Package: rsh-client Version: 0.17-24 Severity: grave Tags: security Dear Maintainer,
netkit-rcp, shipped for Debian in the rsh-client package (https://packages.debian.org/bookworm/rsh-client) is vulnerable to a command injection. I am reaching to you as I could not find the upstream URL of the developpers (I think the project may be unmaintained). Moritz Mühlenhoff <j...@inutil.org> confirmed there was no upstream for it Details: Tested on rsh-client version 0.17-24: ``` $ apt showsrc rsh-client Package: netkit-rsh Binary: rsh-client, rsh-server Version: 0.17-24 Maintainer: Debian QA Group <packa...@qa.debian.org> [...] ``` Any of the "fN" (files) or "directory" options of the netkit-rcp command line can be used to inject commands. Below is an example injecting a "whoami" command: ``` $ ltrace /usr/bin/netkit-rcp "test" ";whoami" getopt(3, 0x7ffd134ccc38, "dfprt") = -1 getservbyname("shell", "tcp") = 0x7f1846a37dc0 getuid() = 1000 getpwuid(1000, 0x7f18469f62ff, 0, 0x7f18469322f7) = 0x7f1846a36a00 snprintf("rcp", 64, "rcp%s%s%s", "", "", "") = 3 signal(SIGPIPE, 0x55c473e09bbc) = 0 strlen("test") = 4 strlen(";whoami") = 7 malloc(38) = 0x55c47528fed0 snprintf("/bin/cp test ;whoami", 38, "%s%s%s %s %s", "/bin/cp", "", "", "test", ";whoami") = 20 vfork(0x55c47528fed0, 0x55c473e0b14f, 0, 1) = 0x3967b2 signal(SIGINT, 0x1) = 0 signal(SIGQUIT, 0x1) = 0 wait(0x7ffd134cca40/bin/cp: missing destination file operand after 'test' Try '/bin/cp --help' for more information. kali <== "whoami" result <no return ...> --- SIGCHLD (Child exited) --- <... wait resumed> ) = 3762098 signal(SIGINT, 0) = 0x1 signal(SIGQUIT, 0) = 0x1 free(0x55c47528fed0) = <void> exit(0 <no return ...> +++ exited (status 0) +++ ``` The faulty code is located in susystem() in rcp/rcp.c: ``` 412 static int 413 susystem(const char *s) 414 { 415 int status, pid, w; 416 sighandler istat, qstat; 417 418 if ((pid = vfork()) == 0) { 419 const char *args[4]; 420 const char **argsfoo; 421 char **argsbar; 422 if (setuid(userid)) { 423 fprintf(stderr, "rcp: child: setuid: %s\n", 424 strerror(errno)); 425 _exit(1); 426 } 427 args[0] = "sh"; 428 args[1] = "-c"; 429 args[2] = s; 430 args[3] = NULL; 431 /* Defeat C type system to permit passing char ** to execve */ 432 argsfoo = args; 433 memcpy(&argsbar, &argsfoo, sizeof(argsfoo)); 434 execve(_PATH_BSHELL, argsbar, saved_environ); 435 _exit(127); 436 } ``` A child process is executing "sh -c" (l.434) with no filtering of user input. Note that /usr/bin/netkit-rcp is a root SUID binary on Debian but that the above code drop privileges before executing the command, preventing privilege escalation (l. 422). There still is a risk as an attacker able to manipulate filenames of either sources or destination could use it to execute arbitrary commands. IMO the "sh -c" approach is bad and should be replaced with more secure API calls to execv("/bin/cp", args) or equivalent. Best regards, -- System Information: Distributor ID: Kali Description: Kali GNU/Linux Rolling Release: 2022.3 Codename: kali-rolling Architecture: x86_64 Kernel: Linux 5.18.0-kali5-amd64 (SMP w/4 CPU threads; PREEMPT) Kernel taint flags: TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages rsh-client depends on: ii libc6 2.36-4 rsh-client recommends no packages. rsh-client suggests no packages. -- no debconf information