CVE-2016-10730
Description
Amanda 3.3.1 allows users with backup privileges to gain root access via the amstar script's --star-path argument.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Amanda 3.3.1 allows users with backup privileges to gain root access via the amstar script's --star-path argument.
Vulnerability
CVE-2016-10730 affects Amanda 3.3.1. The amstar script, part of the Amanda Application API, runs binaries with root privileges when processing the --star-path command-line argument. The binary is setuid root (-rwsr-xr--) and owned by the backup group, meaning any user in the backup group can execute it. The script does not validate the path supplied to --star-path, allowing an attacker to specify an arbitrary executable that will be run as root [1].
Exploitation
A user with backup privileges (belonging to the backup group) can exploit this by providing a malicious script via the --star-path argument. No additional authentication or network access is needed. The example in the reference shows a user with uid 34 (backup) executing /usr/lib/amanda/application/amstar restore --star-path=/tmp/runme.sh, which immediately spawns a root shell [1].
Impact
Successful exploitation gives the attacker a root shell on the client machine. The attacker gains full control over the system (confidentiality, integrity, and availability compromise) at the highest privilege level. The impact is complete compromise of the affected Amanda client installation.
Mitigation
Amanda 3.3.1 is the affected version. The vendor has not released a patch; the vulnerability remains unaddressed. Users should restrict membership in the backup group to trusted personnel only. As a workaround, the setuid bit on amstar can be removed (chmod u-s /usr/lib/amanda/application/amstar), which will prevent privilege escalation but may break functionality. No KEV listing is currently available.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The amstar script runs binaries with root privileges when parsing the --star-path command-line argument without validating that the supplied path is a trusted binary."
Attack vector
An attacker who already possesses backup privileges (membership in the backup group) can execute the setuid-root amstar binary with the --star-path argument pointing to an arbitrary executable. Because amstar runs the specified binary as root, the attacker gains a root shell. The exploit requires no special network access; it is a local privilege-escalation attack from the backup user to root [ref_id=1].
Affected code
The vulnerable binary is /usr/lib/amanda/application/amstar, installed setuid-root (mode rwsr-xr--, owned by root, group backup) [ref_id=1]. The flaw lies in how amstar processes the --star-path command-line argument: it runs the user-supplied path with root privileges instead of validating it against a whitelist of trusted binaries.
What the fix does
No patch is included in the bundle. The advisory states that amstar is an Amanda Application API script that "should not be run by users directly" [ref_id=1]. The implied remediation is to remove the setuid-root bit from /usr/lib/amanda/application/amstar or to restrict execution so that only trusted system processes invoke it, thereby preventing unprivileged users from supplying an arbitrary --star-path.
Preconditions
- authAttacker must have backup group membership (gid=34 backup) or otherwise possess the privileges needed to execute the setuid-root amstar binary.
- inputAttacker must be able to supply an arbitrary --star-path argument pointing to a malicious executable.
Reproduction
1. As a user in the backup group, create a shell script (e.g., /tmp/runme.sh containing `#!/bin/sh` then `/bin/sh`). 2. Run `/usr/lib/amanda/application/amstar restore --star-path=/tmp/runme.sh`. 3. Observe that a root shell is obtained [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- www.exploit-db.com/exploits/39244/mitreexploitx_refsource_EXPLOIT-DB
News mentions
0No linked articles in our index yet.