Vulnerability Development mailing list archives
Re: possible rcp hole...
From: Luciano Miguel Ferreira Rocha <strange () nsk yi org>
Date: Wed, 22 Nov 2000 09:32:18 -0500
Hello! On Wed, Nov 22, 2000 at 09:11:20AM +1100, Andrew Griffiths wrote:
> It is negated because system() calls /bin/cp which with the newer versions of bash, it drops its effective credentials...
On my system, Red Hat 7.0, the rcp program doesn't call the system function but a susystem function, which does a setuid(getuid()), so all extra privileges are lost.

$ rpm -qf /usr/bin/rcp
rsh-0.17-2.2

rcp.c, 396-404:

    (void)setuid(userid);
    args[0] = "sh";
    args[1] = "-c";
    args[2] = s;
    args[3] = NULL;
    /* Defeat C type system to permit passing char ** to execve */
    argsfoo = args;
    memcpy(&argsbar, &argsfoo, sizeof(argsfoo));
    execve(_PATH_BSHELL, argsbar, saved_environ);

hugs
Luciano Rocha
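Added example, not code from the thread or from the rsh package: the same drop-then-exec pattern as rcp's susystem(), but written so that a setuid() that fails or does not take effect stops the shell from running instead of being discarded with a (void) cast. The fixed /bin/sh path and the minimal constructed environment are assumptions, not taken from rcp.c.

```c
/* Privilege-dropping command runner modelled on the susystem() pattern,
 * with the checks that the (void)setuid(userid) in rcp.c leaves out. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Permanently drop to the invoking user's real uid and verify it stuck.
 * Returns 0 on success, -1 if setuid() fails or any uid still differs. */
static int drop_to_real_uid(void)
{
    uid_t real = getuid();
    if (setuid(real) != 0)
        return -1;              /* setuid() can fail, e.g. under resource limits */
    if (geteuid() != real || getuid() != real)
        return -1;              /* privileges were not actually dropped */
    return 0;
}

/* Run "sh -c cmd" as the real user. Returns the shell's exit status, or -1 on
 * fork/wait failure; the child exits 127 if it cannot drop privileges or exec. */
static int run_as_real_user(const char *cmd)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_to_real_uid() != 0)
            _exit(127);         /* never run the shell with elevated rights */
        char *args[] = { "sh", "-c", (char *)cmd, NULL };
        /* Constructed minimal environment (assumption): nothing inherited */
        char *env[] = { "PATH=/usr/bin:/bin", NULL };
        execve("/bin/sh", args, env);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("drop_to_real_uid: %d\n", drop_to_real_uid());
    printf("exit status of 'exit 3': %d\n", run_as_real_user("exit 3"));
    return 0;
}
```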
Current thread:
- possible rcp hole... Andrew Griffiths (Nov 22)
- Re: possible rcp hole... Luciano Miguel Ferreira Rocha (Nov 23)
- Re: possible rcp hole... H D Moore (Nov 25)
- Re: possible rcp hole... Joe (Nov 27)