[Suggested description] In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse the vulnerability to learn whether a directory exists anywhere in the filesystem. The binary calls opendir() as root directly without checking the path, letting the attacker provide an arbitrary path. The attacker needs to be the backup user to be able to run the calcsize binary.
[Additional Information] The PoC is very simple: you just have to run the binary like this: ./calcsize MAHER dir1 -X [directory]. If the binary does not generate any output, then the directory is available. If it is not available, the binary says so, like this:
backup@maher:/home/maher/pwn/ubuntu/userland/suid/amanda/sec$ ./calcsize MAHER dir1 -X /etcc
/etcc/.: No such file or directory
[Vulnerability Type] Insecure Permissions
[Vendor of Product] Amanda
[Affected Product Code Base] calcsize - 3.5.1
[Affected Component] Component: calcsize SUID binary. C file: calcsize.c Line: 435
if((d = opendir(dirname)) == NULL) {
[Attack Type] Local
[Impact Information Disclosure] true
[Attack Vectors] To exploit the vulnerability, the attacker needs to have access to the calcsize binary (one of the amanda packages being installed).
[Reference] http://www.amanda.org/
[Discoverer] Maher Azzouzi
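One way to close the existence oracle described above, shown as an added example (this is not Amanda's code and not its upstream patch): perform the opendir() call with the invoking user's real uid and gid instead of root's. The helper name opendir_as_caller is hypothetical.

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not Amanda code: open dirname with the invoking
 * user's real uid/gid, so a set-uid root binary reveals nothing about the
 * path that the caller could not already see with their own permissions. */
DIR *opendir_as_caller(const char *dirname)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    DIR *d;
    int err;

    /* Drop the group first; changing egid needs the privileged euid. */
    if (setegid(getgid()) != 0)
        return NULL;
    if (seteuid(getuid()) != 0) {
        err = errno;
        if (setegid(saved_egid) == 0)   /* undo the partial drop */
            errno = err;
        return NULL;
    }

    d = opendir(dirname);               /* checked against the real ids */
    err = (d == NULL) ? errno : 0;

    /* Regain privileges in reverse order; fail closed if that fails. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) {
        if (d != NULL)
            closedir(d);
        return NULL;
    }
    errno = err;
    return d;
}

int main(int argc, char **argv)
{
    const char *path = (argc > 1) ? argv[1] : "/";
    DIR *d = opendir_as_caller(path);

    if (d == NULL) {
        perror(path);
        return 1;
    }
    closedir(d);
    return 0;
}
```

Because the check runs with the real ids, a path beneath a directory the caller cannot traverse fails with EACCES whether or not it exists, so the error message no longer distinguishes the two cases.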
MaherAzzouzi/CVE-2022-37703
Amanda Information Disclosure bug.