Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200412-01 ] rssh, scponly: Unrestricted command execution
Date: Fri, 03 Dec 2004 16:48:54
Message-Id: 41B09896.8060906@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200412-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: rssh, scponly: Unrestricted command execution
Date: December 03, 2004
Bugs: #72815, #72816
ID: 200412-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

rssh and scponly do not filter command-line options that can be
exploited to execute any command, thereby allowing a remote user to
completely bypass the restricted shell.

Background
==========

rssh and scponly are two restricted shells, allowing only a few
predefined commands. They are often used as a complement to OpenSSH to
provide access to remote users without providing any remote execution
privileges.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /   Vulnerable   /              Unaffected
    -------------------------------------------------------------------
  1  net-misc/scponly              < 4.0                         >= 4.0
  2  app-shells/rssh              <= 2.2.2                   Vulnerable!
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Jason Wies discovered that when receiving an authorized command from an
authorized user, rssh and scponly do not filter command-line options
that can be used to execute any command on the target host.

Impact
======

Using a malicious command, it is possible for a remote authenticated
user to execute any command (or upload and execute any file) on the
target machine with user rights, effectively bypassing any restriction
of scponly or rssh.

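The defect described above is the absence of option filtering between the restricted shell and the program it wraps. The following is an added illustration of the deny-by-default pattern that closes that gap; it is not code from rssh, scponly or Gentoo, and the command names and option sets in its allowlist are assumptions chosen for the example rather than the real option tables of scp or sftp-server. Only an exactly-named command, options from its allowlist, and plain positional arguments get through; any other option, including combined or long-form ones, is refused before anything is executed.

```python
"""Deny-by-default validation of a command line handed to a restricted shell.

Added example for GLSA 200412-01 (not rssh/scponly/Gentoo code). A restricted
shell that passes unknown options through to the wrapped program inherits
every behaviour those options enable; an allowlist avoids that by refusing
everything it has not explicitly approved.
"""
import shlex
from typing import Dict, List, Set

# Hypothetical allowlist (assumption for this example, not a real option
# table): command name -> options that take no argument ("flags") and
# options that take exactly one argument ("with_arg").
ALLOWED: Dict[str, Dict[str, Set[str]]] = {
    "scp": {"flags": {"-f", "-t", "-r", "-p", "-d", "-v"}, "with_arg": set()},
    "sftp-server": {"flags": set(), "with_arg": set()},
}


class RejectedCommand(ValueError):
    """Raised for any command line the allowlist does not cover."""


def validate_command(cmdline: str) -> List[str]:
    """Return the parsed argv when every token is allowlisted, else raise."""
    try:
        argv = shlex.split(cmdline)
    except ValueError as exc:  # unbalanced quotes and similar
        raise RejectedCommand(f"unparseable command line: {exc}")
    if not argv:
        raise RejectedCommand("empty command")

    prog = argv[0]
    # Exact name only: a path to some other binary must not match "scp".
    if prog not in ALLOWED:
        raise RejectedCommand(f"command not permitted: {prog}")
    spec = ALLOWED[prog]

    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == "--":
            # End of options: the wrapped program treats the rest as operands.
            break
        if tok.startswith("-") and len(tok) > 1:
            if tok in spec["flags"]:
                i += 1
                continue
            if tok in spec["with_arg"]:
                if i + 1 >= len(argv):
                    raise RejectedCommand(f"{tok} requires an argument")
                i += 2
                continue
            # Combined short flags such as "-rp": every letter must be allowed.
            if (not tok.startswith("--") and len(tok) > 2
                    and all(f"-{c}" in spec["flags"] for c in tok[1:])):
                i += 1
                continue
            # Anything else (unknown short, long, or "--opt=value") is refused.
            raise RejectedCommand(f"option not permitted for {prog}: {tok}")
        # A plain operand (path, or "-" for stdin/stdout).
        i += 1
    return argv


def is_allowed(cmdline: str) -> bool:
    """Boolean convenience wrapper around validate_command()."""
    try:
        validate_command(cmdline)
        return True
    except RejectedCommand:
        return False


if __name__ == "__main__":
    # Constructed sample command lines, as a wrapper would receive them.
    samples = [
        "scp -t /home/alice/incoming",
        "scp -rp -t /home/alice/incoming",
        "scp -t -- -leading-dash-file",
        "sftp-server",
        "scp -X -t /home/alice/incoming",
        "scp --foo=bar -t /home/alice/incoming",
        "/usr/bin/scp -t /home/alice/incoming",
        "rsync --server .",
    ]
    for line in samples:
        print(f"{'ALLOW' if is_allowed(line) else 'REJECT':6} {line}")
```

The important design choice is that the check runs on the parsed argv before any process is spawned, and that the default answer is "reject": adding a permitted option is a deliberate edit to the allowlist, whereas a forgotten option in a denylist silently becomes an escape route.
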
Workaround
==========

There is no known workaround at this time.

Resolution
==========

All scponly users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/scponly-4.0"

Currently, there is no released version of rssh that contains a fix for
these issues. The author declared that he cannot provide a fixed
version at this time. Therefore, the rssh package has been hard-masked
prior to complete removal from Portage, and current users are advised
to unmerge the package.

References
==========

  [ 1 ] BugTraq Posting
        http://www.securityfocus.com/archive/1/383046/2004-11-30/2004-12-06/0

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200412-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
