Unrated severity · NVD Advisory · Published Nov 1, 1999 · Updated Apr 16, 2026

CVE-1999-1517

Description

Amanda's runtar program invokes tar with root privileges, allowing local users to read or overwrite arbitrary files or gain root via a tar buffer overflow.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

runtar in the Amanda backup system (versions shipped with FreeBSD 3.3-RELEASE and likely other UNIX platforms) is installed setuid root by default. It passes all arguments directly to /usr/bin/tar, which executes with root privileges. This allows any local user to use tar as if they were root, enabling arbitrary file read/write operations. The vulnerability was reported in October 1999 [1].

Exploitation

A local attacker needs no special privileges beyond a shell account. They can simply invoke runtar with arguments to archive any file (e.g., /etc/master.passwd) or extract a tar archive to any location (e.g., overwriting /etc/master.passwd). Additionally, a buffer overflow exists in tar itself, which an attacker could exploit to execute arbitrary code as root via carefully crafted command-line arguments passed through runtar [1].

Impact

Successful exploitation results in complete compromise of the system: the attacker can read any file (information disclosure) or overwrite any file (integrity violation) with root privileges. Using the buffer overflow, they can directly execute arbitrary commands as root, gaining full control of the host [1].

Mitigation

No official patch was documented in the available references. The primary mitigation is to remove the setuid bit from runtar or to restrict access to the Amanda package. System administrators should review whether Amanda is needed and ensure it is not installed setuid if not required. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
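One way to check which of the two mitigation states a runtar binary is in, as an added example that is not part of the advisory or of Amanda's code. The function name `classify_wrapper` and its result labels are hypothetical, and the administrator supplies the path to runtar, since the advisory does not give its install location.

```shell
#!/bin/sh
# Added example: classify a setuid wrapper such as Amanda's runtar.
# Usage: sh audit.sh /path/to/runtar   (path supplied by the administrator)
#
# classify_wrapper PATH [OWNER_UID]   (OWNER_UID defaults to 0, i.e. root)
# Prints exactly one label:
#   missing             not a regular file
#   no-setuid           setuid bit is clear (first mitigation applied)
#   setuid-other-owner  setuid, but not owned by OWNER_UID
#   restricted          setuid + OWNER_UID, "other" cannot execute
#                       (second mitigation: access limited by owner/group)
#   exposed             setuid + OWNER_UID, executable by any local user
classify_wrapper() {
    cw_path=$1
    cw_uid=${2:-0}

    [ -f "$cw_path" ] || { echo missing; return 0; }

    # test -u is true only when the set-user-ID bit is set.
    [ -u "$cw_path" ] || { echo no-setuid; return 0; }

    # find -user accepts a numeric uid; -prune stops at the start point.
    if [ -z "$(find "$cw_path" -prune -user "$cw_uid" -print)" ]; then
        echo setuid-other-owner
        return 0
    fi

    # -perm -0001 matches when the other-execute bit is set.
    if [ -n "$(find "$cw_path" -prune -perm -0001 -print)" ]; then
        echo exposed
    else
        echo restricted
    fi
    return 0
}

# Report on every path given on the command line, if any.
for cw_arg in "$@"; do
    printf '%s: %s\n' "$cw_arg" "$(classify_wrapper "$cw_arg")"
done
```

A result of `exposed` is the configuration the advisory describes; `restricted` still leaves the wrapper usable by whichever owner or group retains execute permission.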

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
