Security problem with Solstice Backup/Legato Networker recover command
Subject: Security problem with Solstice Backup/Legato Networker recover command
From: Chris Siebenmann (cks HAWKWIND.UTCS.TORONTO.EDU)
Date: Tue Jan 04 2000 - 16:37:04 CST

The 'recover' command in Solstice Backup (Sun's relabeled version
of Legato Networker) on a Unix machine authorized to perform restore
operations from the backup server can be used by a normal user to
restore any file accessible to the machine in a readable-to-them state
(although it cannot be used to overwrite system files).

This can be used to get your own copy of /etc/shadow for password
cracking purposes, or simply to read other people's confidential files.
We have been told that there is no way to restrict a machine so that it
can perform backups but not recovers. (My group doesn't run the server,
just some client machines.)

Basic problem: the 'recover' command is an ordinary unprivileged
program. Although it attempts to perform permission checking, it is
trivial to fool it into thinking it is running as any arbitrary user,
including root, by using such methods as a LD_PRELOAD'd library that
overrides appropriate functions.

This has obvious implications for the server <-> client protocol.

Version information: our server is running Solstice Backup 5.1 with
Sun patch 106408-5 (11Aug1999 patch) which is apparently equivalent to
Legato Networker.5.1.Build.264.

- cks
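
The design issue described in the message, as an added example that is not part of the original post and is not Sun's or Legato's code: a restore authorization that trusts the identity reported by an unprivileged client program, next to one that takes the identity from a source the user cannot influence. The index entries, uids and function names are constructed for illustration, and the "verified" identity is assumed to come from a privileged agent or an authenticated session.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SavedFile:            # one entry in a constructed backup index
    path: str
    owner_uid: int
    owner_gid: int
    mode: int               # Unix permission bits as saved

@dataclass(frozen=True)
class RestoreRequest:
    path: str
    claimed_uid: int        # filled in by the unprivileged client program
    claimed_gids: tuple

# Constructed sample index, not taken from any real server.
INDEX = {f.path: f for f in (
    SavedFile("/etc/shadow", 0, 0, 0o400),
    SavedFile("/home/alice/notes.txt", 1001, 100, 0o600),
    SavedFile("/home/bob/plan.txt", 1002, 100, 0o640),
)}

def may_read(f, uid, gids):
    """Classic Unix read check against the saved owner, group and mode."""
    if uid == 0:
        return True
    if uid == f.owner_uid:
        return bool(f.mode & 0o400)
    if f.owner_gid in gids:
        return bool(f.mode & 0o040)
    return bool(f.mode & 0o004)

def authorize_trusting_client(req):
    """Flawed: the decision rests on values the requesting process supplies."""
    f = INDEX.get(req.path)
    return f is not None and may_read(f, req.claimed_uid, req.claimed_gids)

def authorize_verified(req, verified_uid, verified_gids):
    """Hardened: identity comes from outside the user's control (assumed: a
    privileged agent or authenticated session). A claim that disagrees with
    it is rejected, which also makes the mismatch available for logging."""
    f = INDEX.get(req.path)
    if f is None or req.claimed_uid != verified_uid:
        return False
    return may_read(f, verified_uid, verified_gids)
```
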
This archive was generated by hypermail 2b27 : Wed Jan 05 2000 - 17:26:57 CST