CVE-2022-37705

Vulnerability

A privilege escalation vulnerability exists in Amanda 3.5.1 within the runtar SUID binary, which is a wrapper for /usr/bin/tar. The program fails to properly validate arguments passed to tar; it expects arguments in the form --ARG VALUE but also accepts --ARG=VALUE as a single argument. This discrepancy allows an attacker to inject malicious options that bypass the intended argument filtering [2]. The affected component is the runtar binary, and the flawed logic is in runtar.c starting at line 162 [2].

Exploitation

An attacker must have local access as the backup user (or any user in the backup group). The exploit involves executing runtar with crafted arguments such as --checkpoint-action=exec=/bin/sh to spawn a root shell. The PoC provided in [2] demonstrates the exact command: ./runtar NOCONFIG tar --create --file=/dev/null --checkpoint=1 --directory=. --checkpoint-action=exec=/bin/sh /dev/null. This causes tar to execute the specified command with root privileges due to the SUID bit on runtar.

Impact

Successful exploitation grants the attacker full root privileges on the system. This leads to complete compromise, including arbitrary code execution, information disclosure (e.g., reading /etc/shadow), denial of service, and privilege escalation from the backup user to root [2]. The attacker can perform any action as the superuser.

Mitigation

The vulnerability is fixed in Amanda version 3.5.3, released on March 15, 2023 [1]. The fix is described in pull requests [3] and [4], which adjust the argument counting logic in runtar.c to correctly handle --ARG=VALUE syntax. Users should upgrade to Amanda 3.5.3 or later. No workaround is available for version 3.5.1; upgrading is the only mitigation.