[Networker] Security vulnerabilities in NetWorker -- what's being done?!!!

Subject: [Networker] Security vulnerabilities in NetWorker -- what's being done?!!!
From: George Sinclair <George.Sinclair AT NOAA DOT GOV>
To: NETWORKER AT LISTMAIL.TEMPLE DOT EDU
Date: Mon, 21 Apr 2003 11:40:24 -0400
Hi,

I have a very basic gripe/question regarding NetWorker. What's the deal
with this still present vulnerability in the nsrexecd daemon that allows
local host to connect?!!! Any user who can download a copy of the
nsrexec program can easily compromise security by gaining root access by
fooling the nsrexecd daemon into thinking he or she is root. The
nsrexecd daemon believes whatever nsrexec tells it -- I believe it uses
getuid -- so all one has to do is something like maybe loading your own
customized library path before the one that would normally get loaded by
the system and presto, you're root as far as nsrexecd is concerned which
can be told to do whatever nsrexec asks like launching a root shell. In
fact, you could just pass the necessary strings directly to the daemon.
I know this has been better explained and documented elsewhere on the
web, but this is really bad, and we were told some time ago that the
problem would be addressed in 7.2. Gee, 7.0 is barely out, and I
wouldn't trust it until it's tested its mettle as far as just basic
bugs.

What are we to do? I can't believe that NetWorker couldn't fix this
problem. All they need to do is just have the nsrexecd place a secret
somewhere that is accessible only by root and then have nsrexec prove
that it's being run by root by asking for the secret. If nsrexec is
really running as root, it could access the secret. Clearly, this
program could be made way safer -- not foolproof -- but wayyyy safer. In
fact, a drunken child with any C programming skills could probably fix
this real quick. Why hasn't Legato done something about this? Maybe they
have, and I'm just mistaken?

How are people protecting themselves against this vulnerability?! What
are we to do? I can't very well remove nsrexecd from the clients. It
seems to me that the only way to fix this is to re-write or patch
nsrexecd, but without the code we're screwed. It doesn't matter how up
to speed you are on OS security. I can't think of any way to make the
system safe against this exploit except not running nsrexecd -- only the
most necessary piece in the NetWorker backup suite! If there was just
some way to prevent people from connecting to the nsrexec daemon unless
they were root. Hmmm... Is there any way this could be wrapped somehow
or maybe run over an encrypted channel (ssh) where only root could open
the session. Does anyone have any ideas? This is particularly bad for
machines outside firewalls.

George

--
Note: To sign off this list, send a "signoff networker" command via email
to listserv AT listmail.temple DOT edu or visit the list's Web site at
http://listmail.temple.edu/archives/networker.html where you can
also view and post messages to the list.
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
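The fix George sketches above (the daemon keeps a secret that only root can read, and the client proves it is root by showing it knows the secret) can be illustrated with a small standalone model. This is an added example, not NetWorker code and not anything Legato shipped; it goes one step beyond the post by proving knowledge of the secret with an HMAC over a fresh nonce rather than sending the secret itself, so the secret never crosses the connection and an observed answer cannot be replayed. The file name, the `Daemon` and client functions, and the secret file under a temporary directory are all constructed for the demo; in a real deployment the file would be owned by root with mode 0400, which is what makes "can read the file" equivalent to "is root".

```python
import hashlib
import hmac
import os
import secrets
import tempfile

# Constructed demo value: a real daemon would use a root-owned file
# with mode 0400 (placeholder name, not a NetWorker path).
SECRET_FILE_NAME = "nsrexec.secret"
SECRET_FILE_MODE = 0o400


def install_secret(path):
    """Create the shared secret so that only the file owner can read it.

    In production the owner is root, so only a root-run client can read it.
    Here the owner is whoever runs the demo, which is enough to show the flow.
    """
    key = secrets.token_bytes(32)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, SECRET_FILE_MODE)
    with os.fdopen(fd, "wb") as f:
        f.write(key)
    return key


def read_secret(path):
    with open(path, "rb") as f:
        return f.read()


def legacy_daemon_accepts(claimed_uid):
    """The trust model the post complains about: the daemon believes the uid
    the client reports about itself, so a client that merely *claims* uid 0
    is treated as root."""
    return claimed_uid == 0


class Daemon:
    """Hardened model: the daemon never looks at a client-asserted uid.
    It issues a random nonce and accepts only a correct HMAC of that nonce
    keyed with the root-only secret."""

    def __init__(self, secret_path):
        self.secret = read_secret(secret_path)

    def challenge(self):
        # Fresh per connection; a captured answer is useless for the next one.
        return secrets.token_bytes(16)

    def verify(self, nonce, response):
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return response is not None and hmac.compare_digest(expected, response)


def client_response(secret_path, nonce):
    """What a client does: read the secret (succeeds only for its owner)
    and answer the challenge. A non-root client gets PermissionError."""
    try:
        key = read_secret(secret_path)
    except PermissionError:
        return None
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo():
    """Run the four cases and return their outcomes as a dict."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, SECRET_FILE_NAME)
        install_secret(path)
        daemon = Daemon(path)

        nonce = daemon.challenge()
        good = daemon.verify(nonce, client_response(path, nonce))

        # An impostor without the secret can only guess the key.
        impostor = hmac.new(b"not-the-secret", nonce, hashlib.sha256).digest()
        forged = daemon.verify(nonce, impostor)

        # A correct answer for one nonce does not pass a later challenge.
        replayed = daemon.verify(daemon.challenge(), client_response(path, nonce))

        return {
            "legacy_accepts_claimed_root": legacy_daemon_accepts(0),
            "secret_holder_accepted": good,
            "impostor_rejected": not forged,
            "replay_rejected": not replayed,
        }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of the model is the contrast between `legacy_daemon_accepts`, which has nothing to check but the caller's word, and `Daemon.verify`, whose only input of trust is a file the kernel will refuse to open for a non-root process. As the post notes this is not foolproof on its own: it assumes the secret file's permissions are correct and that the daemon's own process is not compromised.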
