CERT home
vulnerabilities & fixesevaluations & practicesresearch & analysistraining & education
homesearchFAQsite indexcontact
Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information
 

 View Notes By
Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric

Vulnerability Note VU#153653

Linux dump uses environment variables insecurely, allowing for root compromise

Overview

Some implementations of the Linux backup utility, dump, call external programs on remote machines via the RSH environment variable. This may permit an attacker to compromise root if dump is setuid root.

I. Description

Some implementations of the Linux backup utility, dump, permit use of backup devices on remote machines via an access program on the local machine. This access program is identified in the RSH environment variable. The value in the environment variable is not validated for security prior to its use in calling a program. In some implementations, dump is protected setuid root.

II. Impact

By specifying a shell script of their own devising, malicious local users can exploit the setuid protection on dump to secure root access for themselves to execute arbitrary commands.

III. Solution

Apply vendor patches; see the Systems Affected section below.

Remove suid protection from dump.

Systems Affected

VendorStatusDate Updated
ConectivaNot Vulnerable3-Jul-2001
DebianNot Vulnerable23-Jul-2001
EngardeNot Vulnerable23-Jul-2001
Hewlett PackardUnknown7-Aug-2001
MandrakeSoftNot Vulnerable3-Jul-2001
OpenBSDNot Vulnerable16-Jul-2001
RedHatVulnerable3-Jul-2001
SGINot Vulnerable16-Jul-2001

References

http://www.kb.cert.org/vuls/id/960877
http://www.securityfocus.com/bid/1871
http://www.linuxsecurity.com/advisories/redhat_advisory-849.html
http://xforce.iss.net/static/5437.php

Credit

This vulnerability was first reported throught discussion on Bugtraq

This document was last modified by Tim Shimeall.

Other Information

Date Public10/31/2000
Date First Published08/21/2001 09:07:42 AM
Date Last Updated08/21/2001
CERT Advisory 
CVE NameCAN-2000-1009
Metric18.88
Document Revision9

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Copyright 2001 Carnegie Mellon University