Re: rssh Vulnerability: Command Execution with allowscp
From: Russ A. <ea...@ey...> - 2019-01-18 03:48:35
Russ Allbery <ea...@ey...> writes:
> + for ( ; vec && *vec; vec++ ){
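Review bot: the `vec &&` guard in the loop condition only protects the first iteration, since `vec++` can never turn a non-NULL pointer into NULL; if the loop is meant to start at vec[1] (skipping the program name), test for a NULL or empty vector once before advancing the pointer, e.g. `if (!vec || !*vec) return ...;` followed by `for (vec++; *vec; vec++)`, rather than folding the skip into an initializer that increments an unchecked pointer.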
At least one bug: this needs to be
for ( vec++; vec && *vec; vec++ ){
since the first argument is "scp".
I suspect that the rsync protocol is also vulnerable to a version of this
same bug if .ssh/config is writable and is used as the ssh client path and
the ssh binary is available on the server side, by sending an rsync
command that tries to copy a file to localhost: similar to your second
attack example. I believe tightening rssh's check that the rsync command
line starts with --server would address that, since I think (but haven't
confirmed) that will disable remote copies.
It seems likely that there's some way of abusing cvs as well, given its
huge command surface.
--
Russ Allbery (ea...@ey...) <http://www.eyrie.org/~eagle/>
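To show why the start offset of the argument scan matters, here is an added example (not rssh's code and not from this thread): an option scan that stops at the first non-option argument, in a buggy form that begins at vec[0] and a fixed form that begins at vec[1], plus the vec[1] == "--server" requirement the post proposes for rsync. The allow-list of scp option letters and the stop-at-first-non-option rule are assumptions made for the example.

```c
/* Added example, not rssh's code. Assumed policy: arguments beginning
 * with '-' are options, the option list ends at the first non-option
 * (or at "--"), and any option letter outside a fixed allow-list is
 * rejected. The allow-list below is a hypothetical choice. */
#include <stdbool.h>
#include <string.h>

/* Hypothetical allow-list of scp option letters considered harmless. */
static const char ALLOWED_OPTS[] = "rtpfdvq";

/* Returns true when every option in the vector is on the allow-list. */
static bool scan_options(char **vec)
{
    for ( ; vec && *vec; vec++ ) {
        const char *arg = *vec;
        if (arg[0] != '-' || strcmp(arg, "--") == 0)
            break;                      /* options end here */
        for (const char *p = arg + 1; *p; p++)
            if (strchr(ALLOWED_OPTS, *p) == NULL)
                return false;           /* unknown option letter */
    }
    return true;
}

/* Buggy: the scan begins at vec[0], which is the program name "scp".
 * It is not an option, so the loop exits immediately and no real
 * option is ever examined; every command line passes. */
bool check_scp_buggy(char **vec)
{
    return scan_options(vec);
}

/* Fixed: skip the program name, as the post suggests, after checking
 * that the vector actually has a first element. */
bool check_scp_fixed(char **vec)
{
    if (!vec || !*vec)
        return false;
    return scan_options(vec + 1);
}

/* rsync: the post proposes requiring the command line to start with
 * --server; the same vec[1] offset applies here. */
bool check_rsync_server(char **vec)
{
    return vec && vec[0] && vec[1] && strcmp(vec[1], "--server") == 0;
}
```

With a constructed vector such as `{"scp", "-x", "file", NULL}`, the buggy scan accepts it while the fixed scan rejects the unknown `-x` option.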