Re: Amanda multiple vendor local root compromises

[vectro () PIPELINE COM (Ian Turner)]

On Sat, 30 Oct 1999, Tellier, Brock wrote:

> Greetings,
>
> OVERVIEW:
> The Amanda backup package has a several vulnerabilities which
> will allow any user to gain root privs.
>
> BACKGROUND:
> My tests were done ONLY on FreeBSD 3.3-RELEASE, though this is almost
> certainly not the only vulnerable OS.  A search for "amanda-2 and not
> freebsd" on altavista yields preliminary, unconfirmed data that some of
> the vulnerable OS's (based on packages that are included on install
> CD's, anyone can install Amanda to make themselves vulnerable) may be:
> RedHat ?.?, TurboLinux, PowerTools CD, SuSE 6.2 Confirmation on which
> OS's/tar's are vulnerable would be useful.
>
> DETAILS:
>
> Amanda's "runtar" program, suid root by default on FreeBSD 3.3, calls
> /usr/bin/tar and passes all args given to runtar to this program. Tar is
>
> thus run with root permissions and is vulnerable to all of the same
> attacks on suid programs that it would have if it were suid itself.
>
> Vuln #1 - run tar as root
>
> Since tar is run with root permissions, you are free to tar up any file
> you wish, including /etc/master.passwd.  You may also untar any file you
>
> wish, to any location on the system, including /etc/master.passwd.  This
>
> does not require any exploit kung-fu and may be done by supplying args
> to tar/runtar as if you were root.

This is almost true. This exploit can only be performed as the user amanda
is installed under (generally amanda, operator, or bin), because by
default the file has the following permissions:
$ ls -l /usr/local/libexec/runtar
-rwsr-x---   1 root     amanda      46568 Oct 26 00:21 /usr/local/libexec/runtar

> Vuln #1.1 - tar contains a buffer overflow
>
> Obtaining root via buffer overflow here is redundant, of course, but it
> illustrates the point that even if tar's capabilities weren't able to
> gain root
> privs, the buffer overflow would still allow you to do so. An overflow
> exists *IN TAR* which will allow any user to execute commands as root.
> Note that an overflow in tar isn't an immediate security flaw
> since it is never suid/sgid, but it goes to show that one should do
> security audits of all the programs one calls with user input. By
> passing
> a long string to runtar in the form "/usr/local/libexec/amanda/runtar
> cvf
> $400bytes:bah" we can execute our commands.  FreeBSD exploit attached
> below.

Same as above, this can only be done by the amanda usaer.

> Vuln #2 - symlink problem
>
> Not quite as serious, but a concern nonetheless.  When the amandad
> daemon
> is run, a bin-owned file called "amandad.debug" in /tmp.  By creating
> a symlink from /tmp/amandad.debug to any other file, we will force
> amandad
> to clobber the contents with that of amandad's debug info.  Note that
> amandad is not suid/sgid, but it is often run with root perms at startup
>
> or via scripts.
>
> WHO IS VULNERABLE:
> Anyone running a suid version of runtar should be suspicious.  I've not
> tested any other O.S.'s except FreeBSD 3.3, which includes amanda 2.3.0
> and 2.4.1 as "additional packages" on the install CD and tar-1.11.2.
>
>
> EXPLOIT:
(snip)

If your amanda is properly installed, then it is as a user amanda, bin, or
operator, none of which should be accessible from a regular user. If this
account is compromised, then security is irrelevant because amanda need to
be able to read the raw disk files (to do backups) and thus would be able
to get /etc/shadow (or the local equivalent) without much work.

Ian Turner