Vulnerability Note VU#960877

Red Hat linux restore uses insecure environment variables allowing root compromise

Overview

Some implementations of the Linux restoration utility, restore, call external programs on remote machines via the RSH environment variable. This may permit an attacker to compromise root if restore is setuid root.

I. Description

Some implementations of the Linux restoration utility, restore, permit use of storage devices on remote machines via an access program on the local machine. This access program is identified in the RSH environment variable. The value in the environment variable is not validated for security prior to its use in calling a program. In some implementations, restore is protected setuid root.

II. Impact

By specifying a shell script of their own devising, malicious local users can exploit the setuid protection on restore to secure root access for themselves to execute arbitrary commands.

III. Solution

Apply vendor patches; see the Systems Affected section below.

Remove the setuid protection from restore.

Systems Affected

Vendor	Status	Date Updated
Debian	Not Vulnerable	23-Jul-2001
Engarde	Not Vulnerable	23-Jul-2001
Hewlett Packard	Unknown	7-Aug-2001
OpenBSD	Not Vulnerable	23-Jul-2001
RedHat	Vulnerable	23-Jul-2001
SGI	Not Vulnerable	16-Jul-2001

References

http://www.kb.cert.org/vuls/id/153653
http://www.securityfocus.com/bid/1914

Credit

This vulnerability was first reported through discussion on Bugtraq .

This document was last modified by Tim Shimeall.

Other Information

Date Public	11/04/2000
Date First Published	08/21/2001 09:09:56 AM
Date Last Updated	08/21/2001
CERT Advisory
CVE Name	CAN-2000-1125
Metric	20.06
Document Revision	10

If you have feedback, comments, or additional information about this vulnerability, please send us email.