BID:1871

Multiple Vendor dump Insecure Environment Variables Vulnerability

Info

Multiple Vendor dump Insecure Environment Variables Vulnerability

Bugtraq ID:	1871
Class:	Input Validation Error
CVE:	CVE-2000-1009
Remote:	No
Local:	Yes
Published:	Oct 31 2000 12:00AM
Updated:	Jul 11 2009 03:56AM
Credit:	This vulnerability was first publicly released to BugTraq by [email protected] on October 31, 2000.
Vulnerable:	Wirex Immunix OS 6.2 Trustix Secure Linux 1.1 Redhat dump 0.4 b15-1 + Redhat Linux 6.2 sparc + Redhat Linux 6.2 i386 + Redhat Linux 6.2 alpha NetBSD NetBSD 1.5.1 NetBSD NetBSD 1.5

Not Vulnerable:	Redhat Linux 7.0 NetBSD NetBSD 1.5.2 Mandriva Linux Mandrake 7.1 Mandriva Linux Mandrake 7.0 Mandriva Linux Mandrake 6.1 Mandriva Linux Mandrake 6.0

Discussion

Multiple Vendor dump Insecure Environment Variables Vulnerability

dump is a utility included with various UNIX clones for the purpose of dumping filesystems. A vulnerability exists in the dump package that allows suid execution of other executables.

The dump command is dependent upon the RSH and TAPE environment variables for proper execution in Linux, and the RCMD_CMD environment variable in NetBSD. It is possible for a malicious user to set the RSH or RCMD_CMD environment variable path to any executable. Upon execution of dump program, the file referenced in the path of the environment variable will be executed with suid root priviledges. Successful exploitation of this vulnerability results in root compromise.

Exploit / POC

Solution / Fix

Multiple Vendor dump Insecure Environment Variables Vulnerability

Solution:
Patches available:

Redhat dump 0.4 b15-1

Red Hat Inc. 5.2 alpha dump-0.4b19-5.5x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/dump-0.4b19-5.5x.alpha.rpm

Red Hat Inc. 5.2 alpha dump-static-0.4b19-5.5x.alpha.rpm
http://www.securityfocus.com/external/ftp://updates.redhat.com/5.2/alp ha/dump-static-0.4b19-5.5x.alpha.rpm

Red Hat Inc. 5.2 alpha rmt-0.4b19-5.5x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/rmt-0.4b19-5.5x.alpha

Red Hat Inc. 5.2 i386 dump-0.4b19-5.5x.i386.rpm
ftp://updates.redhat.com/5.2/i386/dump-0.4b19-5.5x.i386.rpm

Red Hat Inc. 5.2 i386 dump-static-0.4b19-5.5x.i386.rpm
ftp://updates.redhat.com/5.2/i386/dump-static-0.4b19-5.5x.i386.rpm

Red Hat Inc. 5.2 i386 rmt-0.4b19-5.5x.i386.rpm
ftp://updates.redhat.com/5.2/i386/rmt-0.4b19-5.5x.i386.rpm

Red Hat Inc. 5.2 source dump-0.4b19-5.5x.src.rpm
ftp://updates.redhat.com/5.2/SRPMS/dump-0.4b19-5.5x.src.rpm

Red Hat Inc. 5.2 sparc dump-0.4b19-5.5x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/dump-0.4b19-5.5x.sparc.rpm

Red Hat Inc. 5.2 sparc dump-static-0.4b19-5.5x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/dump-static-0.4b19-5.5x.sparc.rpm

Red Hat Inc. 5.2 sparc rmt-0.4b19-5.5x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/rmt-0.4b19-5.5x.sparc.rpm

Red Hat Inc. 6.2 alpha dump-0.4b19-5.6x.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/dump-0.4b19-5.6x.alpha.rpm

Red Hat Inc. 6.2 alpha dump-static-0.4b19-5.6x.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/dump-static-0.4b19-5.6x.alpha.rpm

Red Hat Inc. 6.2 alpha rmt-0.4b19-5.6x.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/rmt-0.4b19-5.6x.alpha.rpm

Red Hat Inc. 6.2 i386 dump-0.4b19-5.6x.i386.rpm
ftp://updates.redhat.com/6.2/i386/dump-0.4b19-5.6x.i386.rpm

Red Hat Inc. 6.2 i386 dump-static-0.4b19-5.6x.i386.rpm
ftp://updates.redhat.com/6.2/i386/dump-static-0.4b19-5.6x.i386.rpm

Red Hat Inc. 6.2 i386 rmt-0.4b19-5.6x.i386.rpm
ftp://updates.redhat.com/6.2/i386/rmt-0.4b19-5.6x.i386.rpm

Red Hat Inc. 6.2 source dump-0.4b19-5.6x.src.rpm
ftp://updates.redhat.com/6.2/SRPMS/dump-0.4b19-5.6x.src.rpm

Red Hat Inc. 6.2 sparc dump-0.4b19-5.6x.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/dump-0.4b19-5.6x.sparc.rpm

Red Hat Inc. 6.2 sparc dump-static-0.4b19-5.6x.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/dump-static-0.4b19-5.6x.sparc.rpm

Red Hat Inc. 6.2 sparc rmt-0.4b19-5.6x.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/rmt-0.4b19-5.6x.sparc.rpm

NetBSD NetBSD 1.5

NetBSD SA2001-014-dump-1.5.patch
ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-014-dump-1.5.p atch

NetBSD NetBSD 1.5.1

NetBSD SA2001-014-dump-1.5.patch
ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-014-dump-1.5.p atch

Wirex Immunix OS 6.2

Wirex 6.2 i386 dump-0.4b19-5.6x_StackGuard.i386.rpm
http://immunix.org/ImmunixOS/6.2/updates/RPMS/dump-0.4b19-5.6x_StackGu ard.i386.rpm

WireX 6.2 i386 dump-static-0.4b19-5.6x_StackGuard.i386.rpm
http://immunix.org/ImmunixOS/6.2/updates/RPMS/dump-static-0.4b19-5.6x_ StackGuard.i386.rpm

References

Multiple Vendor dump Insecure Environment Variables Vulnerability

References: