rssh -S Arbitrary Remote Command Execution

2004-12-02T13:51:43
ID OSVDB:12182
Type osvdb
Reporter Jason Wies(jason@xc.net)
Modified 2004-12-02T13:51:43

Description

Vulnerability Description

rssh contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the scp, rdist, and rsync applications permitting flags that specify remote commands for execution. The issues exist with the scp -S, rdist -P, and rsync -e commands.

Solution Description

Upgrade to version 2.2.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

rssh contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the scp, rdist, and rsync applications permitting flags that specify remote commands for execution. The issues exist with the scp -S, rdist -P, and rsync -e commands.

Manual Testing Notes

ssh [victim] 'rsync -e "touch /tmp/example --" localhost:/dev/null /tmp'

scp command.sh [victim]:/tmp/command.sh ssh [victim] 'scp -S /tmp/command.sh localhost:/dev/null /tmp'

References:

Vendor URL: http://www.pizzashack.org/rssh/index.shtml Security Tracker: 1012417 Secunia Advisory ID:13363 Secunia Advisory ID:13379 Related OSVDB ID: 12183 Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200412-01.xml Other Advisory URL: http://security.gentoo.org/glsa/glsa-200412-01.xml Nessus Plugin ID:15903 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-12/0020.html Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-01/0171.html Keyword: TCP port 22 CVE-2004-1161 Bugtraq ID: 11792