Vulnerability Development mailing list archives
possible rcp hole...
From: Andrew Griffiths <griffiths_a () scholar don tased edu au>
Date: Wed, 22 Nov 2000 09:11:20 +1100
Here is a possible bug in rcp; since I think it calls system(). I haven't had much time to play with this, because exama are coming up. It is negated because system() calls /bin/cp which with the newer versions of bash, it drops it's effective credientals... $ ls -alF `which rcp` -rwsr-xr-x 1 root root 14492 Jul 21 22:43 /usr/sbin/rcp $ cd /tmp $ echo bla > bob $ rcp 'bob bobalina; /usrt/bin/id;' 127.0.0.1 uid=500(andrewg) gid=500(andrewg) groups=500(andrewg) sh: 127.0.0.1: command not found. Now doing a quick ltrace - it doesn't remove ; and ` and other fun stuff. This could probably be exploited, on older bash bersions? It's up to you guys/girls now, I should start to study... Andrew Griffiths
Current thread:
- possible rcp hole... Andrew Griffiths (Nov 22)
- Re: possible rcp hole... Luciano Miguel Ferreira Rocha (Nov 23)
- Re: possible rcp hole... H D Moore (Nov 25)
- Re: possible rcp hole... Joe (Nov 27)