[Suggested description] In Amanda 3.5.1, an information leak vulnerability was found in calcsize SUID binary. The attacker can abuse the vulnerability to know if a directory exist or not anywhere in the fs. The binary will use
opendir()
as root directly without checking the path, letting the attacker provide an arbitrary path. The attacker needs to be thebackup
user to be able to run calcsize binary.
[Additional Information] The PoC is very simple you just have to run the binary like this: ./calcsize MAHER dir1 -X [directory] if the binary did not generate any output then the directory is available. If it's not available it will say that it is not available like this:
backup@maher:/home/maher/pwn/ubuntu/userland/suid/amanda/sec$ ./calcsize MAHER dir1 -X /etcc /etcc/.: No such file or directory
[Vulnerability Type] Insecure Permissions
[Vendor of Product] Amanda
[Affected Product Code Base] calcsize - 3.5.1
[Affected Component] Component: calcsize SUID binary. C file: calcsize.c Line: 435
if((d = opendir(dirname)) == NULL) {
[Attack Type] Local
[Impact Information Disclosure] true
[Attack Vectors] To exploit the vulnerability the attacker need to have access to the calcsize binary (one of the amanda packages being installed).
[Reference] http://www.amanda.org/
[Discoverer] Maher Azzouzi
-
Notifications
You must be signed in to change notification settings - Fork 1
MaherAzzouzi/CVE-2022-37703
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
About
Amanda Information Disclosure bug.
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published