[UNIX] Rssh and Scponly Arbitrary Command Execution

From: SecuriTeam (support_at_securiteam.com)
Date: 12/16/04

  • Next message: SecuriTeam: "[UNIX] Blog Torrent Arbitrary File Downloading"
    To: list@securiteam.com
    Date: 16 Dec 2004 15:03:01 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.

    - - - - - - - - -

      Rssh and Scponly Arbitrary Command Execution


     <http://www.pizzashack.org/rssh/index.shtml> rssh and
    <http://www.sublimation.org/scponly/> scponly are restricted shells that
    are designed to allow execution only of certain preset programs. Both are
    used to grant a user the ability to transfer files to and from a remote
    host without granting full shell access. Due to the fact that most of the
    preset programs offer options that execute other programs, arbitrary
    command execution on the remote host is possible.


    rssh allows any of five predefined programs to be executed on the remote
    host depending on the configuration. Those that are known to be vulnerable
    in combination with the techniques described in this posting are marked
    with an asterisk.
     * scp*
     * sftp-server
     * cvs
     * rdist*
     * rsync*

    scponly allows a number of predefined programs to be executed on the
    remote host depending on compile-time options. Those that are known to be
    vulnerable when used with scponly:
     * scp
     * rsync
     * unison (*untested)

    The program execution options that these programs offer:
    rdist -P <program>
    rsync -e <program>
    scp -S <program>
    unison -rshcmd <program>
    unison -sshcmd <program>

    These options allow the user to specify the location of the shell to use
    when connecting to the remote host. No restriction is placed on what
    programs may be specified by these options, and rssh and scponly do not
    filter these options out. The end result is that although a user may be
    restricted by rssh or scponly to running e.g. only /usr/bin/scp, they can
    in fact execute any program using /usr/bin/scp -S <program>.

    The problem is compounded when you recognize that the main use of rssh and
    scponly is to allow file transfers, which in turn allows a malicious user
    to transfer and execute entire custom scripts on the remote machine.

    rssh with sftp-server does not appear to be vulnerable. rssh with cvs is
    also not vulnerable using these techniques. However, it is quite probable
    that a malicious user could check out a carefully crafted CVS repository
    and execute arbitrary commands using CVS's hooks interface.

     ssh restricteduser@remotehost 'rsync -e "touch /tmp/example --"
    localhost:/dev/null /tmp'
     scp command.sh restricteduser@remotehost:/tmp/command.sh
     ssh restricteduser@remotehost 'scp -S /tmp/command.sh localhost:/dev/null

    There are no workarounds for this problem.

    Jason has talked with the author of rssh, Derek Martin. He is currently
    indisposed for an indefinite period of time due to changing countries and
    having no permanent home at the present moment. Moreover he has other
    priorities and has lost interest in maintaining the program. He has
    offered to assist anyone who would like to take over maintainership of
    rssh, but he does not intend to provide a fix for the current problem.
    Given this fact, Jason would strongly recommend against using rssh at this

    The author of scponly, Joe Boyle, has prepared a new release, version 4.0,
    that addresses the current problem.

    Distributor updates have been coordinated with this posting and should be
    available soon.

    Jason thinks the long-term solution for those needing a highly secure
    restricted shell is to allow granular configuration by administrators of
    which options and arguments, if any, are allowed to be specified for which
    programs. In the most restricted case entire command lines would be stored
    on the remote host and the client would be allowed only to select from the
    list of available command lines. I'm not aware of any software that offers
    these capabilities today.


    The information has been provided by <mailto:jason@xc.net> Jason Wies.


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] Blog Torrent Arbitrary File Downloading"