Bugtraq mailing list archives
Security problem with Solstice Backup/Legato Networker recover command
From: cks () HAWKWIND UTCS TORONTO EDU (Chris Siebenmann)
Date: Tue, 4 Jan 2000 17:37:04 -0500
The 'recover' command in Solstice Backup (Sun's relabeled version of Legato Networker) on a Unix machine authorized to perform restore operations from the backup server can be used to by a normal user to restore any file accessible to the machine in a readable-to-them state (although it cannot be used to overwrite system files). This can be used to get your own copy of /etc/shadow for password cracking purposes, or simply to read other people's confidential files. We have been told that there is no way to restrict a machine so that it can perform backups but not recovers. (My group doesn't run the server, just some client machines.) Basic problem: the 'recover' command is an ordinary unprivileged program. Although it attempts to perform permission checking, it is trivial to fool it into thinking it is running as any arbitrary user, including root, by using such methods as a LD_PRELOAD'd library that overrides appropriate functions. This has obvious implications for the server <-> client protocol. Version information: our server is running Solstice Backup 5.1 with Sun patch 106408-5 (11Aug1999 patch) which is apparently equivalent to Legato Networker.5.1.Build.264. - cks
Current thread:
- Re: Symlinks and Cryogenic Sleep, (continued)
- Re: Symlinks and Cryogenic Sleep Olaf Kirch (Jan 04)
- Re: Symlinks and Cryogenic Sleep Henrik Nordstrom (Jan 04)
- First Telecom E-conso service totally insecure Thomas Quinot (Jan 03)
- Re: Symlinks and Cryogenic Sleep Goetz Babin-Ebell (Jan 04)
- Re: Symlinks and Cryogenic Sleep pedward () WEBCOM COM (Jan 04)
- Re: Symlinks and Cryogenic Sleep Christos Zoulas (Jan 04)
- Re: Symlinks and Cryogenic Sleep Mikael Olsson (Jan 05)
- Re: Symlinks and Cryogenic Sleep Marc Heuse (Jan 05)
- Re: Symlinks and Cryogenic Sleep Wietse Venema (Jan 04)
- Re: Symlinks and Cryogenic Sleep Pavel Machek (Jan 04)
- Security problem with Solstice Backup/Legato Networker recover command Chris Siebenmann (Jan 04)
- Local / Remote D.o.S Attack in IMail IMONITOR Server for WinNT Version 5.08 Ussr Labs (Jan 05)
- Re: Symlinks and Cryogenic Sleep Pavel Kankovsky (Jan 05)
- [RHSA-2000:002] New lpr packages available Bill Nottingham (Jan 07)
- Re: Symlinks and Cryogenic Sleep der Mouse (Jan 03)
- Re: Symlinks and Cryogenic Sleep Marc Heuse (Jan 04)
- Re: Symlinks and Cryogenic Sleep John Cochran (Jan 04)
- Re: Symlinks and Cryogenic Sleep Antonomasia (Jan 04)
- Re: Symlinks and Cryogenic Sleep Antonomasia (Jan 05)