ID CVE-2004-1162 Type cve Reporter NVD Modified 2017-07-10T21:30:47
Description
The unison command in scponly before 4.0 does not properly restrict programs that can be run, which could allow remote authenticated users to bypass intended access restrictions and execute arbitrary programs via the (1) -rshcmd or (2) -sshcmd flags.
{"result": {"osvdb": [{"id": "OSVDB:12183", "type": "osvdb", "title": "scponly scp -S Arbitrary Remote Command Execution", "description": "## Vulnerability Description\nscponly contains a flaw that may allow a remote malicious user to bypass certain security restrictions. The issue is triggered when 'scp -S' is used with scponly. The problem is that some of the predefined applications support flags (-S), which allow command execution. It is possible that the flaw may allow an attacker to bypass the shell restriction and execute arbitrary commands resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 4.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nscponly contains a flaw that may allow a remote malicious user to bypass certain security restrictions. The issue is triggered when 'scp -S' is used with scponly. The problem is that some of the predefined applications support flags (-S), which allow command execution. It is possible that the flaw may allow an attacker to bypass the shell restriction and execute arbitrary commands resulting in a loss of integrity.\n## References:\nVendor URL: http://www.sublimation.org/scponly/\nSecurity Tracker: 1012418\n[Secunia Advisory ID:13369](https://secuniaresearch.flexerasoftware.com/advisories/13369/)\n[Secunia Advisory ID:13364](https://secuniaresearch.flexerasoftware.com/advisories/13364/)\n[Related OSVDB ID: 12182](https://vulners.com/osvdb/OSVDB:12182)\nOther Advisory URL: http://security.gentoo.org/glsa/glsa-200412-01.xml\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-12/0020.html\nISS X-Force ID: 18362\n[CVE-2004-1162](https://vulners.com/cve/CVE-2004-1162)\n", "published": "2004-12-02T09:10:47", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:12183", "cvelist": ["CVE-2004-1162"], "lastseen": "2017-04-28T13:20:07"}], "gentoo": [{"id": "GLSA-200412-01", "type": "gentoo", "title": "rssh, scponly: Unrestricted command execution", "description": "### Background\n\nrssh and scponly are two restricted shells, allowing only a few predefined commands. They are often used as a complement to OpenSSH to provide access to remote users without providing any remote execution privileges. \n\n### Description\n\nJason Wies discovered that when receiving an authorized command from an authorized user, rssh and scponly do not filter command-line options that can be used to execute any command on the target host. \n\n### Impact\n\nUsing a malicious command, it is possible for a remote authenticated user to execute any command (or upload and execute any file) on the target machine with user rights, effectively bypassing any restriction of scponly or rssh. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll scponly users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/scponly-4.0\"\n\nAll rssh users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-shells/rssh/rssh-2.2.3\"", "published": "2004-12-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/200412-01", "cvelist": ["CVE-2004-1162", "CVE-2004-1161"], "lastseen": "2016-09-06T19:46:43"}], "nessus": [{"id": "FREEBSD_PKG_F11B219A44B611D9AE2F021106004FD6.NASL", "type": "nessus", "title": "FreeBSD : rssh & scponly -- arbitrary command execution (f11b219a-44b6-11d9-ae2f-021106004fd6)", "description": "Jason Wies identified both rssh & scponly have a vulnerability that allows arbitrary command execution. He reports :\n\nThe problem is compounded when you recognize that the main use of rssh and scponly is to allow file transfers, which in turn allows a malicious user to transfer and execute entire custom scripts on the remote machine.", "published": "2005-07-13T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=19165", "cvelist": ["CVE-2004-1162", "CVE-2004-1161"], "lastseen": "2017-10-29T13:45:53"}, {"id": "GENTOO_GLSA-200412-01.NASL", "type": "nessus", "title": "GLSA-200412-01 : rssh, scponly: Unrestricted command execution", "description": "The remote host is affected by the vulnerability described in GLSA-200412-01 (rssh, scponly: Unrestricted command execution)\n\n Jason Wies discovered that when receiving an authorized command from an authorized user, rssh and scponly do not filter command-line options that can be used to execute any command on the target host.\n Impact :\n\n Using a malicious command, it is possible for a remote authenticated user to execute any command (or upload and execute any file) on the target machine with user rights, effectively bypassing any restriction of scponly or rssh.\n Workaround :\n\n There is no known workaround at this time.", "published": "2004-12-04T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=15903", "cvelist": ["CVE-2004-1162", "CVE-2004-1161"], "lastseen": "2017-10-29T13:34:05"}], "openvas": [{"id": "OPENVAS:52284", "type": "openvas", "title": "FreeBSD Ports: rssh", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "published": "2008-09-04T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=52284", "cvelist": ["CVE-2004-1162", "CVE-2004-1161"], "lastseen": "2017-07-02T21:10:15"}, {"id": "OPENVAS:54760", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200412-01 (scponly)", "description": "The remote host is missing updates announced in\nadvisory GLSA 200412-01.", "published": "2008-09-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=54760", "cvelist": ["CVE-2004-1162", "CVE-2004-1161"], "lastseen": "2017-07-24T12:50:02"}]}}
