Star can call external programs specified by the RSH environment variable. This may permit a malicious local user to gain elevated privileges.
Star is a tape archiving program similar to tar. Star permits the use of storage devices on remote machines via an access program on the local machine. This access program is specified in the RSH environment variable. Star fails to drop the effective user ID (euid) when calling the program specified by the RSH environment variable.
By specifying a shell script of their own devising, malicious local users can execute arbitrary code with permissions of the star program. If star is suid root, the arbitrary code will run with root permissions.
This issue is resolved in star 1.5a46, available at the star download page.
In general, do not run programs as setuid root if such a permission level is not required.
Thanks to Joerg Schilling for reporting this vulnerability.
|Date First Published:||2004-09-16|
|Date Last Updated:||2004-09-17 18:44 UTC|