Subject: Re: possible bug in rcp...
From: Dan Stromberg (strombrgNIS.ACS.UCI.EDU)
Date: Thu Nov 23 2000 - 17:13:25 CST


On Wed, Nov 22, 2000 at 02:08:23PM +0000, tlabs wrote:
> On Wed, Nov 22, 2000 at 09:11:20AM +1100, Andrew Griffiths wrote:
> > Here is a possible bug in rcp; since I think it calls system(). I
> > haven't had much time to play with this, because exams are coming up.
> >
> > It is negated because system() calls /bin/cp which with the newer
> > versions of bash, it drops its effective credentials...
> >
> > $ ls -alF `which rcp`
> > -rwsr-xr-x 1 root root 14492 Jul 21 22:43
> > /usr/sbin/rcp
> >
> > $ cd /tmp
> > $ echo bla > bob
> > $ rcp 'bob bobalina; /usrt/bin/id;' 127.0.0.1
> > uid=500(andrewg) gid=500(andrewg) groups=500(andrewg)
> > sh: 127.0.0.1: command not found.
> >
> > Now doing a quick ltrace - it doesn't remove ; and ` and other fun
> > stuff. This could probably be exploited, on older bash versions?
> >
> > It's up to you guys/girls now, I should start to study...
> >
> > Andrew Griffiths
>
> just a wee exploit to help the boys and girls along innit
>
> tlabs

Doesn't work for me.

I prowled around with strace and truss.

Redhat 6.2 doesn't appear to use cp.

Solaris 2.6 does, but the setuid and setgid in the exploit just gave
eperm. rcp appears to be giving up privilege before exec'ing sh.

It'd be nice to have a clear indication of what OSes this is supposed
to work on. The reference to bash above made me suspect a linux
variant, but in light of what strace said, that doesn't sound likely.

-- 
Dan Stromberg                                               UCI/NACS/DCS
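The defect the thread is circling is a setuid program handing a user-supplied path to system(), where the shell interprets `;` and backticks; the mitigation Dan observed in practice is dropping privilege before the exec. The following is an added example, not code from rcp or from anyone in the thread: a metacharacter check of the kind ltrace showed rcp lacking, and a copy routine that exec's /bin/cp directly with no shell and drops setuid/setgid first. The function names and the /tmp sample file are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Characters sh(1) interprets; the report above says rcp passes these
   through to system() unfiltered. Space is included because it splits words. */
static const char SHELL_META[] = ";|&`$<>()\"'\\\n*?[]{}~ \t";

/* Return 1 if s contains any shell metacharacter, else 0. */
int has_shell_meta(const char *s)
{
    return strpbrk(s, SHELL_META) != NULL;
}

/* Copy src to dst by exec'ing /bin/cp directly, with no shell in between,
   so any metacharacters in either path reach cp as literal bytes.
   Privileges are dropped first, as Dan observed rcp doing before its exec.
   Returns cp's exit status, or -1 on fork/exec/wait failure. */
int copy_without_shell(const char *src, const char *dst)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* permanently give up any setuid/setgid privilege before exec */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(127);
        /* "--" stops cp from reading a path that starts with '-' as an option */
        execl("/bin/cp", "cp", "--", src, dst, (char *)NULL);
        _exit(127); /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Write a constructed sample file and copy it without a shell.
   Returns cp's exit status (0 on success); cleans up both files. */
int demo_copy(void)
{
    const char *src = "/tmp/rcp_demo_src.txt"; /* constructed sample path */
    const char *dst = "/tmp/rcp_demo_dst.txt";
    FILE *f = fopen(src, "w");
    if (!f)
        return -1;
    fputs("bla\n", f);
    fclose(f);
    int rc = copy_without_shell(src, dst);
    unlink(src);
    unlink(dst);
    return rc;
}
```

Note that the check is belt-and-braces: once the shell is out of the exec path, a `;` in a filename is just a byte, so the real fix is the exec, not the filter.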

