Bugtraq mailing list archives
Re: possible bug in rcp...
From: Roman Drahtmueller <draht () SUSE DE>
Date: Fri, 24 Nov 2000 01:43:22 +0100
Here is a possible bug in rcp, since I think it calls system(). I haven't had much time to play with this, because exams are coming up. It is negated because system() calls /bin/cp which, with the newer versions of bash, drops its effective credentials...
[...]
$ rcp 'bob bobalina; /usrt/bin/id;' 127.0.0.1
uid=500(andrewg) gid=500(andrewg) groups=500(andrewg)
sh: 127.0.0.1: command not found.

Now doing a quick ltrace - it doesn't remove ; and ` and other fun stuff. This could probably be exploited, on older bash versions? It's up to you guys/girls now, I should start to study...

Andrew Griffiths

just a wee exploit to help the boys and girls along innit tlabs
The code below reveals the sequence

	vfork();
	setuid(getuid());
	execve("/bin/sh", args, envp);

=> if you do shell escape-tricks, it bites you back.
Since your daemon on the server side runs `rcp -t <target-dir>´ from a
shell, the following can happen: `rcp foo remhost:'/tmp;chmod 777 .'´
But then again, if it hurts, why do you do it?
	/* child of vfork(): drop to the invoking user's uid before any shell runs */
	if (setuid(userid)) {
		fprintf(stderr, "rcp: child: setuid: %s\n",
		    strerror(errno));
		_exit(1);
	}
	/* s is the command line rcp assembled from its arguments; it is handed
	   to "sh -c" verbatim, so shell metacharacters in it are interpreted */
	args[0] = "sh";
	args[1] = "-c";
	args[2] = s;
	args[3] = NULL;
	/* Defeat C type system to permit passing char ** to
	   execve */
	argsfoo = args;
	memcpy(&argsbar, &argsfoo, sizeof(argsfoo));
	execve(_PATH_BSHELL, argsbar, saved_environ);
	_exit(127);
Roman.
--
Roman Drahtmüller <draht () suse de>          // "Caution: Cape does
SuSE GmbH - Security, Phone +49-911-740530    // not enable user to fly."
Nürnberg, Germany                             // (Batman Costume warning label)
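An added example (my own code, not from this thread, rcp or netkit): the remote-side `rcp -t <dir>` line discussed above, built once with the directory spliced in verbatim and once with it single-quoted so the remote shell receives it as one argument. The function names and the sample directory are constructed for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Wrap s in single quotes for a POSIX shell, turning each embedded single
 * quote into '\'' so nothing in s is parsed as a metacharacter. Caller frees. */
char *shell_quote(const char *s)
{
    size_t n = strlen(s), quotes = 0;
    for (const char *p = s; *p; p++)
        quotes += (*p == '\'');
    char *out = malloc(n + 2 + quotes * 3 + 1); /* quotes + escapes + NUL */
    if (!out) return NULL;
    char *q = out;
    *q++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(q, "'\\''", 4); q += 4; }
        else *q++ = *p;
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}

/* Build the "rcp -t <dir>" line that the remote rshd hands to the user's
 * shell. quoted == 0 splices dir in verbatim (the behaviour the thread
 * describes); quoted != 0 single-quotes it first. Caller frees the result. */
char *build_rcp_target_cmd(const char *dir, int quoted)
{
    char *q = quoted ? shell_quote(dir) : NULL;
    if (quoted && !q)
        return NULL;
    const char *arg = quoted ? q : dir;
    size_t len = strlen("rcp -t ") + strlen(arg) + 1;
    char *cmd = malloc(len);
    if (cmd) snprintf(cmd, len, "rcp -t %s", arg);
    free(q);
    return cmd;
}

int main(void)
{
    const char *dir = "/tmp;chmod 777 ."; /* constructed, from the thread's example */
    char *raw = build_rcp_target_cmd(dir, 0), *safe = build_rcp_target_cmd(dir, 1);
    printf("verbatim: %s\nquoted:   %s\n", raw, safe);
    free(raw);
    free(safe);
    return 0;
}
```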