[17784] in bugtraq
Re: possible bug in rcp...
daemon@ATHENA.MIT.EDU (Roman Drahtmueller)
Fri Nov 24 15:03:56 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: 8BIT
Message-Id: <Pine.LNX.4.21.0011240128110.8230-100000@dent.suse.de>
Date: Fri, 24 Nov 2000 01:43:22 +0100
Reply-To: Roman Drahtmueller <draht@SUSE.DE>
From: Roman Drahtmueller <draht@SUSE.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20001122140823.T35867@deceptively.shady.org>
> > Here is a possible bug in rcp; since I think it calls system(). I
> > haven't had much time to play with this, because exams are coming up.
> >
> > It is negated because system() calls /bin/cp which with the newer
> > versions of bash, it drops its effective credentials...
[...]
> > $ rcp 'bob bobalina; /usrt/bin/id;' 127.0.0.1
> > uid=500(andrewg) gid=500(andrewg) groups=500(andrewg)
> > sh: 127.0.0.1: command not found.
> >
> > Now doing a quick ltrace - it doesn't remove ; and ` and other fun
> > stuff. This could probably be exploited, on older bash versions?
> >
> > It's up to you guys/girls now, I should start to study...
> >
> > Andrew Griffiths
>
> just a wee exploit to help the boys and girls along innit
>
> tlabs
The code below reveals the sequence vfork(); setuid(getuid());
execve("/bin/sh",args,envp);
=> if you do shell escape-tricks, it bites you back.
Since your daemon on the server side runs `rcp -t <target-dir>' from a
shell, the following can happen: `rcp foo remhost:'/tmp;chmod 777 .''
But then again, if it hurts, why do you do it?
        if (setuid(userid)) {                   /* vfork() child: drop to the caller's uid */
                fprintf(stderr, "rcp: child: setuid: %s\n",
                    strerror(errno));
                _exit(1);
        }
        args[0] = "sh";                         /* the command string s goes to "sh -c" ... */
        args[1] = "-c";
        args[2] = s;                            /* ... unquoted, so ; ` $ etc. are interpreted */
        args[3] = NULL;
        /* Defeat C type system to permit passing char ** to
           execve */
        argsfoo = args;
        memcpy(&argsbar, &argsfoo, sizeof(argsfoo));
        execve(_PATH_BSHELL, argsbar, saved_environ);
        _exit(127);
Roman.
--
- -
| Roman Drahtmüller <draht@suse.de> // "Caution: Cape does |
  SuSE GmbH - Security Phone: // not enable user to fly."
| Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) |
- -
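The shell-interpretation problem the thread describes, beside the two usual fixes, as an added C example (not from the thread or from rcp's source): the same `; ...` suffix handed to `sh -c` unquoted, single-quoted for the shell, and passed as an argv element with no shell at all. The `run_argv`, `run_via_shell`, `shell_quote` and `demo_*` helpers are assumed names; the block assumes a POSIX system with `sh` and `true` on PATH.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* fork + execvp argv[] and return the child's exit status (-1 on error).
 * No shell is involved, so each argv element reaches the program as-is. */
static int run_argv(char *const argv[])
{
    int st; pid_t pid = fork();
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    if (pid < 0 || waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* The rcp pattern: one string handed to "sh -c", every metacharacter honoured. */
static int run_via_shell(const char *cmd)
{
    char *argv[] = { "sh", "-c", (char *)cmd, NULL };
    return run_argv(argv);
}

/* Single-quote an argument for a POSIX shell: wrap in '...', rewrite each
 * embedded ' as '\''. This is what a string needs before it crosses a remote
 * shell, as the "rcp -t <dir>" server command does. -1 if out is too small. */
static int shell_quote(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz < 3) return -1;
    out[n++] = '\'';
    for (; *in; in++) {
        size_t len = (*in == '\'') ? 4 : 1;
        if (n + len + 2 > outsz) return -1;      /* keep room for ' and NUL */
        memcpy(out + n, (*in == '\'') ? "'\\''" : in, len);
        n += len;
    }
    out[n++] = '\''; out[n] = '\0';
    return 0;
}

/* The same argument three ways; "; exit 7" stands in for ";chmod 777 .". */
static int demo_unquoted(void) { return run_via_shell("true; exit 7"); }  /* 7 */
static int demo_quoted(void)
{
    char q[32], cmd[48];
    if (shell_quote("; exit 7", q, sizeof q) < 0) return -1;
    snprintf(cmd, sizeof cmd, "true %s", q);
    return run_via_shell(cmd);                                             /* 0 */
}
static int demo_argv(void) { char *a[] = { "true", "; exit 7", NULL }; return run_argv(a); } /* 0 */
```

Only the unquoted `sh -c` call lets the `; exit 7` suffix run as a command; quoting it, or skipping the shell entirely, hands it to `true` as a plain argument.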