[13] in Best-of-Security
BoS: Linux rcp bug
daemon@ATHENA.MIT.EDU (Wietse Venema)
Wed Feb 5 03:49:50 1997
From: wietse@porcupine.org (Wietse Venema)
Date: Tue, 4 Feb 1997 16:03:21 -0500 (EST)
In-Reply-To: <Pine.LNX.3.95.970204002539.31789k-100000@ns1.fni.com> from "Michael Brennen" at Feb 4, 97 00:26:24 am
Reply-To: best-of-security@suburbia.net
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net
> SUMMARY: Root privileges can be obtained by user nobody with uid 65535 by
> exploiting a problem with /usr/bin/rcp. [server keeps root privileges]
Interesting to see old problems come back again. I reported this in 1987.
Wietse
-----BEGIN PGP SIGNED MESSAGE-----
CA-89:07
CERT Advisory
October 26, 1989
Sun RCP vulnerability
- -----------------------------------------------------------------------------
A problem has been discovered in the SunOS 4.0.x rcp. If exploited,
this problem can allow users of other trusted machines to execute
root-privilege commands on a Sun via rcp.
This affects only SunOS 4.0.x systems; 3.5 systems are not affected.
A Sun running 4.0.x rcp can be exploited by any other trusted host
listed in /etc/hosts.equiv or /.rhosts. Note that the other machine
exploiting this hole does not have to be running Unix; this
vulnerability can be exploited by a PC running PC/NFS, for example.
This bug will be fixed by Sun in version 4.1 (Sun Bug number 1017314),
but for now the following workaround is suggested by Sun:
Change the 'nobody' /etc/passwd file entry from
nobody:*:-2:-2::/:
to
nobody:*:32767:32767:Mismatched NFS ID's:/nonexistant:/nosuchshell
If you need further information about this problem, please contact
CERT by electronic mail or phone.
- -----------------------------------------------------------------------------
Computer Emergency Response Team (CERT)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Internet: cert@cert.org
Telephone: 412-268-7090 24-hour hotline: CERT personnel answer
7:30a.m.-6:00p.m. EST, on call for
emergencies other hours.
Past advisories and other information are available for anonymous ftp
from cert.org (192.88.209.5).
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMaMwdHVP+x0t4w7BAQEBIgQAiCG7EKfDyc4uiFM7XLDu8QV07sgVLu/t
DZjjt8zURlBvjlkPf2NLdZr15w+DrtjHKFwbUPMEfy7k9K3CHOVi7o1CeTsBQPhD
JCQvzjGZ4RBHz7oC857qkecV45DAh1hgX5bYYZqDFFgqtDaIIMZ7bXuz9C+lky45
YVshgM88QO4=
=p0DR
-----END PGP SIGNATURE-----