An issue was discovered in Amanda 3.3.1. A user with backup privileges can trivially compromise a client installation. The "runtar" setuid root binary does not check for additional arguments supplied after --create, allowing users to manipulate commands and perform command injection as root.
Created amanda tracking bugs for this issue:

Affects: fedora-all [bug 1647086]
This is odd. Not understanding the procedure here, could someone tell me why the CVE is from 2016? In Fedora:

    ἐπιθυμία:~❯ ls -l /usr/lib64/amanda/runtar
    -rwsr-x---. 1 root disk 15776 Aug 20 07:36 /usr/lib64/amanda/runtar*

The permissions don't appear to be different on CentOS 7. So any potential exploit kicks in only if you can get into group disk in order to run the executable. In addition, setting up an account that is in group disk and attempting to run the runtar command to try and get something improperly executed:

    runtar: error [runtar invalid option: --rsh-command=/tmp/foo]
    runtar: error [runtar invalid option: --rsh-command]

Looking at the source for that executable (runtar.c) from Amanda 3.5.1 in Fedora:

    for (i = 1; argv[i]; i++) {
        if (good_option <= 0) {
            if (g_str_has_prefix(argv[i],"--rsh-command") ||
                g_str_has_prefix(argv[i],"--to-command") ||
                g_str_has_prefix(argv[i],"--info-script") ||
                g_str_has_prefix(argv[i],"--new-volume-script") ||
                g_str_has_prefix(argv[i],"--rmt-command") ||
                g_str_has_prefix(argv[i],"--use-compress-program")) {
                /* Filter potential malicious option */
                good_option = 0;
            } else if (g_str_has_prefix(argv[i],"--create") ||
                       g_str_has_prefix(argv[i],"--totals") ||
                       g_str_has_prefix(argv[i],"--dereference") ||
                       g_str_has_prefix(argv[i],"--no-recursion") ||
                       g_str_has_prefix(argv[i],"--one-file-system") ||
                       g_str_has_prefix(argv[i],"--incremental") ||
                       g_str_has_prefix(argv[i],"--atime-preserve") ||
                       g_str_has_prefix(argv[i],"--sparse") ||
                       g_str_has_prefix(argv[i],"--ignore-failed-read") ||
                       g_str_has_prefix(argv[i],"--numeric-owner") ||
                       g_str_has_prefix(argv[i],"--verbose")) {
                /* Accept these options */
                good_option++;
            } else if (g_str_has_prefix(argv[i],"--blocking-factor") ||
                       g_str_has_prefix(argv[i],"--file") ||
                       g_str_has_prefix(argv[i],"--directory") ||
                       g_str_has_prefix(argv[i],"--exclude") ||
                       g_str_has_prefix(argv[i],"--transform") ||
                       g_str_has_prefix(argv[i],"--listed-incremental") ||
                       g_str_has_prefix(argv[i],"--newer") ||
                       g_str_has_prefix(argv[i],"--exclude-from") ||
                       g_str_has_prefix(argv[i],"--files-from")) {
                /* Accept these options with the following argument */
                good_option += 2;
            } else if (argv[i][0] != '-') {
                good_option++;
            }
        }
    }

So... Amanda 3.5.1 (which is the current version in all live Fedora releases) is not vulnerable. Amanda 3.3.8 in CentOS 7 does accept that option and might be vulnerable, though I tried and could not reproduce the issue.
There's a public exploit for this issue published here: https://www.exploit-db.com/exploits/39217/

The issue is exploited by running the setuid runtar program (that is part of Amanda) with the --rsh-command option, which is passed to the tar command executed by runtar. This causes tar to execute an attacker-controlled program with root privileges. The problem was fixed in Amanda 3.3.9 by checking all command line arguments before passing them to tar, and only allowing certain options: https://github.com/zmanda/amanda/blob/tags/community_3_3_9/NEWS

    * amgtar/amstar/ambsdtar/runtar - Disable arguments that can fork program.

Patch for the runtar: https://github.com/zmanda/amanda/commit/2ba9a5fb84ba2faaeb95695a03bd7f26cbdfedb8

This patch contains both a blacklist of known bad options and a whitelist of known good options. The blacklist is actually redundant, as only whitelisted options are accepted.

Patch for ambsdtar, amgtar, and amstar: https://github.com/zmanda/amanda/commit/29bae2e271093cd8d06ea98f73a474c685c5a314

This patch only adds a blacklist of known bad options.
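To make the fix described above concrete, here is an added stand-alone model (not Amanda's own code) of the whitelist-and-counter scheme from the runtar.c snippet quoted in the earlier comment: an allowed option lets its own argv element through, an option that takes a separate value lets the next element through as well, and everything else, including every option that can fork a program, is rejected. The function name runtar_args_ok and the two option tables are assumptions made for this example; the rejection message mirrors the one seen in the terminal output above.

```c
#include <stdio.h>
#include <string.h>

static int has_prefix(const char *s, const char *prefix) {
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

static int in_list(const char *arg, const char *const *list) {
    for (; *list; list++)
        if (has_prefix(arg, *list))
            return 1;
    return 0;
}

/* Options accepted on their own (a value may only be attached as --opt=value). */
static const char *const plain_ok[] = {
    "--create", "--totals", "--dereference", "--no-recursion",
    "--one-file-system", "--incremental", "--atime-preserve", "--sparse",
    "--ignore-failed-read", "--numeric-owner", "--verbose", NULL };

/* Options whose following argv element is also accepted as their value. */
static const char *const valued_ok[] = {
    "--blocking-factor", "--file", "--directory", "--exclude", "--transform",
    "--listed-incremental", "--newer", "--exclude-from", "--files-from", NULL };

/* Returns 1 if every element of argv[1..] passes the filter, 0 otherwise.
 * Unlisted options (e.g. --rsh-command, --use-compress-program) never raise
 * good_option above zero, so they are rejected before reaching tar. */
int runtar_args_ok(char *const argv[]) {
    int good_option = 0;
    for (int i = 1; argv[i]; i++) {
        if (good_option <= 0) {
            if (in_list(argv[i], plain_ok) || argv[i][0] != '-')
                good_option++;      /* accept this element only */
            else if (in_list(argv[i], valued_ok))
                good_option += 2;   /* accept this element and the next one */
        }
        if (good_option <= 0) {
            fprintf(stderr, "runtar invalid option: %s\n", argv[i]);
            return 0;
        }
        good_option--;              /* one accepted element consumed */
    }
    return 1;
}
```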
This issue affects the versions of amanda as shipped with Red Hat Enterprise Linux 5, 6, and 7. However, the runtar command can only be run by users in the disk group. Members of that group should be considered root-equivalent, as they have write access to the disk partitions, and hence there's no trust boundary crossed when this flaw is exploited. See bug 1647090 comment 4 for further details.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2016-10729