Bug 2167744 (CVE-2022-37705) - CVE-2022-37705 amanda: runtar: crafted arguments can lead to local privilege escalation
Summary: CVE-2022-37705 amanda: runtar: crafted arguments can lead to local privilege escalation
Keywords:
Status: NEW
Alias: CVE-2022-37705
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2168797 2168798 2168799 2168800 2168801 2168802 2168803 2168804
Blocks: 2167399
Reported: 2023-02-07 12:42 UTC by TEJ RATHI
Modified: 2023-07-07 08:30 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Amanda. The `runtar` SUID binary executes /usr/bin/tar as root without properly validating its arguments, possibly leading to escalation of privileges from the regular user "amandabackup" to root.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description TEJ RATHI 2023-02-07 12:42:37 UTC
A privilege escalation flaw was found in Amanda 3.5.1 that can take the backup user to root privileges. The vulnerable component is the runtar SUID binary, which is just a wrapper that runs /usr/bin/tar with specific arguments controllable by the attacker. The program does not correctly check the args passed to the tar binary (it assumes that all args take the form `--ARG VALUE`, but we can provide `--ARG=VALUE` as one argument).

https://github.com/MaherAzzouzi/CVE-2022-37705
https://github.com/zmanda/amanda/issues/192
https://marc.info/?l=amanda-hackers&m=167437716918603&w=2
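The validation gap the report describes, as an added illustration in C (this is not the runtar source and not a reproduction of the published exploit): a wrapper that allowlists `--OPTION` names but forwards the token after a value-taking option unchecked lets an `--OPTION=VALUE` token through in the value slot, where tar parses it as an option. The strict variant splits the `=` form, checks the option name against the allowlist, and refuses any value that itself starts with `-`. The allowlist entries and argument vectors below are constructed for this example.

```c
/* Added illustration (not the runtar source): an argument allowlist that
 * only recognises the "--OPTION VALUE" form, beside a variant that also
 * handles "--OPTION=VALUE" and rejects option-like values. */
#include <stdio.h>
#include <string.h>

/* Constructed allowlist: options the wrapper will forward to tar, and
 * whether each consumes a value. */
struct allowed { const char *name; int takes_value; };
static const struct allowed ALLOWED[] = {
    { "--create",    0 },
    { "--file",      1 },
    { "--directory", 1 },
    { NULL, 0 }
};

/* Find an allowlist entry whose name equals the first `len` bytes of `name`. */
static const struct allowed *lookup(const char *name, size_t len) {
    for (const struct allowed *a = ALLOWED; a->name; a++)
        if (strlen(a->name) == len && strncmp(a->name, name, len) == 0)
            return a;
    return NULL;
}

/* Vulnerable check, modelled on the report: every option-looking token must
 * be allowlisted, but the token following a value-taking option is treated
 * as opaque and skipped without inspection. Returns 1 if argv is accepted. */
int validate_naive(int argc, char **argv) {
    for (int i = 0; i < argc; i++) {
        if (argv[i][0] != '-')
            continue;                       /* plain operand, accepted */
        const struct allowed *a = lookup(argv[i], strlen(argv[i]));
        if (!a)
            return 0;                       /* unknown option */
        if (a->takes_value)
            i++;                            /* value slot forwarded unchecked */
    }
    return 1;
}

/* Hardened check: split "--opt=value" at the first '=', validate the option
 * name against the allowlist, and refuse any value (inline or separate) that
 * begins with '-', since tar would parse it as another option. */
int validate_strict(int argc, char **argv) {
    for (int i = 0; i < argc; i++) {
        const char *tok = argv[i];
        if (tok[0] != '-')
            continue;
        const char *eq = strchr(tok, '=');
        size_t namelen = eq ? (size_t)(eq - tok) : strlen(tok);
        const struct allowed *a = lookup(tok, namelen);
        if (!a)
            return 0;                       /* unknown option name */
        if (a->takes_value) {
            const char *value;
            if (eq)
                value = eq + 1;
            else if (i + 1 < argc)
                value = argv[++i];
            else
                return 0;                   /* option missing its value */
            if (value[0] == '\0' || value[0] == '-')
                return 0;                   /* value would be parsed as an option */
        } else if (eq) {
            return 0;                       /* flag given a value it does not take */
        }
    }
    return 1;
}

/* Constructed argument vectors: a legitimate call, the "--ARG=VALUE" token
 * smuggled into a value slot, and the legitimate inline "=" form. */
static char *LEGIT[]  = { "--create", "--file", "/var/backups/out.tar", "/etc" };
static char *BYPASS[] = { "--create", "--file", "--not-allowed=/tmp/x", "/etc" };
static char *INLINE[] = { "--create", "--file=/var/backups/out.tar", "/etc" };

int main(void) {
    printf("naive : legit=%d bypass=%d inline=%d\n",
           validate_naive(4, LEGIT), validate_naive(4, BYPASS), validate_naive(3, INLINE));
    printf("strict: legit=%d bypass=%d inline=%d\n",
           validate_strict(4, LEGIT), validate_strict(4, BYPASS), validate_strict(3, INLINE));
    return 0;
}
```

The naive validator accepts BYPASS because the `--not-allowed=/tmp/x` token lands in the slot it skips; the strict one rejects it and, unlike the naive one, also accepts the legitimate inline form. Allowlisting by option name is still only part of the fix: a wrapper forwarding arguments to a SUID-executed tar also has to constrain the values themselves (paths, file names), which this example does not attempt.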

Comment 1 Sandipan Roy 2023-02-10 04:46:14 UTC
Created amanda tracking bugs for this issue:

Affects: fedora-all [bug 2168797]

Comment 3 Jason Tibbitts 2023-02-10 04:59:13 UTC
/usr/lib64/amanda/runtar is not executable by users, and so Fedora is not vulnerable to this unless for some reason the user is in group disk, in which case they can just write to all of the disks in the system directly.

Comment 4 Pavel Cahyna 2023-02-10 13:01:44 UTC
(In reply to Jason Tibbitts from comment #3)
> /usr/lib64/amanda/runtar is not executable by users, and so Fedora is not
> vulnerable to this unless for some reason the user is in group disk.  In
> which case they can just write to all of the disks in the system directly.

This is a pertinent observation, and applies to RHEL as well. OTOH, obtaining a shell makes an exploit much easier. Also, maybe one could somehow trick amandad to pass wrong arguments to runtar itself, which would make the bug exploitable even without gaining access to the disk group. (runtar is executed from sendsize and sendbackup.)

Comment 7 Mauro Matteo Cascella 2023-02-27 18:10:35 UTC
In reply to comment #3:
> /usr/lib64/amanda/runtar is not executable by users, and so Fedora is not
> vulnerable to this unless for some reason the user is in group disk.  In
> which case they can just write to all of the disks in the system directly.

To back this up:

el8 ~ $ dnf install amanda-client
el8 ~ $ ls -l /usr/lib64/amanda/runtar
-rwsr-x---. 1 root disk 17208 Aug 12  2018 /usr/lib64/amanda/runtar
