Bug 1647084 (CVE-2016-10729) - CVE-2016-10729 amanda: Privilege escalation in runtar via --rsh-command option
Summary: CVE-2016-10729 amanda: Privilege escalation in runtar via --rsh-command option
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-10729
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1647085 1647086
Blocks: 1647095
 
Reported: 2018-11-06 16:23 UTC by Laura Pardo
Modified: 2020-04-22 04:32 UTC (History)
CC List: 6 users

Fixed In Version: amanda 3.3.9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-22 04:32:10 UTC



Description Laura Pardo 2018-11-06 16:23:28 UTC
An issue was discovered in Amanda 3.3.1. A user with backup privileges can trivially compromise a client installation. The "runtar" setuid root binary does not check for additional arguments supplied after --create, allowing users to manipulate commands and perform command injection as root.

Comment 1 Laura Pardo 2018-11-06 16:24:00 UTC
Created amanda tracking bugs for this issue:

Affects: fedora-all [bug 1647086]

Comment 3 Jason Tibbitts 2018-11-06 16:59:52 UTC
This is odd.  Not understanding the procedure here, could someone tell me why the CVE is from 2016?

In Fedora:

ἐπιθυμία:~❯ ls -l /usr/lib64/amanda/runtar
-rwsr-x---. 1 root disk 15776 Aug 20 07:36 /usr/lib64/amanda/runtar*


The permissions don't appear to be different on CentOS 7.

So any potential exploit kicks in only if you can get into group disk in order to run the executable.

In addition, setting up an account that is in group disk and attempting to run the runtar command to try and get something improperly executed:

runtar: error [runtar invalid option: --rsh-command=/tmp/foo]

runtar: error [runtar invalid option: --rsh-command]

Looking at the source for that executable (runtar.c) from Amanda 3.5.1 in Fedora:

    for (i = 1; argv[i]; i++) {
        if (good_option <= 0) {
            if (g_str_has_prefix(argv[i],"--rsh-command") ||
                g_str_has_prefix(argv[i],"--to-command") ||
                g_str_has_prefix(argv[i],"--info-script") ||
                g_str_has_prefix(argv[i],"--new-volume-script") ||
                g_str_has_prefix(argv[i],"--rmt-command") ||
                g_str_has_prefix(argv[i],"--use-compress-program")) {
                /* Filter potential malicious option */
                good_option = 0;
            } else if (g_str_has_prefix(argv[i],"--create") ||
                g_str_has_prefix(argv[i],"--totals") ||
                g_str_has_prefix(argv[i],"--dereference") ||
                g_str_has_prefix(argv[i],"--no-recursion") ||
                g_str_has_prefix(argv[i],"--one-file-system") ||
                g_str_has_prefix(argv[i],"--incremental") ||
                g_str_has_prefix(argv[i],"--atime-preserve") ||
                g_str_has_prefix(argv[i],"--sparse") ||
                g_str_has_prefix(argv[i],"--ignore-failed-read") ||
                g_str_has_prefix(argv[i],"--numeric-owner") ||
                g_str_has_prefix(argv[i],"--verbose")) {
                /* Accept theses options */
                good_option++;
            } else if (g_str_has_prefix(argv[i],"--blocking-factor") ||
                g_str_has_prefix(argv[i],"--file") ||
                g_str_has_prefix(argv[i],"--directory") ||
                g_str_has_prefix(argv[i],"--exclude") ||
                g_str_has_prefix(argv[i],"--transform") ||
                g_str_has_prefix(argv[i],"--listed-incremental") ||
                g_str_has_prefix(argv[i],"--newer") ||
                g_str_has_prefix(argv[i],"--exclude-from") ||
                g_str_has_prefix(argv[i],"--files-from")) {
                /* Accept theses options with the following argument */
                good_option += 2;
            } else if (argv[i][0] != '-') {
                good_option++;
            }
        }

So... Amanda 3.5.1 (which is the current version in all live Fedora releases) is not vulnerable.

Amanda 3.3.8 in CentOS 7 does accept that option and might be vulnerable, though I tried and could not reproduce the issue.

Comment 4 Tomas Hoger 2018-11-07 21:02:03 UTC
There's a public exploit for this issue published here:

https://www.exploit-db.com/exploits/39217/

The issue is exploited by running the setuid runtar program (which is part of Amanda) with the --rsh-command option, which is passed on to the tar command executed by runtar.  This causes tar to execute an attacker-controlled program with root privileges.

The problem was fixed in Amanda 3.3.9 by checking all command line arguments before passing them to tar, and only allowing certain options:

https://github.com/zmanda/amanda/blob/tags/community_3_3_9/NEWS

  * amgtar/amstar/ambsdtar/runtar
    - Disable arguments that can fork program.

Patch for the runtar:

https://github.com/zmanda/amanda/commit/2ba9a5fb84ba2faaeb95695a03bd7f26cbdfedb8

This patch contains both a blacklist of known bad options and a whitelist of known good options.  The blacklist is actually redundant, as only whitelisted options are accepted.

Patch for ambsdtar, amgtar, and amstar:

https://github.com/zmanda/amanda/commit/29bae2e271093cd8d06ea98f73a474c685c5a314

This patch only adds a blacklist of known bad options.

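As an added illustration of the allowlist approach the 3.3.9 fix takes, here is a stand-alone argument check of the kind a setuid tar wrapper needs. This is example code written for this page, not Amanda's runtar.c and not the upstream patch: it reuses the tar option names quoted from runtar.c in comment 3, but the matching and value-handling logic and the sample command lines are our own constructions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Allowlist check for the arguments a setuid wrapper forwards to tar.
 * Illustration only: this is not Amanda's runtar.c.  The option names
 * are the ones quoted from runtar.c in this report; the matching logic
 * (exact option name, explicit value consumption) is our own.
 */

/* Long options that take no value. */
static const char *const FLAG_OPTIONS[] = {
    "--create", "--totals", "--dereference", "--no-recursion",
    "--one-file-system", "--incremental", "--atime-preserve", "--sparse",
    "--ignore-failed-read", "--numeric-owner", "--verbose", NULL
};

/* Long options that take exactly one value, as "--file=X" or "--file X". */
static const char *const ARG_OPTIONS[] = {
    "--blocking-factor", "--file", "--directory", "--exclude",
    "--transform", "--listed-incremental", "--newer", "--exclude-from",
    "--files-from", NULL
};

/* Exact match of the option name (argv text before any '=') against a list.
 * A prefix test would not catch "--rsh-c" on a "--rsh-command" denylist,
 * and getopt_long-style parsers expand such unambiguous abbreviations. */
static bool in_list(const char *const *list, const char *name, size_t len)
{
    for (; *list; list++)
        if (strlen(*list) == len && memcmp(*list, name, len) == 0)
            return true;
    return false;
}

/* Returns 0 if every argument is acceptable, else the index of the first
 * rejected one.  Anything not explicitly allowed is rejected, so no
 * separate denylist of --rsh-command and friends is needed. */
int check_tar_args(int argc, char *const argv[])
{
    bool options_done = false;  /* a literal "--" ends option parsing in tar */

    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];

        if (options_done || a[0] != '-')
            continue;                       /* operand: a path to archive */
        if (strcmp(a, "--") == 0) {
            options_done = true;
            continue;
        }
        if (a[1] != '-')
            return i;                       /* short options are not allowlisted */

        const char *eq = strchr(a, '=');
        size_t name_len = eq ? (size_t)(eq - a) : strlen(a);

        if (in_list(FLAG_OPTIONS, a, name_len))
            continue;
        if (in_list(ARG_OPTIONS, a, name_len)) {
            if (eq)
                continue;                   /* value attached with '=' */
            if (i + 1 >= argc)
                return i;                   /* option with no value to consume */
            i++;                            /* the value is data, never re-parsed as an option */
            continue;
        }
        return i;                           /* unknown long option, --rsh-command included */
    }
    return 0;
}

/* Constructed sample command lines for this example (not from the exploit or the report). */
static char *const sample_ok[]     = {"runtar", "--create", "--file", "/dev/null", "--directory", "/", "etc", NULL};
static char *const sample_rsh[]    = {"runtar", "--create", "--rsh-command=/tmp/foo", "--file", "host:/backup", "etc", NULL};
static char *const sample_abbrev[] = {"runtar", "--create", "--rsh-c", "/tmp/foo", "--file", "host:/backup", "etc", NULL};
static char *const sample_value[]  = {"runtar", "--create", "--file", "--rsh-command=/tmp/foo", "etc", NULL};
static char *const sample_short[]  = {"runtar", "-c", "-f", "/dev/null", "etc", NULL};
static char *const sample_dangle[] = {"runtar", "--create", "--file", NULL};

/* Counts a NULL-terminated argv and runs the check on it. */
static int check_argv(char *const argv[])
{
    int argc = 0;
    while (argv[argc])
        argc++;
    return check_tar_args(argc, argv);
}

int main(void)
{
    printf("ok     -> %d\n", check_argv(sample_ok));      /* 0: accepted */
    printf("rsh    -> %d\n", check_argv(sample_rsh));     /* 2: --rsh-command=... rejected */
    printf("abbrev -> %d\n", check_argv(sample_abbrev));  /* 2: --rsh-c rejected */
    printf("value  -> %d\n", check_argv(sample_value));   /* 0: the string is --file's value */
    printf("short  -> %d\n", check_argv(sample_short));   /* 1: -c rejected */
    printf("dangle -> %d\n", check_argv(sample_dangle));  /* 2: --file without a value */
    return 0;
}
```

Two design points matter here. First, the option name is compared in full (up to any '='), not by prefix, so an abbreviation such as --rsh-c that a getopt_long-based tar would expand to --rsh-command is rejected along with the full spelling. Second, an option that takes a value consumes exactly one following argument and never looks at its content, so "--file --rsh-command=/tmp/foo" is treated as an (odd) archive name rather than as an option. The allowlist only decides which tar features are reachable; an accepted --file still lets the caller write an archive anywhere as root, which is consistent with comment 5's point that members of the disk group are root-equivalent in any case.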
Comment 5 Tomas Hoger 2018-11-07 21:08:53 UTC
This issue affects the versions of amanda as shipped with Red Hat Enterprise Linux 5, 6, and 7.

However, the runtar command can only be run by users in the disk group.  Members of that group should be considered root-equivalent, as they have write access to the disk partitions, and hence there's no trust boundary crossed when this flaw is exploited.  See bug 1647090 comment 4 for further details.

Comment 8 Product Security DevOps Team 2020-04-22 04:32:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2016-10729

