Vulnerability Development mailing list archives

Re: possible rcp hole...


From: Luciano Miguel Ferreira Rocha <strange () nsk yi org>
Date: Wed, 22 Nov 2000 09:32:18 -0500

Hello!

On Wed, Nov 22, 2000 at 09:11:20AM +1100, Andrew Griffiths wrote:
> It is negated because system() calls /bin/cp which with the newer
> versions of bash, it drops its effective credentials...

On my system, Red Hat 7.0, the rcp program doesn't call the system function
but a susystem function, that does a setuid(getuid()), so all extra
privileges are lost.

$ rpm -qf /usr/bin/rcp
rsh-0.17-2.2

rcp.c, 396-404:
                (void)setuid(userid);
                args[0] = "sh";
                args[1] = "-c";
                args[2] = s;
                args[3] = NULL;
                /* Defeat C type system to permit passing char ** to execve */
                argsfoo = args;
                memcpy(&argsbar, &argsfoo, sizeof(argsfoo));
                execve(_PATH_BSHELL, argsbar, saved_environ);

hugs
        Luciano Rocha

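The drop-then-exec pattern from the rcp.c excerpt, as an added example that is not code from the rsh package or from this thread. It uses setresuid() (a Linux/BSD extension, assumed here) so the saved uid is cleared as well: on Linux a plain setuid(getuid()) only resets all three ids when the effective uid is root, so a program that is setuid to a non-root account could otherwise regain its privileges in the child. The function names and the check of the result are this example's own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Drop all elevated credentials before spawning a shell.
 * Sets real, effective and saved uid to the caller's real uid, so a later
 * setuid()/seteuid() in the child cannot restore the original effective uid.
 * Returns 0 on success, -1 if the drop failed or did not stick. */
int drop_privileges(void)
{
    uid_t real = getuid();
    uid_t r, e, s;

    if (setresuid(real, real, real) != 0)
        return -1;
    /* Verify rather than assume: all three ids must now be the real uid. */
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    if (r != real || e != real || s != real)
        return -1;
    return 0;
}

/* Same shape as rcp's susystem(): run "sh -c cmd" in a child that has
 * already dropped privileges. Returns the child's exit status, or -1. */
int run_unprivileged(const char *cmd)
{
    pid_t pid = fork();
    int status;

    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *args[] = { "sh", "-c", (char *)cmd, NULL };
        /* Refuse to exec the shell if the drop did not take effect. */
        if (drop_privileges() != 0)
            _exit(127);
        execv("/bin/sh", args);
        _exit(127); /* only reached if execv failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* The shell below reports real == effective uid, even if this binary
     * were installed setuid. */
    return run_unprivileged("id -u; id -un") == 0 ? 0 : 1;
}
```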
