[UNIX] Rssh and Scponly Arbitrary Command Execution

Subject: [UNIX] Rssh and Scponly Arbitrary Command Execution
Date: 16 Dec 2004 15:03:01 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Rssh and Scponly Arbitrary Command Execution
------------------------------------------------------------------------


SUMMARY

rssh (http://www.pizzashack.org/rssh/index.shtml) and scponly 
(http://www.sublimation.org/scponly/) are restricted shells that are 
designed to allow execution only of certain preset programs. Both are 
used to grant a user the ability to transfer files to and from a remote 
host without granting full shell access. Because most of the preset 
programs offer options that execute other programs, arbitrary command 
execution on the remote host is possible.

DETAILS

rssh allows any of five predefined programs to be executed on the remote 
host depending on the configuration. Those that are known to be vulnerable 
in combination with the techniques described in this posting are marked 
with an asterisk.
 * scp*
 * sftp-server
 * cvs
 * rdist*
 * rsync*

scponly allows a number of predefined programs to be executed on the 
remote host depending on compile-time options. Those that are known to be 
vulnerable when used with scponly:
 * scp
 * rsync
 * unison (*untested)

The program execution options that these programs offer:
rdist -P <program>
rsync -e <program>
scp -S <program>
unison -rshcmd <program>
unison -sshcmd <program>

These options allow the user to specify the location of the shell to use 
when connecting to the remote host. No restriction is placed on what 
programs may be specified by these options, and rssh and scponly do not 
filter these options out. The end result is that although a user may be 
restricted by rssh or scponly to running e.g. only /usr/bin/scp, they can 
in fact execute any program using /usr/bin/scp -S <program>.

The problem is compounded when you recognize that the main use of rssh and 
scponly is to allow file transfers, which in turn allows a malicious user 
to transfer and execute entire custom scripts on the remote machine.

rssh with sftp-server does not appear to be vulnerable. rssh with cvs is 
also not vulnerable using these techniques. However, it is quite probable 
that a malicious user could check out a carefully crafted CVS repository 
and execute arbitrary commands using CVS's hooks interface.

Examples:
 ssh restricteduser@remotehost 'rsync -e "touch /tmp/example --" localhost:/dev/null /tmp'
 scp command.sh restricteduser@remotehost:/tmp/command.sh
 ssh restricteduser@remotehost 'scp -S /tmp/command.sh localhost:/dev/null /tmp'

Solution:
There are no workarounds for this problem.

Jason has talked with the author of rssh, Derek Martin. He is currently 
indisposed for an indefinite period of time due to changing countries and 
having no permanent home at the present moment. Moreover he has other 
priorities and has lost interest in maintaining the program. He has 
offered to assist anyone who would like to take over maintainership of 
rssh, but he does not intend to provide a fix for the current problem. 
Given this fact, Jason would strongly recommend against using rssh at this 
time.

The author of scponly, Joe Boyle, has prepared a new release, version 4.0, 
that addresses the current problem.

Distributor updates have been coordinated with this posting and should be 
available soon.

Jason thinks the long-term solution for those needing a highly secure 
restricted shell is to allow granular configuration by administrators of 
which options and arguments, if any, are allowed to be specified for which 
programs. In the most restricted case entire command lines would be stored 
on the remote host and the client would be allowed only to select from the 
list of available command lines. I'm not aware of any software that offers 
these capabilities today.
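As an added example (not code from the advisory, rssh or scponly), here is a forced-command filter in the spirit of the granular option control proposed above: it parses the command line a client requested, accepts only the configured programs, and rejects the program-execution options listed in this advisory, including rsync's long form --rsh and clustered short options such as "-ae ssh". It goes beyond the page in one respect: an rsync client starts the remote side as "rsync --server ... -e.<flags>", where -e carries protocol flags rather than a shell, so that form alone is allowed. The function name check_command and the EXEC_OPTIONS table are assumptions made here.

```python
import os
import shlex

# Program-execution options named in the advisory, per program:
# (single-letter options that take a program, whole-word options that take a program).
# "--rsh" is rsync's long form of "-e" and is an addition to the advisory's list.
EXEC_OPTIONS = {
    "scp":    ({"S"}, set()),
    "rsync":  ({"e"}, {"--rsh"}),
    "rdist":  ({"P"}, set()),
    "unison": (set(), {"-rshcmd", "-sshcmd"}),
}

def check_command(cmdline, allowed_programs=("scp", "rsync")):
    """Return (ok, reason) for the command line a client asked for (SSH_ORIGINAL_COMMAND)."""
    try:
        argv = shlex.split(cmdline)
    except ValueError as exc:
        return False, f"unparseable command line: {exc}"
    if not argv:
        return False, "empty command"
    prog = argv[0].rsplit("/", 1)[-1]  # the wrapper must exec its own fixed path, never argv[0]
    if prog not in allowed_programs:
        return False, f"program not permitted: {argv[0]}"
    short_opts, long_opts = EXEC_OPTIONS.get(prog, (set(), set()))
    # rsync clients start the remote side with "--server" and pass protocol flags as "-e.iLsfx";
    # in that mode -e is not a remote shell, so only a value beginning with "." is accepted.
    server_mode = prog == "rsync" and "--server" in argv
    args = argv[1:]
    for i, arg in enumerate(args):
        if arg.split("=", 1)[0] in long_opts:
            return False, f"program-execution option rejected: {arg}"
        if not arg.startswith("-") or arg.startswith("--"):
            continue
        cluster = arg[1:]  # clustered short options, e.g. "-ae ssh" or "-logDtpre.iLsfx"
        for letter in short_opts:
            pos = cluster.find(letter)
            if pos < 0:
                continue
            value = cluster[pos + 1:] or (args[i + 1] if i + 1 < len(args) else "")
            if server_mode and letter == "e" and value.startswith("."):
                continue
            return False, f"program-execution option rejected: -{letter} {value!r}"
    return True, "ok"

if __name__ == "__main__":
    # Use as an SSH forced command: decide on the client's request before exec'ing the real program.
    ok, reason = check_command(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    print(("ALLOW " if ok else "DENY  ") + reason)
```

Blocking only the options the advisory names is the minimum; the stored-command-line approach described above, where the client may only select from a list, is the stronger policy.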


ADDITIONAL INFORMATION

The information has been provided by Jason Wies (jason@xc.net).


