CVE-2023-30577
Description
AMANDA's SUID binary runtar mishandles argument checking, allowing a local unprivileged backup user to execute arbitrary commands as root via crafted GNU tar options.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AMANDA's SUID binary `runtar` mishandles argument checking, allowing a local unprivileged backup user to execute arbitrary commands as root via crafted GNU tar options.
Vulnerability
In AMANDA (Advanced Maryland Automatic Network Disk Archiver) versions before tag-community-3.5.4, the SUID binary runtar (located in client-src/runtar.c) improperly validates command-line arguments [2]. The binary can accept malicious GNU tar options when presented with a non-argument option starting with --exclude (such as --exclude-vcs). This allows an attacker to pass options like --use-compress-program that point to an attacker-controlled script, which runtar then executes with elevated privileges [2].
Exploitation
To exploit this vulnerability, an attacker must have access to the unprivileged backup user account [2]. The attacker crafts arguments to the SUID runtar binary, including a valid tar operation (e.g., tar --create) and a tar option that runtar incorrectly deems safe (e.g., --exclude-vcs) followed by --use-compress-program pointing to a script the attacker controls [2]. When runtar executes tar with these arguments, it runs the specified script with root privileges [2]. A publicly available proof of concept demonstrates this escalation [2].
Impact
The successful exploitation results in local privilege escalation [2]. The attacker, initially running as the unprivileged backup user, gains root-level command execution, allowing full compromise of the affected system [2].
Mitigation
The vulnerability is fixed in AMANDA release tag-community-3.5.4 [1][2]. Users should upgrade to this version or later. No workarounds are documented in the available references. For distributions like Fedora, package announcements may indicate the fixed version [3][4].
- Release tag-community-3.5.4 · zmanda/amanda
- Local privilege escalation
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YYGJJARVLRBMNWSNXKZBXZNX3M53OVPA/
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7OITHG7FBD7HQRX2XT75GSGWB3D6XSZU/
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
7- AMANDA/Advanced Maryland Automatic Network Disk Archiverdescription
- osv-coords5 versionspkg:rpm/opensuse/amanda&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/amanda&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/amanda&distro=openSUSE%20Tumbleweedpkg:rpm/suse/amanda&distro=SUSE%20Package%20Hub%2015%20SP4pkg:rpm/suse/amanda&distro=SUSE%20Package%20Hub%2015%20SP5
< 3.5.1-bp154.3.6.1+ 4 more
- (no CPE)range: < 3.5.1-bp154.3.6.1
- (no CPE)range: < 3.5.2-bp155.2.3.1
- (no CPE)range: < 3.5.4-1.1
- (no CPE)range: < 3.5.1-bp154.3.6.1
- (no CPE)range: < 3.5.2-bp155.2.3.1
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient argument validation in runtar.c allows non-argument GNU tar options to be accepted, enabling injection of dangerous tar options."
Attack vector
An attacker who already has access to the unprivileged `backup` user can craft arguments to the SUID `runtar` binary. By supplying a non-argument option starting with `--exclude` (such as `--exclude-vcs`), the insufficient argument validation in `runtar` accepts the following option as valid. This allows the attacker to inject `--use-compress-program` pointing to a malicious script, which `runtar` then executes with root privileges [ref_id=1]. The attack is local, requiring only shell access as the `backup` user.
Affected code
The vulnerable code is in `client-src/runtar.c`. The SUID binary `runtar` accepts GNU tar options such as `--exclude-vcs` without proper argument checking, and a non-argument option starting with `--exclude` (e.g., `--exclude-vcs`) is treated as valid, allowing an attacker to pass dangerous options like `--use-compress-program` that execute arbitrary scripts with root privileges.
What the fix does
The patch (available in tag-community-3.5.4) fixes the argument checking logic in `client-src/runtar.c` so that options like `--exclude-vcs` are no longer incorrectly accepted as valid when they are not proper GNU tar arguments. By tightening the validation, the patch prevents an attacker from smuggling dangerous options such as `--use-compress-program` into the tar invocation, thereby blocking the privilege escalation path.
Preconditions
- authAttacker must have shell access as the unprivileged 'backup' user
- configThe SUID binary 'runtar' must be present and executable by the backup user
- networkAttack is performed locally on the same machine
Generated on Jun 14, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OITHG7FBD7HQRX2XT75GSGWB3D6XSZU/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YYGJJARVLRBMNWSNXKZBXZNX3M53OVPA/mitrevendor-advisory
- lists.debian.org/debian-lts-announce/2023/12/msg00003.htmlmitremailing-list
- github.com/zmanda/amanda/releases/tag/tag-community-3.5.4mitre
- github.com/zmanda/amanda/security/advisories/GHSA-crrw-v393-h5q3mitre
News mentions
0No linked articles in our index yet.