CVE-2023-38336: #1039689 - rsh-client: Command injection in netkit-rcp

Debian Bug report logs - #1039689
rsh-client: Command injection in netkit-rcp

Reply or subscribe to this bug.

Toggle useless messages

Report forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group packages@qa.debian.org:
Bug#1039689; Package rsh-client. (Wed, 28 Jun 2023 08:06:03 GMT) (full text, mbox, link).

Acknowledgement sent to Jeffrey Bencteux jeffbencteux@gmail.com:
New Bug report received and forwarded. Copy sent to Debian QA Group packages@qa.debian.org. (Wed, 28 Jun 2023 08:06:03 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: rsh-client Version: 0.17-24 Severity: grave Tags: security

Dear Maintainer,

netkit-rcp, shipped for Debian in the rsh-client package (https://packages.debian.org/bookworm/rsh-client) is vulnerable to a command injection. I am reaching to you as I could not find the upstream URL of the developpers (I think the project may be unmaintained).

Moritz Mühlenhoff jmm@inutil.org confirmed there was no upstream for it

Details:

Tested on rsh-client version 0.17-24:

``` $ apt showsrc rsh-client Package: netkit-rsh Binary: rsh-client, rsh-server Version: 0.17-24 Maintainer: Debian QA Group packages@qa.debian.org […] ```

Any of the “fN” (files) or “directory” options of the netkit-rcp command line can be used to inject commands. Below is an example injecting a “whoami” command:

``` $ ltrace /usr/bin/netkit-rcp “test” “;whoami” getopt(3, 0x7ffd134ccc38, “dfprt”) = -1 getservbyname("shell", “tcp”) = 0x7f1846a37dc0 getuid() = 1000 getpwuid(1000, 0x7f18469f62ff, 0, 0x7f18469322f7) = 0x7f1846a36a00 snprintf("rcp", 64, "rcp%s%s%s", "", "", “”) = 3 signal(SIGPIPE, 0x55c473e09bbc) = 0 strlen(“test”) = 4 strlen(“;whoami”) = 7 malloc(38) = 0x55c47528fed0 snprintf("/bin/cp test ;whoami", 38, "%s%s%s %s %s", "/bin/cp", "", "", "test", “;whoami”) = 20 vfork(0x55c47528fed0, 0x55c473e0b14f, 0, 1) = 0x3967b2 signal(SIGINT, 0x1) = 0 signal(SIGQUIT, 0x1) = 0 wait(0x7ffd134cca40/bin/cp: missing destination file operand after ‘test’ Try ‘/bin/cp --help’ for more information. kali <== “whoami” result <no return …> — SIGCHLD (Child exited) — <… wait resumed> ) = 3762098 signal(SIGINT, 0) = 0x1 signal(SIGQUIT, 0) = 0x1 free(0x55c47528fed0) = <void> exit(0 <no return …> +++ exited (status 0) +++ ```

The faulty code is located in susystem() in rcp/rcp.c:

``` 412 static int 413 susystem(const char *s) 414 { 415 int status, pid, w; 416 sighandler istat, qstat; 417 418 if ((pid = vfork()) == 0) { 419 const char *args[4]; 420 const char **argsfoo; 421 char **argsbar; 422 if (setuid(userid)) { 423 fprintf(stderr, "rcp: child: setuid: %s\n", 424 strerror(errno)); 425 _exit(1); 426 } 427 args[0] = "sh"; 428 args[1] = "-c"; 429 args[2] = s; 430 args[3] = NULL; 431 /* Defeat C type system to permit passing char ** to execve */ 432 argsfoo = args; 433 memcpy(&argsbar, &argsfoo, sizeof(argsfoo)); 434 execve(_PATH_BSHELL, argsbar, saved_environ); 435 _exit(127); 436 }

```

A child process is executing “sh -c” (l.434) with no filtering of user input. Note that /usr/bin/netkit-rcp is a root SUID binary on Debian but that the above code drop privileges before executing the command, preventing privilege escalation (l. 422).

There still is a risk as an attacker able to manipulate filenames of either sources or destination could use it to execute arbitrary commands.

IMO the “sh -c” approach is bad and should be replaced with more secure API calls to execv("/bin/cp", args) or equivalent.

Best regards,

– System Information: Distributor ID: Kali Description: Kali GNU/Linux Rolling Release: 2022.3 Codename: kali-rolling Architecture: x86_64

Kernel: Linux 5.18.0-kali5-amd64 (SMP w/4 CPU threads; PREEMPT) Kernel taint flags: TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled

Versions of packages rsh-client depends on: ii libc6 2.36-4

rsh-client recommends no packages.

rsh-client suggests no packages.

– no debconf information

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jul 14 22:35:34 2023; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.