Your message dated Mon, 10 Mar 2008 16:05:35 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#470298: Acknowledgement (rssh allows remote command execution)
has caused the Debian Bug report #470298,
regarding rssh allows remote command execution
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
470298: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470298
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: rssh
Version: 2.3.2-2
Severity: grave
Tags: security
Justification: user security hole
rssh allows remote command execution using shell backticks:
$ ssh [EMAIL PROTECTED] rsync "`cat /etc/issue`"
will run 'cat /etc/issue' on the remote host:
Mar 10 15:29:55 ijon rssh[11414]: setting log facility to LOG_USER
Mar 10 15:29:55 ijon rssh[11414]: setting umask to 022
Mar 10 15:29:55 ijon rssh[11414]: user liske attempted to execute forbidden commands
Mar 10 15:29:55 ijon rssh[11414]: command: rsync Debian GNU/Linux 4.0 \n \l
Cheers,
Thomas Liske
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Versions of packages rssh depends on:
ii debconf [debconf-2.0] 1.5.11etch1 Debian configuration management sy
ii libc6 2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii openssh-server 1:4.3p2-9 Secure shell server, an rshd repla
rssh recommends no packages.
-- debconf information excluded
--- End Message ---
--- Begin Message ---
Sorry for bothering with my ignorance - I just missed that bash expands
backticks inside double quotes, so there is no remote command execution.
Cheers,
Thomas Liske
--- End Message ---
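Added illustration of the quoting point settled in this thread (not rssh's code and not from the reporter): it models what the remote side receives for the double-quoted and single-quoted forms of the reported command, and how an rssh-style dispatcher that never invokes a shell treats a literal backtick argument. The `cat /etc/issue` output, the `ssh` argument join and the allowlist are constructed stand-ins.

```sh
#!/bin/sh
# Stand-in for `cat /etc/issue`: constructed text matching the report's log.
ISSUE_TEXT='Debian GNU/Linux 4.0 \n \l'
issue() { printf '%s\n' "$ISSUE_TEXT"; }

# ssh joins its remaining arguments with single spaces into the string the
# remote side later sees as the requested command; this models only that join.
ssh_join() { printf '%s' "$*"; }

# Double quotes: the LOCAL shell performs the command substitution first, so
# the string that travels already holds the file's text (as the report's
# "command:" log line shows). Nothing ran on the remote host.
remote_string_double_quoted() { ssh_join rsync "`issue`"; }

# Single quotes: no substitution locally; the backticks travel as literal
# characters inside one argument.
remote_string_single_quoted() { ssh_join rsync '`issue`'; }

# Simplified model of the rssh side (assumed, not rssh's actual parser): the
# string is never handed to a shell. Field splitting of an unquoted variable
# performs no command substitution, so a literal `...` stays inert text. The
# allowlist is a caller-supplied stand-in for the per-service allow options
# in rssh.conf.
rssh_like_dispatch() {
    allowed=$1
    set -f                 # suppress globbing while splitting into words
    set -- $2              # field splitting only: nothing is executed
    set +f
    for svc in $allowed; do
        if [ "$1" = "$svc" ]; then
            printf 'exec %s\n' "$*"   # would execve() the binary with this argv
            return 0
        fi
    done
    printf 'forbidden: %s\n' "$*"     # analogue of the log's "forbidden commands"
    return 1
}
```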