发布时间 :1999-11-01 00:00:00
修订时间 :2016-10-17 22:05:16

[原文]runtar in the Amanda backup system used in various UNIX operating systems executes tar with root privileges, which allows a user to overwrite or read arbitrary files by providing the target files to runtar.

[CNNVD]多个供应商Amanda 'runtar'许可漏洞(CNNVD-199911-007)


- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BUGTRAQ  19991101 Amanda multiple vendor local root compromises

- 漏洞信息

多个供应商Amanda 'runtar'许可漏洞
高危 其他
1999-11-01 00:00:00 2005-10-20 00:00:00

- 公告与补丁

        Remove the executable bit on the runtar binary so it is only executable by its owner and group.

- 漏洞信息

AMANDA Backup System runtar Arbitrary File Manipulation

- 漏洞描述

Unknown or Incomplete

- 时间线

1999-11-01 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Multiple Vendor Amanda 'runtar' permissions Vulnerabilities
Origin Validation Error 750
No Yes
1999-11-01 12:00:00 2009-07-11 12:56:00
This vulnerability was discovered and posted to the Bugtraq mailing list by Brock Tellier <> on Sat, 30 Oct 1999.

- 受影响的程序版本

FreeBSD FreeBSD 3.3

- 漏洞讨论

Amanda is a popular file backup system used by several free UNIX distributions. The version which ships with FreeBSD 3.3-RELEASE has been discovered to contain a permission vulnerability in the 'runtar' problem.

The 'runtar' program under Amanda is run SUID root and calls /usr/bin/tar. Due to the fact that 'runtar' is run as root and allows for user supplied data a malicious user can tar up files they should have no access to, or untar files over files which they should have no access to. For example, /etc/master.passwd could be overwritten with a new password file.

This problem also manifests itself in a second way. The problem here, is that /usr/bin/tar under FreeBSD has a buffer overflow in it. Normally this would not be a problem because FreeBSD ships tar as non-SUID root. However, runtar (Amanda's program which calls tar) is SUID root and passes user supplied arguments to the regular tar.

This allows malicious to send an overly long argument (with crafted shell code) to runtar and have it pass it to /usr/bin/tar which is now being executed as rot via runtar.

This vulnerability may very well be present in other UNIX distributions. This entry will be updated as more information becomes available.

The vulnerability is not as pressing under other platforms in hich Amanda runs since although runtar is SUID root is is normally only executable by group amanda is installed under (normally amanda, operator or bin). If someone has access to the amanda user id and group they already have access to the raw disks and can modify any files in the system.

- 漏洞利用

See Discussion.

- 解决方案

Remove the executable bit on the runtar binary so it is only executable by its owner and group.

- 相关参考