Vulnerability Note VU#960877

Red Hat linux restore uses insecure environment variables allowing root compromise

Original Release date: 21 Aug 2001 | Last revised: 21 Aug 2001


Some implementations of the Linux restoration utility, restore, call external programs on remote machines via the RSH environment variable. This may permit an attacker to compromise root if restore is setuid root.


Some implementations of the Linux restoration utility, restore, permit use of storage devices on remote machines via an access program on the local machine. This access program is identified in the RSH environment variable. The value in the environment variable is not validated for security prior to its use in calling a program. In some implementations, restore is protected setuid root.


By specifying a shell script of their own devising, malicious local users can exploit the setuid protection on restore to secure root access for themselves to execute arbitrary commands.


Apply vendor patches; see the Systems Affected section below.

Remove the setuid protection from restore.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
RedHatAffected31 Oct 200023 Jul 2001
DebianNot Affected16 Jul 200123 Jul 2001
EngardeNot Affected16 Jul 200123 Jul 2001
OpenBSDNot Affected16 Jul 200123 Jul 2001
SGINot Affected16 Jul 200116 Jul 2001
Hewlett PackardUnknown16 Jul 200107 Aug 2001
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This vulnerability was first reported through discussion on Bugtraq .

This document was last modified by Tim Shimeall.

Other Information

  • CVE IDs: CAN-2000-1125
  • Date Public: 04 Nov 2000
  • Date First Published: 21 Aug 2001
  • Date Last Updated: 21 Aug 2001
  • Severity Metric: 20.06
  • Document Revision: 10


If you have feedback, comments, or additional information about this vulnerability, please send us email.