I have found/validated a vulnerability described in rcp-writeup.md. I have supplied the PoC.py in two forms. Both are attached in a compressed zip.
Summary
rcp's receive path (sink()) concatenates the server-supplied filename directly
into the local destination path without any validation:
    /* src/rcp.c:1011-1017 */
    need = strlen (targ) + strlen (cp) + 250;
    if (need > cursize)
      {
        if (!(namebuf = malloc (need)))
          run_err ("%s", strerror (errno));
      }
    snprintf (namebuf, need, "%s%s%s", targ, *targ ? "/" : "", cp);
cp points into the wire-protocol record and is never checked for ../ or
embedded /. A malicious or MITM'd server sends a C record whose filename
escapes the target directory:
C0644 34 ../evil.txt\n
rcp opens and writes the file at the resolved path — silently, no error.
DeFrancesco, Joey
[email protected]
MIT Lincoln Labs – Cyber Physical Systems
<<attachment: rcp.zip>>
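The path construction described in the summary above, as an added example that is neither the reporter's PoC nor inetutils code: it parses a C record the way sink() must, reproduces rcp's unchecked targ/cp concatenation, and places next to it a hardened join that refuses a name that is empty, ".", "..", or contains a '/', which is the same check OpenSSH's scp applies to the name field. parse_crec, join_unchecked, name_is_safe and join_checked are names chosen here, and the record and target directory are constructed sample input.

```c
/* Added example: a minimal model of rcp sink()'s path construction.
   Not from the report and not inetutils code; names are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One "C<mode> <size> <name>" record from the rcp wire protocol. */
struct crec {
    unsigned mode;          /* octal mode, e.g. 0644 */
    unsigned long size;     /* byte count announced by the sender */
    char name[256];         /* file name exactly as the sender supplied it */
};

/* Parse a C record such as "C0644 34 ../evil.txt\n". Returns 0 on success,
   -1 on a malformed record. The name is copied verbatim; it is the
   caller's job to decide whether it is safe to use. */
int parse_crec(const char *line, struct crec *out)
{
    if (line[0] != 'C')
        return -1;
    char *end;
    unsigned long mode = strtoul(line + 1, &end, 8);
    if (end == line + 1 || *end != ' ')
        return -1;
    unsigned long size = strtoul(end + 1, &end, 10);
    if (*end != ' ')
        return -1;
    const char *name = end + 1;
    size_t n = strcspn(name, "\n");
    if (n == 0 || n >= sizeof out->name)
        return -1;
    out->mode = (unsigned)mode;
    out->size = size;
    memcpy(out->name, name, n);
    out->name[n] = '\0';
    return 0;
}

/* The concatenation rcp performs: targ + "/" + cp with no validation, so
   a name of "../evil.txt" walks out of the target directory. */
char *join_unchecked(const char *targ, const char *cp)
{
    size_t need = strlen(targ) + strlen(cp) + 2;
    char *buf = malloc(need);
    if (!buf)
        return NULL;
    snprintf(buf, need, "%s%s%s", targ, *targ ? "/" : "", cp);
    return buf;
}

/* Hardened check: a C record may only name a single path component. */
int name_is_safe(const char *cp)
{
    if (*cp == '\0')
        return 0;
    if (strchr(cp, '/') != NULL)
        return 0;
    if (strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0)
        return 0;
    return 1;
}

/* Same join, but refuses unsafe names instead of resolving them. */
char *join_checked(const char *targ, const char *cp)
{
    if (!name_is_safe(cp)) {
        errno = EINVAL;
        return NULL;
    }
    return join_unchecked(targ, cp);
}

int main(void)
{
    /* Constructed sample: the record from the summary and a target dir. */
    const char *record = "C0644 34 ../evil.txt\n";
    const char *targ = "/home/user/downloads";
    struct crec r;

    if (parse_crec(record, &r) != 0) {
        fprintf(stderr, "malformed record\n");
        return 1;
    }
    char *unsafe = join_unchecked(targ, r.name);
    char *safe = join_checked(targ, r.name);
    printf("unchecked: %s\n", unsafe ? unsafe : "(null)");
    printf("checked:   %s\n", safe ? safe : "rejected");
    free(unsafe);
    free(safe);
    return 0;
}
```

Run stand-alone, the unchecked join yields /home/user/downloads/../evil.txt while the checked join rejects the record; the check belongs where cp is taken from the wire record, before the snprintf quoted above.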
