[Secure-testing-team] Bug#542218: backuppc: Security hole when using rsync and multiple users

David Ambrose-Griffith d.e.ambrose-griffith at durham.ac.uk
Tue Aug 18 14:03:09 UTC 2009


Package: backuppc
Version: 3.1.0-4
Severity: critical
Tags: security
Justification: root security hole


When using an SSH key and rsync with BackupPC on a system with multiple users, users (as opposed to admins) have the ability to change the ClientNameAlias on machines they are listed as owning.
As the BackupPC user has one SSH key, which can be in the authorized keys of many machines (often as root), this allows a user to back up from and restore to any machine that key gives access to, by changing the ClientNameAlias to the target machine and initiating a backup.

I've just tested this, and as an unprivileged user was able to change backing up /scratch on my desktop to /etc on a server and then read /etc/shadow from the server.
Whilst I haven't tested this, I see no reason I couldn't restore to the server as well, thus changing arbitrary files as root (and gaining root access).




-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages backuppc depends on:
ii  adduser                  3.110           add and remove users and groups
ii  apache2                  2.2.9-10+lenny2 Apache HTTP Server metapackage
ii  apache2-mpm-worker [http 2.2.9-10+lenny2 Apache HTTP Server - high speed th
ii  bzip2                    1.0.5-1         high-quality block-sorting file co
ii  debconf [debconf-2.0]    1.5.24          Debian configuration management sy
ii  dpkg                     1.14.25         Debian package management system
ii  libarchive-zip-perl      1.18-1          Module for manipulation of ZIP arc
ii  libcompress-zlib-perl    2.012-1         Perl module for creation and manip
ii  perl [libdigest-md5-perl 5.10.0-19       Larry Wall's Practical Extraction 
ii  perl-suid                5.10.0-19       Runs setuid Perl scripts
ii  samba-common             2:3.2.5-4lenny2 Samba common files used by both th
ii  smbclient                2:3.2.5-4lenny2 a LanManager-like simple client fo
ii  tar                      1.20-1          GNU version of the tar archiving u

Versions of packages backuppc recommends:
ii  libfile-rsyncp-perl          0.68-1.1+b1 A perl based implementation of an 
ii  openssh-client [ssh-client]  1:5.1p1-5   secure shell client, an rlogin/rsh
ii  postfix [mail-transport-agen 2.5.5-1.1   High-performance mail transport ag
ii  rrdtool                      1.3.1-4     Time-series data storage and displ
ii  rsync                        3.0.3-2     fast remote file copy program (lik

Versions of packages backuppc suggests:
pn  par2                          <none>     (no description available)
ii  w3m [www-browser]             0.5.2-2+b1 WWW browsable pager with excellent

-- debconf information excluded
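As an added example (not part of the bug report, and not BackupPC's own code), the following audit script shows how an administrator could detect the condition the report describes: a per-host ClientNameAlias that redirects a host's backups to a machine owned by someone else. It assumes the Debian layout of a BackupPC hosts file (columns: host, dhcp, user, moreUsers) and per-host config files whose text contains a `$Conf{ClientNameAlias} = '...';` line; the sample hosts file, host configs and the admin-maintained allowlist of legitimate aliases are all constructed here for illustration.

```python
import re

# Constructed sample of a BackupPC hosts file (format: host dhcp user moreUsers).
HOSTS_SAMPLE = """\
host        dhcp    user          moreUsers
desktop01   0       alice
desktop02   0       bob           carol,dave
server01    0       backupadmin
"""

# Constructed per-host config contents, keyed by host name
# (on Debian this is the text of /etc/backuppc/<host>.pl).
HOST_CONFIGS_SAMPLE = {
    "desktop01": "$Conf{XferMethod} = 'rsync';\n$Conf{ClientNameAlias} = 'server01';\n",
    "desktop02": "$Conf{ClientNameAlias} = 'desktop02.lab.example';\n",
    "server01": "$Conf{XferMethod} = 'rsync';\n",
}

# Hypothetical admin-maintained allowlist: host -> alias the admin approved.
ALLOWED_ALIASES = {"desktop02": "desktop02.lab.example"}

# Matches a quoted ClientNameAlias assignment; an 'undef' value does not match.
ALIAS_RE = re.compile(r"""^\s*\$Conf\{ClientNameAlias\}\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)


def parse_hosts(text):
    """Return {host: set(owning users)} from a BackupPC hosts file."""
    owners = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if fields[0] == "host":  # column header line
            continue
        users = set()
        if len(fields) > 2:
            users.add(fields[2])
        if len(fields) > 3:
            users.update(u for u in fields[3].split(",") if u)
        owners[fields[0]] = users
    return owners


def parse_alias(config_text):
    """Return the ClientNameAlias string from a per-host config, or None."""
    m = ALIAS_RE.search(config_text)
    return m.group(1) if m else None


def audit(hosts_text, host_configs, allowed):
    """Flag aliases that point a host's backups at a machine its owners do not own.

    Each finding is a dict with the host, the alias, a kind and the set of users
    who would gain access to the alias target through this host entry.
    """
    owners = parse_hosts(hosts_text)
    findings = []
    for host, cfg in sorted(host_configs.items()):
        alias = parse_alias(cfg)
        if alias is None or alias == host:
            continue  # no redirection
        if allowed.get(host) == alias:
            continue  # admin-approved alias (e.g. an FQDN for the same box)
        host_owners = owners.get(host, set())
        if alias not in owners:
            # Alias names a machine BackupPC does not list at all.
            findings.append({"host": host, "alias": alias,
                             "kind": "unknown-target", "users": host_owners})
            continue
        gained = host_owners - owners[alias]
        kind = "cross-owner" if gained else "unlisted-alias"
        findings.append({"host": host, "alias": alias, "kind": kind, "users": gained})
    return findings


if __name__ == "__main__":
    for f in audit(HOSTS_SAMPLE, HOST_CONFIGS_SAMPLE, ALLOWED_ALIASES):
        print(f"{f['kind']}: {f['host']} -> {f['alias']} "
              f"(users gaining access: {', '.join(sorted(f['users'])) or 'none'})")
```

On the sample data the script reports the redirection of desktop01 to server01 as a cross-owner finding, because alice owns desktop01 but not server01; the desktop02 alias is allowlisted and produces nothing. In practice the hosts file and each `<host>.pl` would be read from the BackupPC config directory and the script run from cron, with the allowlist kept in a file only admins can edit.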




