Multiple Vendor Amanda 'runtar' permissions Vulnerabilities
Amanda is a popular file backup system used by several free UNIX distributions. The version which ships with FreeBSD 3.3-RELEASE has been discovered to contain a permission vulnerability in the 'runtar' program.
The 'runtar' program under Amanda is run SUID root and calls /usr/bin/tar. Because 'runtar' runs as root and accepts user-supplied data, a malicious user can tar up files they should have no access to, or untar files over files which they should have no access to. For example, /etc/master.passwd could be overwritten with a new password file.
This problem also manifests itself in a second way: /usr/bin/tar under FreeBSD has a buffer overflow in it. Normally this would not be a problem because FreeBSD ships tar as non-SUID root. However, runtar (Amanda's program which calls tar) is SUID root and passes user-supplied arguments to the regular tar.
This allows a malicious user to send an overly long argument (with crafted shell code) to runtar and have it passed to /usr/bin/tar, which is now being executed as root via runtar.
This vulnerability may very well be present in other UNIX distributions. This entry will be updated as more information becomes available.
The vulnerability is not as pressing on other platforms on which Amanda runs: although runtar is SUID root, it is normally executable only by the group Amanda is installed under (normally amanda, operator or bin). If someone has access to the amanda user id and group, they already have access to the raw disks and can modify any files in the system.
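
The following audit script is an added example, not part of the original advisory or of Amanda. It checks whether a given runtar binary is SUID root and, if so, whether it is executable by everyone or only by its group, and lists that group's members. The path is supplied by the caller, since the advisory does not state where runtar is installed.

```python
import grp
import os
import stat
import sys


def classify(mode, uid):
    """Classify exposure of a helper binary from its st_mode and st_uid."""
    if not (mode & stat.S_ISUID) or uid != 0:
        return "not-suid-root"
    if mode & stat.S_IXOTH:
        return "exposed"      # any local user can run it with root privileges
    if mode & stat.S_IXGRP:
        return "group-only"   # the restricted layout the advisory describes
    return "owner-only"


def audit(path):
    """Return the verdict plus the group that is allowed to execute the file."""
    st = os.stat(path)
    try:
        group = grp.getgrgid(st.st_gid)
        name, members = group.gr_name, sorted(group.gr_mem)
    except KeyError:          # gid with no entry in the group database
        name, members = str(st.st_gid), []
    return {
        "path": path,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "verdict": classify(st.st_mode, st.st_uid),
        "group": name,
        # gr_mem lists supplementary members only; users whose primary
        # group is this gid must be looked up in the passwd database.
        "members": members,
    }


if __name__ == "__main__":
    # Paths come from the command line; the install location of runtar
    # varies by platform and is not given in the advisory.
    for p in sys.argv[1:]:
        r = audit(p)
        print("{path}: {verdict} mode={mode} group={group} members={members}".format(**r))
```

A verdict of "exposed" means every local account can reach the SUID root code path; "group-only" still leaves every member of the listed group able to do so.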