CVE-2016-10729
Description
Amanda 3.3.1's runtar setuid binary allows command injection via extra arguments after --create, letting a backup user gain root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Amanda 3.3.1, the runtar binary is installed setuid root and owned by the backup group. It fails to sanitize arguments supplied after the --create option, allowing command injection. A user in the backup group can execute arbitrary commands as root by passing a crafted --rsh-command argument [1].
Exploitation
An attacker must have a shell account on the client machine and be a member of the backup group (gid 34). The attacker compiles a payload, such as a program that adds a root user via `system("echo r00t::0:0::/:/bin/sh >> /etc/passwd")`, then invokes the runtar binary with arguments like `NOCONFIG tar --create --rsh-command=/path/to/exploit -vf localhost:/tmp/lol /etc/passwd`. The runtar binary executes the payload with root privileges, allowing immediate root access [1].
Impact
Successful exploitation gives the attacker full root privileges on the affected host, allowing them to read, modify, or delete any file, and potentially pivot to other systems from the privileged position. The integrity of the backup client is completely compromised [1].
Mitigation
Amanda 3.3.1 is affected; no official patch or fixed version has been disclosed in the available references [1]. Administrators should limit membership in the backup group to only trusted users and, if possible, remove the setuid bit from runtar or restrict its execution pending an update. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- osv-coords (2 versions)
  pkg:rpm/suse/amanda&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4
  pkg:rpm/suse/amanda&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4
  range: < 2.5.2.1-188.5.1 (+ 1 more)
- (no CPE) range: < 2.5.2.1-188.5.1
- (no CPE) range: < 2.5.2.1-188.5.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The setuid root binary 'runtar' does not validate or restrict additional arguments supplied after the --create flag, allowing command injection."
Attack vector
An attacker who already possesses backup privileges (membership in the "backup" group) can invoke the setuid root binary `/usr/lib/amanda/runtar` with crafted arguments. By supplying `--rsh-command=/tmp/x` after `--create`, the attacker forces tar to execute an arbitrary binary as root. The exploit shown in [ref_id=1] uses this to append a new root user to `/etc/passwd`, achieving full privilege escalation.
Affected code
The vulnerable binary is `/usr/lib/amanda/runtar`, a setuid root executable. The advisory [ref_id=1] states that it "does not check for additional arguments supplied after --create". No source code or patch is provided in the bundle, so the exact vulnerable function is not identified.
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] identifies the root cause as the "runtar" setuid binary failing to check for additional arguments supplied after `--create`. A proper fix would sanitize or restrict the arguments passed to tar, preventing users from injecting options like `--rsh-command` that redirect execution to an attacker-controlled binary.
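One way to implement the argument restriction described above, as an added example (not Amanda's code and not taken from the advisory): an exact-match allowlist, which refuses `--rsh-command` and also its abbreviated spellings, since GNU tar accepts unambiguous abbreviations of long options. The option list and the names `ALLOWED`, `find_opt` and `tar_args_allowed` are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical allowlist for illustration; not Amanda's actual option set.
 * takes_value = 1 for options with a required argument (--opt=v or --opt v). */
struct allowed_opt { const char *name; int takes_value; };
static const struct allowed_opt ALLOWED[] = {
    { "--create", 0 }, { "--verbose", 0 }, { "--one-file-system", 0 },
    { "--sparse", 0 }, { "--numeric-owner", 0 }, { "--file", 1 },
    { "--directory", 1 }, { "--listed-incremental", 1 }, { "--exclude-from", 1 },
};

/* Look up a long option by exact name; abbreviations never match. */
static const struct allowed_opt *find_opt(const char *arg, size_t namelen)
{
    for (size_t k = 0; k < sizeof ALLOWED / sizeof ALLOWED[0]; k++)
        if (strlen(ALLOWED[k].name) == namelen &&
            strncmp(arg, ALLOWED[k].name, namelen) == 0)
            return &ALLOWED[k];
    return NULL;
}

/* argv[0..argc-1] are tar's arguments. Returns 1 if all pass, 0 to refuse. */
int tar_args_allowed(int argc, char *const argv[])
{
    for (int i = 0; i < argc; i++) {
        const char *arg = argv[i];
        if (strcmp(arg, "--") == 0)
            return 1;                   /* everything after "--" is a path */
        if (arg[0] != '-' || arg[1] == '\0')
            continue;                   /* path operand */
        if (arg[1] != '-')
            return 0;                   /* short bundles (-vf) refused here */
        size_t namelen = strcspn(arg, "=");
        const struct allowed_opt *o = find_opt(arg, namelen);
        if (o == NULL)
            return 0;                   /* e.g. --rsh-command or --rsh-c */
        if (!o->takes_value && arg[namelen] == '=')
            return 0;                   /* unexpected value on a flag */
        if (o->takes_value && arg[namelen] != '=' && ++i >= argc)
            return 0;                   /* required value is missing */
    }
    return 1;
}

/* Stand-alone use: exit status 0 if the arguments pass, 1 if refused. */
int main(int argc, char **argv)
{
    return tar_args_allowed(argc - 1, argv + 1) ? 0 : 1;
}
```

A setuid wrapper would run a check like this before dropping to `execve`, and refuse the whole invocation on the first rejected argument rather than stripping it.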
Preconditions
- auth: Attacker must have a shell account on the client machine and be a member of the 'backup' group (or otherwise have permission to execute the setuid 'runtar' binary).
- config: The 'runtar' binary must be installed setuid root (default permissions: -rwsr-xr-- root backup).
- input: Attacker must be able to compile or place an executable (e.g., /tmp/x) on the filesystem.
Reproduction
1. Compile a helper binary that escalates privileges (e.g., adds a root user to /etc/passwd).
2. Run: `/usr/lib/amanda/runtar NOCONFIG tar --create --rsh-command=/tmp/x -vf localhost:/tmp/lol /etc/passwd`.
3. The injected `--rsh-command` argument causes tar to execute `/tmp/x` as root.
4. Switch to the newly created root user.

Full reproduction steps and source code are provided in [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] www.exploit-db.com/exploits/39217/ (mitre, exploit, x_refsource_EXPLOIT-DB)