Bug 2167744 (CVE-2022-37705)

Summary: CVE-2022-37705 amanda: runtar: crafted arguments can lead to local privilege escalation
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: jridky, pcahyna
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Amanda. The `runtar` SUID binary executes /usr/bin/tar as root without properly validating its arguments, possibly leading to escalation of privileges from the regular user "amandabackup" to root.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2168797, 2168798, 2168799, 2168800, 2168801, 2168802, 2168803, 2168804
Bug Blocks: 2167399

Description TEJ RATHI 2023-02-07 12:42:37 UTC
A privilege escalation flaw was found in Amanda 3.5.1 that can take the backup user to root privileges. The vulnerable component is the runtar SUID binary, which is just a wrapper to run /usr/bin/tar with specific arguments that are controllable by the attacker. The program does not correctly check the args passed to the tar binary (it assumes that all args are of the form --ARG VALUE, but we can provide --ARG=VALUE as one argument).

https://github.com/MaherAzzouzi/CVE-2022-37705
https://github.com/zmanda/amanda/issues/192
https://marc.info/?l=amanda-hackers&m=167437716918603&w=2
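The argument-screening flaw described in the report above, as an added example that is not part of this bug report and is not Amanda's runtar source: a constructed model in C of a SUID wrapper that filters argv before handing it to tar. The deny list of command-executing GNU tar options, the allow lists and the sample argv are illustrative assumptions. The weak filter compares whole tokens with strcmp and therefore only recognises the `--ARG VALUE` spelling, so `--ARG=VALUE` slips past it; the hardened filter splits a token at its first `=`, allow-lists the option name instead of deny-listing it, and consumes the separate value of a value-taking option so it can never be reinterpreted as an option.

```c
/* Constructed model of the flaw described in this bug: a SUID wrapper that
 * screens argv before exec'ing tar as root.  This is NOT Amanda's runtar
 * source; the option lists below are illustrative assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* GNU tar options that make tar execute an external program.  A root-running
 * wrapper must never pass these through (illustrative, not exhaustive). */
static const char *const DANGEROUS[] = {
    "--rsh-command", "--use-compress-program", "--to-command",
    "--checkpoint-action", NULL,
};

/* Options the hypothetical wrapper intends to allow. */
static const char *const ALLOWED_WITH_VALUE[] = {   /* take one value */
    "--file", "--directory", "--listed-incremental", "--exclude-from", NULL,
};
static const char *const ALLOWED_FLAGS[] = {        /* take no value */
    "--create", "--verbose", "--sparse", "--totals", NULL,
};

static bool in_list(const char *const *list, const char *s)
{
    for (; *list != NULL; list++)
        if (strcmp(*list, s) == 0)
            return true;
    return false;
}

/* Weak filter, modelling the bug: every token is compared whole against the
 * deny list, on the assumption that options always arrive as "--ARG VALUE".
 * "--ARG=VALUE" is a different string, so it never matches and is passed on
 * to tar, which accepts both spellings. */
bool weak_filter_accepts(int argc, char *const argv[])
{
    for (int i = 1; i < argc; i++)
        if (in_list(DANGEROUS, argv[i]))
            return false;
    return true;
}

/* Hardened filter: normalise "--ARG=VALUE" to its option name, allow-list
 * names instead of deny-listing them, consume the separate value of a
 * value-taking option so it is never reinterpreted as an option, and reject
 * every other token that starts with '-' (short options are not modelled). */
bool hardened_filter_accepts(int argc, char *const argv[])
{
    for (int i = 1; i < argc; i++) {
        const char *tok = argv[i];
        char name[64];

        if (strcmp(tok, "--") == 0)      /* tar stops option parsing here */
            return true;
        if (tok[0] != '-')               /* plain operand, e.g. a path */
            continue;
        if (tok[1] != '-')               /* "-x" short options: not allowed */
            return false;

        /* The option name is everything before the first '='. */
        const char *eq = strchr(tok, '=');
        size_t n = eq != NULL ? (size_t)(eq - tok) : strlen(tok);
        if (n >= sizeof name)
            return false;
        memcpy(name, tok, n);
        name[n] = '\0';

        if (in_list(ALLOWED_FLAGS, name)) {
            if (eq != NULL)              /* "--create=x" is not a valid form */
                return false;
            continue;
        }
        if (in_list(ALLOWED_WITH_VALUE, name)) {
            if (eq == NULL && ++i >= argc)   /* consume "--file VALUE" */
                return false;            /* option arrived without its value */
            continue;
        }
        return false;                    /* unknown or dangerous option */
    }
    return true;
}

int main(void)
{
    /* Constructed argv: the "--ARG=VALUE" spelling of a denied option. */
    char *bypass[] = {"runtar", "--create", "--file", "/tmp/a.tar",
                      "--use-compress-program=/tmp/evil", "."};
    int n = (int)(sizeof bypass / sizeof bypass[0]);

    printf("weak filter:     %s\n", weak_filter_accepts(n, bypass) ? "accepts" : "rejects");
    printf("hardened filter: %s\n", hardened_filter_accepts(n, bypass) ? "accepts" : "rejects");
    return 0;
}
```

Build with `cc -std=c99 -Wall filter.c`. Because the hardened filter requires an exact option name from an allow list, the abbreviated long options that getopt_long accepts (GNU tar resolves an unambiguous prefix such as `--use-compress-prog` to the full option) are rejected as well, whereas a deny list compared with strcmp misses them for the same reason it misses the `=` spelling.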

Comment 1 Sandipan Roy 2023-02-10 04:46:14 UTC
Created amanda tracking bugs for this issue:

Affects: fedora-all [bug 2168797]

Comment 3 Jason Tibbitts 2023-02-10 04:59:13 UTC
/usr/lib64/amanda/runtar is not executable by users, and so Fedora is not vulnerable to this unless for some reason the user is in group disk.  In which case they can just write to all of the disks in the system directly.

Comment 4 Pavel Cahyna 2023-02-10 13:01:44 UTC
(In reply to Jason Tibbitts from comment #3)
> /usr/lib64/amanda/runtar is not executable by users, and so Fedora is not
> vulnerable to this unless for some reason the user is in group disk.  In
> which case they can just write to all of the disks in the system directly.

This is a pertinent observation, and applies to RHEL as well. OTOH, obtaining a shell makes an exploit much easier. Also, maybe one could somehow trick amandad to pass wrong arguments to runtar itself, which would make the bug exploitable even without gaining access to the disk group. (runtar is executed from sendsize and sendbackup.)

Comment 7 Mauro Matteo Cascella 2023-02-27 18:10:35 UTC
In reply to comment #3:
> /usr/lib64/amanda/runtar is not executable by users, and so Fedora is not
> vulnerable to this unless for some reason the user is in group disk.  In
> which case they can just write to all of the disks in the system directly.

To back this up:

el8 ~ $ dnf install amanda-client
el8 ~ $ ls -l /usr/lib64/amanda/runtar
-rwsr-x---. 1 root disk 17208 Aug 12  2018 /usr/lib64/amanda/runtar