Overview
Some implementations of the Linux restoration utility, restore, call external programs on remote machines via the RSH environment variable. This may permit an attacker to compromise root if restore is setuid root.
Description
Some implementations of the Linux restoration utility, restore, permit use of storage devices on remote machines via an access program on the local machine. This access program is identified in the RSH environment variable. The value in the environment variable is not validated for security prior to its use in calling a program. In some implementations, restore is protected setuid root. |
Impact
By specifying a shell script of their own devising, malicious local users can exploit the setuid protection on restore to secure root access for themselves to execute arbitrary commands. |
Solution
Apply vendor patches; see the Systems Affected section below. |
Remove the setuid protection from restore. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
This vulnerability was first reported through discussion on Bugtraq .
This document was last modified by Tim Shimeall.
Other Information
| CVE IDs: | CVE-2000-1125 |
| Severity Metric: | 20.06 |
| Date Public: | 2000-11-04 |
| Date First Published: | 2001-08-21 |
| Date Last Updated: | 2001-08-21 13:10 UTC |
| Document Revision: | 10 |