Vulnerability Note VU#153653

Overview

Some implementations of the Linux backup utility, dump, call external programs on remote machines via the RSH environment variable. This may permit an attacker to compromise root if dump is setuid root.

Description

Some implementations of the Linux backup utility, dump, permit use of backup devices on remote machines via an access program on the local machine. This access program is identified in the RSH environment variable. The value in the environment variable is not validated for security prior to its use in calling a program. In some implementations, dump is protected setuid root.

Impact

By specifying a shell script of their own devising, malicious local users can exploit the setuid protection on dump to secure root access for themselves to execute arbitrary commands.

Solution

Apply vendor patches; see the Systems Affected section below.

Remove suid protection from dump.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Conectiva	Not Vulnerable	31 Oct 2000	20 Apr 2002
Debian	Not Vulnerable	16 Jul 2001	20 Apr 2002
Engarde	Not Vulnerable	16 Jul 2001	20 Apr 2002
Hewlett Packard	Unknown	16 Jul 2001	20 Apr 2002
MandrakeSoft	Not Vulnerable	31 Oct 2000	20 Apr 2002
OpenBSD	Not Vulnerable	16 Jul 2001	20 Apr 2002
RedHat	Vulnerable	31 Oct 2000	20 Apr 2002
SGI	Not Vulnerable	16 Jul 2001	20 Apr 2002

CVSS Metrics (Learn More)

Group	Score	Vector
Base	N/A	N/A
Temporal	N/A	N/A
Environmental	N/A	N/A

References

• http://www.kb.cert.org/vuls/id/960877
• http://www.securityfocus.com/bid/1871
• http://www.linuxsecurity.com/advisories/redhat_advisory-849.html
• http://xforce.iss.net/static/5437.php

Credit

This vulnerability was first reported throught discussion on Bugtraq

This document was last modified by Tim Shimeall.

Other Information

• CVE IDs: CAN-2000-1009
• Date Public: 31 Oct 2000
• Date First Published: 21 Aug 2001
• Date Last Updated: 21 Aug 2001
• Severity Metric: 18.88
• Document Revision: 9

Was this document helpful?   Yes   |   Somewhat   |  No