[Outofthebox] problem with scponlyc [Solved]
isazi
isazi at olografix.org
Tue Mar 21 22:55:52 CET 2006
On Tuesday 21 March 2006 22:46, Lonely Wolf wrote:
> re-enabled?
> in what sense, sorry?
From 4.2 onwards:
SECURITY PROBLEM 2, reported by Pekka Pessi:
If ANY of the following conditions are true, administrators using
scponly-4.1 or older may be at risk of remote scponly users
circumventing the restricted shell and executing arbitrary programs.
There is no privilege escalation and this vulnerability is
post-authentication.
* scp compatibility is enabled
* rsync compatibility is enabled
Exploit:
To exploit this vulnerability, a remote scponly user could:
* construct a malicious command line argument to either the rsync or
scp. Although scponly does check for arguments that allow the user to
specify a program to run, it does not use getopt() style processing to
locate these potentially malicious arguments. For example, the
potentially malicious scp argument "-S program" would be detected but
by combining it with the benevolent "-v" (yielding "-vS program") would
not.
Fix:
The new release of scponly-4.2:
* uses getopt to process the arguments to scp and rsync.
* does not support rsync or scp by default. Henceforth, the recommended
means to use scponly is via sftp
--
Alessio "isazi" Sclocco
Metro Olografix Member
http://www.olografix.org/isazi
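
The difference between the two argument checks described in the advisory quoted above, as an added example that is not part of the original message or of scponly's source. The function names, the simplified option string `SCP_OPTS` and the sample command lines are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Pre-4.2 style check (simplified): only an argv element that is exactly
 * "-S" is recognised, so the clustered form "-vS" is not seen. */
int naive_rejects(int argc, char **argv) {
    for (int i = 1; i < argc; i++)
        if (strcmp(argv[i], "-S") == 0)
            return 1;
    return 0;
}

/* getopt-style check: options are split the same way scp will split them.
 * SCP_OPTS is an assumed, simplified option string, not scponly's own. */
#define SCP_OPTS "dfprtvP:S:i:o:"

int getopt_rejects(int argc, char **argv) {
    int c, reject = 0;
    optind = 1;   /* restart scanning for each command line */
    opterr = 0;   /* no diagnostics on stderr */
    while ((c = getopt(argc, argv, SCP_OPTS)) != -1)
        if (c == 'S' || c == '?')   /* program selector, or unknown option */
            reject = 1;             /* fail closed */
    return reject;
}

int main(void) {
    /* Constructed command lines, as a restricted shell would receive them. */
    char *plain[]   = {"scp", "-S", "program", "-t", "/tmp", NULL};
    char *cluster[] = {"scp", "-vS", "program", "-t", "/tmp", NULL};
    char *benign[]  = {"scp", "-v", "-t", "/tmp", NULL};

    printf("-S program : naive=%d getopt=%d\n",
           naive_rejects(5, plain), getopt_rejects(5, plain));
    printf("-vS program: naive=%d getopt=%d\n",
           naive_rejects(5, cluster), getopt_rejects(5, cluster));
    printf("-v         : naive=%d getopt=%d\n",
           naive_rejects(4, benign), getopt_rejects(4, benign));
    return 0;
}
```

Rejecting on `?` as well as `S` means any option the filter does not know is refused rather than passed through to scp.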