oss-sec mailing list archives

Re: CVE Request: rssh command-line parsing vulnerability


From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 10 Aug 2012 23:03:30 -0600

On 08/10/2012 02:53 PM, Russ Allbery wrote:
> Hello all,
>
> I'm the Debian maintainer of the rssh package, which has a
> security vulnerability in its command-line parsing disclosed some
> time back on the rssh mailing list and on BUGTRAQ.  I'm preparing a
> security update for Debian and would like a CVE for tracking
> purposes.
>
> The security advisory from the upstream maintainer is at:
> http://sourceforge.net/mailarchive/message.php?msg_id=29235647
>
> Here are the relevant contents:
>
> | rssh is a shell for restricting SSH access to a machine to only scp,
> | sftp, or a small set of similar applications.
> |
> | http://www.pizzashack.org/rssh/
> |
> | Henrik Erkkonen has discovered that, through clever manipulation of
> | environment variables on the ssh command line, it is possible to
> | circumvent rssh.  As far as I can tell, there is no way to effect a
> | root compromise, except of course if the root account is the one
> | you're attempting to protect with rssh...
> | [...]
> |
> | Note in particular that ensuring that the AcceptEnv sshd configuration
> | option need not be turned on for this exploit to work.
>
> I think this would fit the definition of "local privilege
> escalation" in that it allows users with a restricted shell to run
> commands they shouldn't be able to run.
>
> The last two messages on the thread linked above contain a patch.
> (Be aware that they've been mangled by the Sourceforge mailing list
> archive, so you have to download them to see them.)  There has been
> no subsequent formal release, just the patch in that thread.

Not sure why I didn't get this a CVE earlier, please use CVE-2012-3478
for this issue. Red Hat reference:
https://bugzilla.redhat.com/show_bug.cgi?id=820414



-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
