Vulnerability Development mailing list archives
Re: possible rcp hole...
From: Joe <joe () blarg net>
Date: Fri, 24 Nov 2000 19:04:43 -0800
On Wed, 22 Nov 2000, H D Moore wrote:
On SuSE 6.4 rcp is not vulnerable. I replaced /bin/sh with this program:
[snip]
The rcp program executed my shell with:
$ rcp 'file1 file2;' 127.0.0.1
Which dropped me into the ubersh, where my privs were still that of my user account. I am pretty sure rcp drops privs before calling anything (only uses it for the port bindings), let alone system, or we would have heard something about this before.
Just for the record, results were identical with my RH 6.2 box. The supplied exploit does create the shell program but without any elevated privs.
--
Joe
Technical Support
General Support: support () blarg net
Blarg! Online Services, Inc.
Voice: 425/401-9821 or 888/66-BLARG
http://www.blarg.net
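
The behaviour reported in this message, a set-uid root program giving up root before it hands control to /bin/sh, can be written as below. This is an added example, not code from rcp or from anyone in the thread; it assumes a set-uid root binary on a POSIX system, and the function names are hypothetical.

```c
/* Added example: not rcp's source. Assumes a set-uid root binary on POSIX. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up set-uid/set-gid privileges; 0 on success, -1 on failure. */
int drop_privs_permanently(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Group first: after the uid drop we would lack permission to change it. */
    if (setgid(rgid) != 0) return -1;
    /* With euid 0, setuid() sets real, effective and saved uid together. */
    if (setuid(ruid) != 0) return -1;

    /* Do not trust return values alone: check the ids and try to climb back. */
    if (geteuid() != ruid || getegid() != rgid) return -1;
    if (old_euid != ruid && seteuid(old_euid) == 0) return -1;
    if (old_egid != rgid && setegid(old_egid) == 0) return -1;
    return 0;
}

/* Hypothetical helper: run cmd through /bin/sh only after the drop succeeded.
   Returns the shell's exit status, or -1 if it could not be run. */
int run_shell_unprivileged(const char *cmd)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privs_permanently() != 0) _exit(126); /* fail closed */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* The shell reports the uid it actually runs with. */
    int rc = run_shell_unprivileged("echo \"shell euid: $(id -u)\"");
    printf("exit status %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Installed set-uid root and run by an ordinary user, the shell prints that user's uid; if any step of the drop fails, the child exits with 126 instead of reaching the shell.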