Vulnerability Development mailing list archives

Re: possible rcp hole...


From: Joe <joe () blarg net>
Date: Fri, 24 Nov 2000 19:04:43 -0800

On Wed, 22 Nov 2000, H D Moore wrote:

On SuSE 6.4 rcp is not vulnerable. I replaced /bin/sh with this program:

[snip]
The rcp program executed my shell with:

$ rcp 'file1 file2;' 127.0.0.1

Which dropped me into the ubersh, where my privs were still that of my user
account.  I am pretty sure rcp drops privs before calling anything (only uses
it for the port bindings), let alone system, or we would have heard something
about this before.

Just for the record, results were identical with my RH 6.2 box. The supplied
exploit does create the shell program but without any elevated privs.

--
Joe                                     Technical Support
General Support:  support () blarg net     Blarg! Online Services, Inc.
Voice:  425/401-9821 or 888/66-BLARG    http://www.blarg.net
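As an added example (not code from this thread or from any rcp implementation), here is the pattern Joe describes in C: keep root only for the reserved-port bind, permanently drop to the invoking user before running anything, verify that the drop took, and exec the subcommand as an argv array instead of handing a string to system()/sh -c. The function names, the shell-metacharacter list and the sample arguments are my own choices; the code assumes a Linux or BSD libc where setuid()/setgid() with effective uid 0 reset the real, effective and saved ids together.

```c
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop to the invoking user's real ids. Groups first: once the
 * effective uid is no longer 0 the gid can no longer be changed. With euid 0,
 * setuid()/setgid() set real, effective and saved ids at once.
 * Returns 0 on success, -1 on failure (errno set). */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;
    return 0;
}

/* Check that the drop really happened: effective ids equal real ids, and a
 * process that is no longer root must not be able to get root back through
 * a lingering saved uid. Returns 1 if privileges are fully dropped. */
int privileges_dropped(void)
{
    if (geteuid() != getuid() || getegid() != getgid())
        return 0;
    if (getuid() != 0 && setuid(0) == 0)
        return 0;               /* saved uid 0 survived: not really dropped */
    return 1;
}

/* Flag an argument that a remote shell would interpret (the ';' from the
 * test command in the thread, plus the usual quoting, globbing and
 * redirection characters). Returns 1 if any such character is present. */
int has_shell_metachars(const char *arg)
{
    static const char meta[] = ";|&<>$`\\\"'*?[]~{}()\n\t ";
    return strpbrk(arg, meta) != NULL;
}

/* Run a subcommand after dropping privileges in the child, exec'ing argv
 * directly rather than through system()/sh -c, so no shell ever parses the
 * arguments. Returns the child's exit status, or -1 on error. */
int run_unprivileged(char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0 || !privileges_dropped())
            _exit(127);
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample arguments: the one from the thread and a plain name. */
    const char *samples[] = { "file1 file2;", "report.txt" };
    char *const argv[] = { "id", "-u", NULL };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s metachars=%d\n", samples[i], has_shell_metachars(samples[i]));

    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("dropped=%d uid=%d euid=%d\n", privileges_dropped(),
           (int)getuid(), (int)geteuid());
    return run_unprivileged(argv) == 0 ? 0 : 1;
}
```

Run as an ordinary user the setgid()/setuid() calls are no-ops that succeed; run as a setuid-root binary the second printf shows uid and euid equal to the invoking user and `id -u` in the child reports the same, which is the behaviour Joe and H D Moore observed from rcp. The check in privileges_dropped() is the part most often skipped: a program that only sets the effective uid leaves a saved uid 0 behind, and setuid(0) succeeding there is the symptom.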

