[17789] in bugtraq


Re: possible bug in rcp...

daemon@ATHENA.MIT.EDU (Dan Stromberg)
Fri Nov 24 15:36:40 2000

Message-Id: <20001123151325.F1785@seki.acs.uci.edu>
Date: Thu, 23 Nov 2000 15:13:25 -0800
Reply-To: Dan Stromberg <strombrg@NIS.ACS.UCI.EDU>
From: Dan Stromberg <strombrg@NIS.ACS.UCI.EDU>
X-To: tlabs <tlabs@DECEPTIVELY.SHADY.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20001122140823.T35867@deceptively.shady.org>; from tlabs@DECEPTIVELY.SHADY.ORG on Wed, Nov 22, 2000 at 02:08:23PM +0000


On Wed, Nov 22, 2000 at 02:08:23PM +0000, tlabs wrote:
> On Wed, Nov 22, 2000 at 09:11:20AM +1100, Andrew Griffiths wrote:
> > Here is a possible bug in rcp, since I think it calls system(). I
> > haven't had much time to play with this, because exams are coming up.
> >
> > It is negated because system() calls /bin/cp, which, with the newer
> > versions of bash, drops its effective credentials...
> >
> > $ ls -alF  `which rcp`
> > -rwsr-xr-x    1    root    root        14492    Jul 21 22:43
> > /usr/sbin/rcp
> >
> > $ cd /tmp
> > $ echo bla > bob
> > $ rcp 'bob bobalina;  /usr/bin/id;' 127.0.0.1
> > uid=500(andrewg) gid=500(andrewg) groups=500(andrewg)
> > sh: 127.0.0.1: command not found.
> >
> > Now, doing a quick ltrace, it doesn't remove ; and ` and other fun
> > stuff. This could probably be exploited on older bash versions?
> >
> > It's up to you guys/girls now, I should start to study...
> >
> > Andrew Griffiths
>
> just a wee exploit to help the boys and girls along innit
>
> tlabs

Doesn't work for me.

I prowled around with strace and truss.

Redhat 6.2 doesn't appear to use cp.

Solaris 2.6 does, but the setuid and setgid in the exploit just gave
EPERM.  rcp appears to be giving up privilege before exec'ing sh.

It'd be nice to have a clear indication of what OSes this is supposed
to work on.  The reference to bash above made me suspect a linux
variant, but in light of what strace said, that doesn't sound likely.

-- 
Dan Stromberg                                               UCI/NACS/DCS
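The pattern the thread is arguing about, as an added example that is not code from rcp or from anyone in this thread: a setuid program that splices an unchecked file name into a system() command line, beside the form a reviewer would ask for (an argv handed straight to execv, with privileges dropped and re-checked in the child before the exec, which is the EPERM-on-setuid behaviour Dan saw on Solaris). All function names and the sample inputs are hypothetical, and the program does not rely on whatever the local shell does with its effective uid.

```c
/* Added example for this thread (not code from rcp, nor from Andrew,
 * tlabs or Dan).  It models the pattern the thread suspects, a setuid
 * program splicing an unchecked file name into a system() command line,
 * beside the form a reviewer would ask for: no shell, and privileges
 * dropped and re-checked in the child before exec.  All names here are
 * hypothetical. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The suspect pattern: build "cp SRC DST" by concatenation.  Nothing is
 * quoted or escaped, so a name like "bob bobalina;  /usr/bin/id;" reaches
 * /bin/sh -c intact, exactly as Andrew's ltrace suggested.  Returns 0, or
 * -1 if the line would not fit (silent truncation is its own risk). */
static int build_cp_command(char *out, size_t outlen,
                            const char *src, const char *dst)
{
    int n = snprintf(out, outlen, "cp %s %s", src, dst);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Reviewer's check on any string headed for a shell: an allow-list, not
 * a block-list of ';' and '`'.  Returns 1 if anything outside
 * [A-Za-z0-9._/:-] is present (a space counts: it splits words). */
static int has_shell_metachar(const char *s)
{
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (!isalnum(c) && strchr("._/:-", c) == NULL)
            return 1;
    }
    return 0;
}

/* The fix: hand /bin/cp an argv directly, so the whole of SRC is one
 * argument and no shell ever parses it.  The child also drops to the real
 * uid/gid first and verifies the drop the way Dan observed it on Solaris:
 * after a genuine drop, setuid(0) must fail with EPERM.  Returns cp's exit
 * status, 127 if the drop or exec failed, -1 on fork/wait failure. */
static int run_cp_noshell(const char *src, const char *dst)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        uid_t ruid = getuid();
        gid_t rgid = getgid();
        /* gid before uid: once the uid is unprivileged, setgid would fail */
        if (setgid(rgid) != 0 || setuid(ruid) != 0)
            _exit(127);
        if (geteuid() != ruid || getegid() != rgid)
            _exit(127);
        /* if we were root and are no longer, regaining it must be EPERM */
        if (ruid != 0 && (setuid(0) == 0 || errno != EPERM))
            _exit(127);
        char *const cp_argv[] = { "cp", (char *)src, (char *)dst, NULL };
        execv("/bin/cp", cp_argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    /* constructed input: the file name from Andrew's transcript */
    const char *src = argc > 1 ? argv[1] : "bob bobalina;  /usr/bin/id;";
    const char *dst = argc > 2 ? argv[2] : "127.0.0.1";
    char cmd[512];

    if (build_cp_command(cmd, sizeof cmd, src, dst) == 0)
        printf("system() would see: %s\n  metacharacters: %s\n", cmd,
               has_shell_metachar(cmd) ? "yes, shell injection" : "no");

    /* With execv the name is one argument: cp reports a missing file,
     * and no id(1) runs, whatever the local shell does with its euid. */
    int rc = run_cp_noshell(src, dst);
    printf("execv route: cp exited %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Run it as an ordinary user and the system() string comes out with the `;` and the embedded `/usr/bin/id` untouched, while the execv route only produces cp complaining that the oddly named file does not exist. The re-check in the child is the part to keep even if you trust setuid(): Dan's strace/truss result is exactly that check, done from outside, and doing it inside the program means a platform where the drop silently fails turns into a refusal to exec rather than a root shell.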

