole in RedHat 2.1, which installs /sbin/dump suid root. The dump program makes no provisions for checking file permissions, allowing any user on the system to read arbitrary files on the system. Dump checks permissions only on the directory you specify to backup, and not on files or subdirectories. The process to exploit this is to backup the files via dump as if it was a normal backup to a temporary file, and then restore the temporary file with /sbin/restore to your own directory. The solution is simple, don't run dump suid root on your system. Program: /sbin/dump incorrectly installed Affected Operating Systems: RedHat 2.1 linux distribution Requirements: account on system Patch: chmod -s /sbin/dump Security Compromise: read arbitrary files on system Author: Dave M. (davem () cmu edu) Synopsis: dump fails to check file permissions against user running dump, or to give up suid when backing up a filesystem. Exploit: $ /sbin/dump 0uf woot.dump DIRECTORY_FILE_TO_READ_IS_IN /-------------\ |David Meltzer| |davem () cmu edu| /--------------------------\ |School of Computer Science| |Carnegie Mellon University| \--------------------------/
Current thread:
- Re: World writable devices in Irix? Lack Mr G M (Jan 02)
- Re: World writable devices in Irix? Douglas Siebert (Jan 03)
- Linux: dip security hole Dan Walters (Jan 21)
- Linux RedHat dump security hole David J Meltzer (Jan 23)
- <Possible follow-ups>
- Re: World writable devices in Irix? Brad Powell (Jan 03)
- Linux SPLITVT bug (again) ALEXANDER SCHUETZ (Jan 04)