The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #254 [Rich Salz took me up on my rcp(d?) bug hunt...] (1 message, 717 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/254.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: Paul A Vixie <vixie@decwrl.dec.com>
To: phage
Date: Tue 01:56:33 15/11/1988 EST
Subject: Rich Salz took me up on my rcp(d?) bug hunt...

Anyone else want to take it further?

Paul

------- Forwarded Message

Date: Thu, 10 Nov 88 15:41:02 EST
From: rsalz@pineapple.bbn.com
Message-Id: <8811102041.AA04284@fig.bbn.com>
To: vixie
Subject: Re:  getting action

I haven't followed the code all the way through, but it's possible
to execute something like this
	    main(argc, argv)
		int argc;
		char **argv;
	    {
		...
		char buf[BUFSIZ], cmd[16];
		struct servent *sp;

		sp = getservbyname("shell", "tcp");
		...
                (void) sprintf(buf, "rsh %s -n %s %s '%s.%s:%s'",
                                            argv[i], cmd, src,
                                            argv[argc - 1], tuser, targ);
		...
		/* private version of system since rcp is setuid root */
		set_right_uid_system(buf);
		...

Seems like some damage could be done, but I dunno what.  You can
forward this to phage if you want...

------- End of Forwarded Message

END OF DOCUMENT
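
Editor's added example, not part of the archived message and not code from rcp or from either correspondent: one defensive way to build the command string that the quoted sprintf() builds, with a bounded write and an allow-list check on every operand before the string reaches a shell. The names operand_ok and build_rsh_cmd and the sample operands are hypothetical, and cmd is assumed to be assembled by the program itself rather than taken from the caller.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: accept only characters a shell does not interpret,
 * and refuse a leading '-' so an operand cannot be read as an option. */
static int operand_ok(const char *s)
{
    static const char safe[] = "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._/-+@:,";
    if (s == NULL || *s == '\0' || *s == '-')
        return 0;
    return s[strspn(s, safe)] == '\0';
}

/* Hypothetical helper using the format string from the quoted excerpt.
 * Returns 0 on success, -1 if an operand is rejected, -2 if the command
 * would not fit in out[outlen]. cmd is assumed to be program-generated
 * (an assumption; its construction is not shown in the message). */
int build_rsh_cmd(char *out, size_t outlen, const char *host,
                  const char *cmd, const char *src, const char *thost,
                  const char *tuser, const char *targ)
{
    const char *ops[] = { host, src, thost, tuser, targ };
    size_t i;
    int n;

    for (i = 0; i < sizeof ops / sizeof ops[0]; i++)
        if (!operand_ok(ops[i]))
            return -1;
    /* snprintf never writes past outlen; n >= outlen means truncation. */
    n = snprintf(out, outlen, "rsh %s -n %s %s '%s.%s:%s'",
                 host, cmd, src, thost, tuser, targ);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';      /* never hand a partial command onward */
        return -2;
    }
    return 0;
}

int main(void)
{
    char buf[128];
    /* Constructed sample operands, not taken from the archived message. */
    int rc = build_rsh_cmd(buf, sizeof buf, "hostA", "rcp", "/tmp/f",
                           "hostB", "alice", "/tmp/g");
    printf("%d %s\n", rc, buf);
    return rc == 0 ? 0 : 1;
}
```

Building an argument vector and calling an exec-family function directly, with no shell in between, removes the need for the character check altogether.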