search

zmanda / amanda

Amanda Network Backup
https://www.zmanda.com/downloads/
Other
222 stars 107 forks source link

Fixes Open Vulnerability CVE-2022-37705 #194

Closed prajwaltr93 closed 1 year ago

prajwaltr93 commented 1 year ago

Closes one of vulnerabilities discussed on : #192, CVE-2022-37705.

Context:

with careful selection of arguments, runtar binary can be tricked into invoking shell and since it as SUID bit set and owner is root, it spawns a root shell local low privileged user reference

Code Context:

argument check logic for arguments of type --foo bar is being misused to skip parsing malicious arguments.

runtar keeps good_option variable to keep track of good and bad arguments which are in turn passed to the tar command in the exact order specified to runtar.

for arguments of type --foo bar it increments good_option twice ( += 2) accounting for bar to be the next argument and skips checking for it, but --foo bar can also be specified as --foo=bar where value bar is already specified for argument --foo so with good_option still have count >=0 causing immediate argument after this to not checked.

Fix:

For arguemnts of type --foo we only increment count by 1, since there is already a check to account for values to arguments here

        } else if (argv[i][0] != '-') {
        good_option++;
        }
amandaTrusted commented 1 year ago

do a signed commit