Bugtraq mailing list archives

Security problem with Solstice Backup/Legato Networker recover command


From: cks () HAWKWIND UTCS TORONTO EDU (Chris Siebenmann)
Date: Tue, 4 Jan 2000 17:37:04 -0500


 The 'recover' command in Solstice Backup (Sun's relabeled version
of Legato Networker) on a Unix machine authorized to perform restore
operations from the backup server can be used by a normal user to
restore any file accessible to the machine in a readable-to-them state
(although it cannot be used to overwrite system files).

 This can be used to get your own copy of /etc/shadow for password
cracking purposes, or simply to read other people's confidential files.

 We have been told that there is no way to restrict a machine so that it
can perform backups but not recovers. (My group doesn't run the server,
just some client machines.)

 Basic problem: the 'recover' command is an ordinary unprivileged
program. Although it attempts to perform permission checking, it is
trivial to fool it into thinking it is running as any arbitrary user,
including root, by using such methods as a LD_PRELOAD'd library that
overrides appropriate functions.

 This has obvious implications for the server <-> client protocol.

 Version information: our server is running Solstice Backup 5.1 with
Sun patch 106408-5 (11Aug1999 patch) which is apparently equivalent to
Legato Networker.5.1.Build.264.

        - cks
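
Added example, not part of the original post and not Solstice Backup/Networker code: a Python model of why a uid computed inside the caller's own unprivileged process is only a claim, compared with a local helper that asks the kernel for the caller's uid (Linux SO_PEERCRED on a Unix-domain socket). The file index, the function names and the helper design are assumptions made for illustration.

```python
import os
import socket
import struct

# Constructed backup index: path -> (owner uid, mode bits). Not real data.
INDEX = {
    "/etc/shadow": (0, 0o400),
    "/home/alice/notes.txt": (1001, 0o600),
    "/etc/motd": (0, 0o644),
}

def may_read(uid, path):
    """Owner/other read check against the constructed index (groups omitted)."""
    owner, mode = INDEX[path]
    if uid == 0:
        return True
    if uid == owner:
        return bool(mode & 0o400)
    return bool(mode & 0o004)

def authorize_claimed(request, path):
    """Weak: the uid was computed by the requesting process, so it is only a claim."""
    return may_read(request["uid"], path)

def peer_uid(conn):
    """uid the kernel recorded for the peer of a Unix-domain socket."""
    size = struct.calcsize("iII")  # struct ucred: pid, uid, gid
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, size)
    _pid, uid, _gid = struct.unpack("iII", raw)
    return uid

def authorize_peer(conn, request, path):
    """Stronger: ignore request['uid'] and decide on the kernel-reported uid."""
    return may_read(peer_uid(conn), path)

def demo():
    # Both socket ends live in this process, standing in for client and helper.
    client, helper = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        request = {"uid": 0}  # constructed request carrying a false uid claim
        return {"weak": authorize_claimed(request, "/etc/shadow"),
                "strong": authorize_peer(helper, request, "/etc/shadow"),
                "kernel_uid": peer_uid(helper),
                "real_uid": os.getuid()}
    finally:
        client.close()
        helper.close()

if __name__ == "__main__":
    print(demo())
```
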

