scponly -- local privilege escalation exploits

2005-12-21T00:00:00
ID B5A49DB7-72FC-11DA-9827-021106004FD6
Type freebsd
Reporter FreeBSD
Modified 2005-12-21T00:00:00

Description

Max Vozeler reports:

If ALL the following conditions are true, administrators using scponly-4.1 or older may be at risk of a local privilege escalation exploit:

- the chrooted setuid scponlyc binary is installed
- regular non-scponly users have interactive shell access to the box
- a user executable dynamically linked setuid binary (such as ping) exists on the same file system mount as the user's home directory
- the operating system supports an LD_PRELOAD style mechanism to overload dynamic library loading

Pekka Pessi also reports:

If ANY of the following conditions are true, administrators using scponly-4.1 or older may be at risk of a local privilege escalation exploit:

- scp compatibility is enabled
- rsync compatibility is enabled
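
An administrator can check a host against the first and third conditions in Max Vozeler's list with a short audit script. This is an added example, not part of the advisory or of scponly; the function names and the paths passed to them are assumptions, and the script does not test whether a hit is dynamically linked.

```shell
#!/bin/sh
# Added audit sketch for two of the conditions in Max Vozeler's list.
# Function names and argument paths are assumptions, not scponly tooling.

# Print the device id of the file system holding $1.
# Tries GNU/busybox stat syntax first, then BSD stat syntax.
dev_of() {
    stat -c %d "$1" 2>/dev/null || stat -f %d "$1"
}

# Condition "the chrooted setuid scponlyc binary is installed":
# succeeds if $1 is a regular file with the setuid bit set.
scponlyc_is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Condition "a user executable ... setuid binary exists on the same
# file system mount as the user's home directory":
# list setuid files under $1 that are executable by "other" and live
# on the same device as home directory $2. Linkage (dynamic or static)
# of each hit must still be checked separately, e.g. with file(1).
setuid_on_home_fs() {
    home_dev=$(dev_of "$2") || return 2
    find "$1" -type f -perm -4000 -perm -0001 2>/dev/null |
    while IFS= read -r f; do
        if [ "$(dev_of "$f")" = "$home_dev" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Script usage: audit.sh SCPONLYC_PATH SEARCH_ROOT HOME_DIR
if [ "$#" -eq 3 ]; then
    if scponlyc_is_setuid "$1"; then
        echo "setuid scponlyc present: $1"
    fi
    echo "user-executable setuid files sharing a file system with $3:"
    setuid_on_home_fs "$2" "$3"
fi
```

An empty list from `setuid_on_home_fs` for every home directory means the third condition is not met under the search root that was scanned.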