[CLUE-Tech] rcp
Jeffery Cann
fabian at jefferycann.com
Tue Sep 17 19:03:50 MDT 2002
On Monday 16 September 2002 01:55 pm, Michael J. Hammel wrote:
> I'm not sure what the problem was with the r* commands, except everyone
> kept telling me how insecure they were and I should be using the s*
> commands now instead. So I am.
rsh uses rlogin, which has a defect in setting the TERM environment
variable. This can be easily exploited, as described here:
"In summary, rlogin is a set-user-id root program that in many implementations
contains a programming defect whereby an internal buffer can be overflowed
and arbitrary code can be executed as root. "
http://www.cert.org/advisories/CA-1997-06.html
http://www.sei.cmu.edu/publications/documents/98.reports/98tr017/98tr017chap02.html
Although the TERM problem has been patched, the fact that you have to suid
root is considered (in general) a probable security risk. The risk is that
one needs only to find a way to overflow a buffer in the program to be able
to do something as 'root'.
HTH,
Jeff
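The overflow Jeff describes comes from a setuid-root program copying a user-supplied TERM value into a fixed-size internal buffer without checking its length. As an added example (not rlogin's code and not part of the original post), the function below shows the defensive pattern a privileged program should use instead: bound the scan, reject overlong or empty values, and accept only the characters terminal names actually use. The function names and the 64-byte limit are assumptions for this example, not values taken from rlogin.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Assumed maximum length for a TERM value, including the terminating NUL.
 * This is an example limit, not rlogin's real buffer size. */
#define TERM_MAX 64

/* Copy the TERM value into a fixed-size buffer only if it is well-formed:
 * non-empty, shorter than outlen, and built solely from characters that
 * terminal names use. Returns 0 on success, -1 if the value is rejected.
 * On rejection the output buffer is left holding an empty string, so the
 * caller can never read stale or partially copied data from it. */
int sanitize_term(const char *term, char *out, size_t outlen)
{
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (term == NULL)
        return -1;

    /* Bounded scan: never read past outlen bytes of the input, so an
     * overlong value is rejected before anything is copied. */
    size_t len = 0;
    while (len < outlen && term[len] != '\0')
        len++;
    if (len == 0 || len >= outlen)
        return -1;

    /* Whitelist the character set; anything else (shell metacharacters,
     * control bytes, escape sequences) is refused outright. */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)term[i];
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.' || c == '+'))
            return -1;
    }

    memcpy(out, term, len + 1);   /* len + 1 includes the NUL; fits by the check above */
    return 0;
}

/* Convenience check against a TERM_MAX-sized buffer, as a setuid program
 * would apply to getenv("TERM"). Returns 1 if accepted, 0 if rejected. */
int term_is_acceptable(const char *term)
{
    char buf[TERM_MAX];
    return sanitize_term(term, buf, sizeof buf) == 0;
}
```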