Re: rssh Vulnerability: Command Execution with allowscp
From: Russ A. <ea...@ey...> - 2019-01-18 03:48:35
Russ Allbery <ea...@ey...> writes:

> + for ( ; vec && *vec; vec++ ){

At least one bug: this needs to be

    for ( vec++; vec && *vec; vec++ ){

since the first argument is "scp".

I suspect that the rsync protocol is also vulnerable to a version of this same bug if .ssh/config is writable and is used as the ssh client path and the ssh binary is available on the server side, by sending an rsync command that tries to copy a file to localhost: similar to your second attack example. I believe tightening rssh's check that the rsync command line starts with --server would address that, since I think (but haven't confirmed) that will disable remote copies.

It seems likely that there's some way of abusing cvs as well, given its huge command surface.

-- 
Russ Allbery (ea...@ey...) <http://www.eyrie.org/~eagle/>
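
Review bot: the "vec &&" test in the quoted loop header "for ( ; vec && *vec; vec++ ){" can only be false before the first iteration, so it acts as a NULL guard only while the loop starts at vec itself. If the initialiser becomes "vec++" as the reply proposes, the increment runs before that test, so a NULL vec or a vector with no first element is no longer caught and *vec may read past the terminator. Suggest testing vec and vec[0] before the loop and starting the iteration at vec + 1.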