Re: [Networker] Security vulnerabilities in NetWorker -- what's being done?!!!

2003-04-21 19:46:50
Subject: Re: [Networker] Security vulnerabilities in NetWorker -- what's being done?!!!
From: George Sinclair <George.Sinclair AT NOAA DOT GOV>
To: NETWORKER AT LISTMAIL.TEMPLE DOT EDU
Date: Mon, 21 Apr 2003 19:46:46 -0400
I think I may have been talking about an older known exploit. There were
some issues with IP spoofing and recover or log files. I guess the log
file bug was fixed in 6.1.1.

George

George Sinclair wrote:
>
> Hi,
>
> I have a very basic gripe/question regarding NetWorker. What's the deal
> with this still present vulnerability in the nsrexecd daemon that allows
> local host to connect?!!! Any user who can download a copy of the
> nsrexec program can easily compromise security by gaining root access by
> fooling the nsrexecd daemon into thinking he or she is root. The
> nsrexecd daemon believes whatever nsrexec tells it -- I believe it uses
> getuid -- so all one has to do is something like maybe loading your own
> customized library path before the one that would normally get loaded by
> the system and presto, you're root as far as nsrexecd is concerned which
> can be told to do whatever nsrexec asks like launching a root shell. In
> fact, you could just pass the necessary strings directly to the daemon.
> I know this has been better explained and documented elsewhere on the
> web, but this is really bad, and we were told sometime ago that the
> problem would be addressed in 7.2. Gee, 7.0 is barely out, and I
> wouldn't trust it until it's tested its mettle as far as just basic
> bugs.
>
> What are we to do? I can't believe that NetWorker couldn't fix this
> problem. All they need to do is just have the nsrexecd place a secret
> somewhere that is accessible only by root and then have nsrexec prove
> that it's being run by root by asking for the secret. If nsrexec is
> really running as root, it could access the secret. Clearly, this
> program could be made way safer -- not foolproof -- but wayyyy safer. In
> fact, a drunken child with any C programming skills could probably fix
> this real quick. Why hasn't Legato done something about this? Maybe they
> have, and I'm just mistaken?
>
> How are people protecting themselves against this vulnerability?! What
> are we to do? I can't very well remove nsrexecd from the clients. It
> seems to me that the only way to fix this is to re-write or patch
> nsrexecd, but without the code we're screwed. It doesn't matter how up
> to speed you are on OS security. I can't think of any way to make the
> system safe against this exploit except not running nsrexecd -- only the
> most necessary piece in the NetWorker backup suite! If there was just
> some way to prevent people from connecting to the nsrexec daemon unless
> they were root. Hmmm... Is there any way this could be wrapped somehow
> or maybe run over an encrypted channel (ssh) where only root could open
> the session. Does anyone have any ideas? This is particularly bad for
> machines outside firewalls.
>
> George
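The root-only-secret idea from George's message, as an added example that is neither NetWorker's code nor the poster's: a constructed daemon-side check that first trusts the client's self-reported uid (the design complained about above) and then instead requires the client to prove it can read a 0600 secret file, going one step further than the post by answering an HMAC challenge rather than sending the secret itself. The file name, function names and all requests are assumptions.

```python
import hashlib, hmac, os, secrets, stat, tempfile

# Weak design from the thread: the daemon believes the uid the client
# reports about itself, so a client that says "uid 0" is treated as root.
def weak_authorize(request: dict) -> bool:
    return request.get("uid") == 0

# Hardened design: the secret lives in a file only root can read (0600) and
# the client proves it can read it by answering a fresh HMAC challenge, so
# the secret never crosses the wire and a captured answer cannot be replayed.
def install_secret(path: str) -> bytes:
    secret = secrets.token_bytes(32)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC,
                 stat.S_IRUSR | stat.S_IWUSR)  # 0600, owned by the daemon user
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    return secret

def proof_for(secret: bytes, challenge: bytes, uid: int) -> bytes:
    return hmac.new(secret, challenge + uid.to_bytes(4, "big"),
                    hashlib.sha256).digest()

def client_proof(secret_path: str, challenge: bytes, uid: int) -> bytes:
    # Only a process able to open the root-only file can compute this.
    with open(secret_path, "rb") as f:
        return proof_for(f.read(), challenge, uid)

def strong_authorize(secret: bytes, challenge: bytes, request: dict) -> bool:
    if request.get("uid") != 0:
        return False
    expected = proof_for(secret, challenge, 0)
    # Constant-time compare; a missing, forged or stale proof is rejected.
    return hmac.compare_digest(expected, request.get("proof", b""))

def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "nsr_root_secret")  # hypothetical file name
        secret = install_secret(path)
        challenge = secrets.token_bytes(16)  # fresh per connection
        forged = {"uid": 0}  # self-reported uid, no proof
        guessed = {"uid": 0, "proof": proof_for(b"wrong", challenge, 0)}
        replayed = {"uid": 0, "proof": client_proof(path, secrets.token_bytes(16), 0)}
        genuine = {"uid": 0, "proof": client_proof(path, challenge, 0)}
        return {
            "weak_accepts_forged": weak_authorize(forged),
            "strong_accepts_forged": strong_authorize(secret, challenge, forged),
            "strong_accepts_guessed": strong_authorize(secret, challenge, guessed),
            "strong_accepts_replayed": strong_authorize(secret, challenge, replayed),
            "strong_accepts_genuine": strong_authorize(secret, challenge, genuine),
        }
```

On a real host the secret file would be created by the daemon as root, so only a client actually running as root can open it; the temporary directory here only stands in for that.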
