Package: ckermit Version: 416~beta12-1 Severity: grave Tags: security patch upstream Justification: user security hole X-Debbugs-Cc: Debian Security Team <[email protected]>
This security issue is a bit weird in that the behavior I'm covering here is somewhat documented and was an explicit choice by upstream Kermit authors some years back, which lingers today. (ckermit has been around since the 1980s and security expectations were different then) Kermit, in its default configuration, permits a remote system to make changes to, and retrieve data from, the local one. A malicious remote could damage the local system. This is roughly akin to connecting to a FTP server where the FTP server can also extract files from you, or change arbitrary files on your system, without your involvement. In the default configuration, a remote system can: - change the working directory on the local - overwrite files in the current working directory on the local - download any arbitrary file from the local system Of course, by replacing files like .bashrc or such, a malicious remote could easily cause malicious code to be executed on the local. Also, secret exfiltration is easily possible with this. This seems, to me, to be a pretty critical security issue. The components of it are somewhat documented in kermit help text. I will admit to writing some time back, at https://www.complete.org/kermit/, that "If you connect to untrusted remote systems, I recommend running disable all to prevent the remote from doing much to your local system other than sending files. For instance, rcd is enabled by default and allows the remote to change the directory for you to receive files." But I didn't go the step further to question why this should be so and think through the security process. A simple patch will prevent it. The normal mode of using kermit is to run the kermit command on your local system. Then, within kermit, you connect to a remote host in some way; perhaps with ssh, or maybe with a serial line or something. Then you can run kermit on the remote to interact with it. In some cases, in fact, the local kermit will automatically send "kermit -r" (when sending files to the remote) or "kermit -x" (when receiving files from the remote) to put the remote kermit in an appropriate receive or server mode. When kermit is in server mode, you can issue certain REMOTE commands to it. REMOTE CD, REMOTE DELETE, REMOTE SEND, etc. These are all fine in the usual case, where your local system is controlling a remote. Further detail: The remote system can send a series of bytes (actually a Kermit packet) that can put the local system into server mode also. This capability is typically used to automatically start a file transfer when you type "kermit -s filename" to the remote (or a similar SEND at a kermit prompt on the remote). This is governed by the SET TERMINAL AUTODOWNLOAD setting. The help text states: SET TERMINAL AUTODOWNLOAD { ON, OFF, ERROR { STOP, CONTINUE } } Enables/disables automatic switching into file-transfer mode when a valid Kermit or ZMODEM packet of the appropriate type is received during CONNECT mode. Default is OFF. When TERMINAL AUTODOWNLOAD is ON, the TERMINAL AUTODOWNLOAD ERROR setting tells what to do if an error occurs during a file transfer or other protocol operation initiated by the terminal emulator: STOP (the default) means to remain in command mode so you can see what happened; CONTINUE means to resume the CONNECT session (e.g. so a far-end script can continue its work). This is actually incorrect about the default; the default is ON, as SHOW TERMINAL shows "Autodownload: on, error stop". Autodownload doesn't just mean the system will automatically download a file; it means it can automatically enter server mode also. SET FILE COLLISION is set to BACKUP by default. This combines to make a nasty security situation. For instance, let's do a test. The user is sitting at keyboardhost and is logging in to remotehost. First, we'll prepare a test directory: jgoerzen@keyboardhost:/$ cd /tmp jgoerzen@keyboardhost:/tmp$ mkdir keyboardhosttest jgoerzen@keyboardhost:/tmp$ cd keyboardhosttest jgoerzen@keyboardhost:/tmp/keyboardhosttest$ echo 'Test file' > file1 jgoerzen@keyboardhost:/tmp/keyboardhosttest$ cd / Now, we'll fire up kermit and ssh to a remote: jgoerzen@keyboardhost:/$ kermit (/) C-Kermit>ssh remotehost jgoerzen@remotehost:~$ Now, we'll make a new test file: jgoerzen@remotehost:~$ cd /tmp jgoerzen@remotehost:/tmp$ echo 'Hi' > file1 And fire up kermit on the remote host, running inside the ssh session that is inside our local kermit: jgoerzen@remotehost:/tmp$ kermit (/tmp/) C-Kermit> Right now, our local kermit can't receive a bare file because its CWD is /, which it doesn't have permission for. We can, in fact, see this: (/tmp/) C-Kermit>pwd /tmp (/tmp/) C-Kermit>remote pwd Return to your local Kermit and give a SERVER command. KERMIT READY TO SEND SERVER COMMAND... ---------------------------------------------------- Entering server mode on ssh -e none remotehost Type Ctrl-C to quit. C-Kermit server done ---------------------------------------------------- / (/tmp/) C-Kermit> Now we can issue a command *ON REMOTEHOST* to change the directory on keyboardhost: (/tmp/) C-Kermit>remote cd /tmp/keyboardhosttest And now we can send our own file: (/tmp/) C-Kermit>send file1 Return to your local Kermit and give a RECEIVE command. KERMIT READY TO SEND... SENT: [/tmp/file1] To: [/tmp/keyboardhosttest/file1] (OK) In a new terminal window on the local machine, we see: jgoerzen@keyboardhost:~$ ls -l /tmp/keyboardhosttest/ total 2 -rw-r--r-- 1 jgoerzen jgoerzen 3 Dec 4 07:24 file1 -rw-rw-r-- 1 jgoerzen jgoerzen 10 Dec 4 07:22 file1.~1~ We have just allowed the remote machine to overwrite a file in an arbitrary location on the local machine. We can't delete it though: (/tmp/) C-Kermit>remote del test1 Return to your local Kermit and give a SERVER command. KERMIT READY TO SEND SERVER COMMAND... Entering server mode on ssh -e none remotehost Type Ctrl-C to quit. C-Kermit server done Even though this looks like it was successful, it wasn't. Can remotehost extract arbitrary files from keyboardhost? Yes, it turns out: (/tmp/) C-Kermit>get /bin/bash or (/tmp/) C-Kermit>remote cd /bin (/tmp/) C-Kermit>get bash both work. ckcmai.c defines: #ifndef NOSERVER /* Server services: 0 = disabled 1 = enabled in local mode 2 = enabled in remote mode 3 = enabled in both local and remote modes only as initial (default) values. */ int en_xit = 2; /* EXIT */ int en_cwd = 3; /* CD/CWD */ int en_cpy = 3; /* COPY */ int en_del = 2; /* DELETE */ int en_mkd = 3; /* MKDIR */ int en_rmd = 2; /* RMDIR */ int en_dir = 3; /* DIRECTORY */ int en_fin = 3; /* FINISH */ int en_get = 3; /* GET */ #ifndef NOPUSH int en_hos = 2; /* HOST enabled */ #else int en_hos = 0; /* HOST disabled */ #endif /* NOPUSH */ int en_ren = 3; /* RENAME */ int en_sen = 3; /* SEND */ int en_set = 3; /* SET */ int en_spa = 3; /* SPACE */ int en_typ = 3; /* TYPE */ int en_who = 3; /* WHO */ #ifdef datageneral /* Data General AOS/VS can't do this */ int en_bye = 0; /* BYE */ #else int en_bye = 2; /* PCs in local mode... */ #endif /* datageneral */ int en_asg = 3; /* ASSIGN */ int en_que = 3; /* QUERY */ int en_ret = 2; /* RETRIEVE */ int en_mai = 3; /* MAIL */ int en_pri = 3; /* PRINT */ int en_ena = 3; /* ENABLE */ #else int en_xit = 0, en_cwd = 0, en_cpy = 0, en_del = 0, en_mkd = 0, en_rmd = 0, en_dir = 0, en_fin = 0, en_get = 0, en_hos = 0, en_ren = 0, en_sen = 0, en_set = 0, en_spa = 0, en_typ = 0, en_who = 0, en_bye = 0, en_asg = 0, en_que = 0, en_ret = 0, en_mai = 0, en_pri = 0, en_ena = 0; #endif /* NOSERVER */ SHOW SERVER duplicates this: Function: Status: GET Enabled SEND Enabled MAIL Enabled PRINT Enabled REMOTE ASSIGN Enabled REMOTE CD/CWD Enabled REMOTE COPY Enabled REMOTE DELETE Remote only REMOTE DIRECTORY Enabled REMOTE HOST Remote only REMOTE QUERY Enabled REMOTE MKDIR Enabled REMOTE RMDIR Remote only REMOTE RENAME Enabled REMOTE SET Enabled REMOTE SPACE Enabled REMOTE TYPE Enabled REMOTE WHO Enabled BYE Remote only FINISH Enabled EXIT Remote only ENABLE Enabled keyboardhost can issue a "REMOTE DEL" to remotehost, but remotehost can't issue a "REMOTE DEL" to keyboardhost. So we can see that the remote system is able to control keyboardhost by issuing any command where the enable mode is 1 or 3 in ckcmai.c. Therefore, by changing these defaults, the issues can be mitigated. Note that "remote only" means the situation in which a kermit is in "remote server" mode. This would be the case for the system you have ssh'd to, not the local system you're sitting at. https://www.kermitproject.org/ckututor.html describes: "To upload files (send them from your desktop computer to the remote Unix computer) do the same thing, but use the -g (GET) option instead of -s on the remote computer: kermit -g somefile.txt . This causes your local Kermit to enter server mode; then the remote Kermit program requests the named file and the local Kermit sends it and returns automatically to Connect state when done. " https://www.columbia.edu/~fdc/misc/kermit-file-transfer-overview.html The attached patch adjusts these defaults. I have verified that the remote system can no longer control the local one in that way, but the local one can still control the remote one. This keeps all the usual use cases intact while avoiding a more complex fate with DISABLE ALL. The one that it might break is kermit -g filename, executed on the remote, which would normally cause the local system to transmit the given file. Of course, this is one of the most serious exfiltration risks. The same transfer can easily (actually, MORE easily) be initiated on the local system, without allowing the remote to have control, using the local SEND command, so this is hardly a regression. With the patch, SHOW SERVER now shows: Function: Status: GET Remote only SEND Remote only MAIL Remote only PRINT Remote only REMOTE ASSIGN Remote only REMOTE CD/CWD Remote only REMOTE COPY Remote only REMOTE DELETE Remote only REMOTE DIRECTORY Remote only REMOTE HOST Remote only REMOTE QUERY Remote only REMOTE MKDIR Remote only REMOTE RMDIR Remote only REMOTE RENAME Remote only REMOTE SET Remote only REMOTE SPACE Remote only REMOTE TYPE Remote only REMOTE WHO Remote only BYE Remote only FINISH Remote only EXIT Remote only ENABLE Remote only A remote can still initiate a transfer to the local and give a filename to save it in. This patch also disables the default "collision" mode, which allows the remote to overwrite a local file (and renames the original local file). There may still be some reason for concern for allowing the remote to place a file with an arbitrary name in the local's CWD, but this is also the behavior for zmodem (in lrzsz), and some CLI HTTP clients that follow redirects and use the resulting name for the local. It may not be ideal but it seems to match the generally expected behavior. -- System Information: Debian Release: 13.2 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 6.12.57+deb13-amd64 (SMP w/16 CPU threads; PREEMPT) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages ckermit depends on: ii debconf [debconf-2.0] 1.5.91 ii libc6 2.41-12 ii libncurses6 6.5+20250216-2 ii libpam0g 1.7.0-5 ii libssl3t64 3.5.4-1~deb13u1 ii libtinfo6 6.5+20250216-2 Versions of packages ckermit recommends: ii openssh-client [ssh-client] 1:10.0p1-7 Versions of packages ckermit suggests: pn openbsd-inetd | inet-superserver <none> -- debconf information excluded
commit dc4be0e1d17c674df976dd41c6fa381c767aa76d Author: John Goerzen <[email protected]> Date: Thu Dec 4 07:46:09 2025 -0600 Work around security issues Disable insecure remote commands for local users Also reject overwrites by default diff --git a/ckcmai.c b/ckcmai.c index a84b9cb..39a5049 100644 --- a/ckcmai.c +++ b/ckcmai.c @@ -724,7 +724,7 @@ struct ck_p ptab[NPROTOS] = { /* Initialize the Kermit part ... */ #ifdef VMS /* Default filename collision action */ XYFX_X, /* REPLACE for VAX/VMS */ #else - XYFX_B, /* BACKUP for everybody else */ + XYFX_D, /* REJECT for everybody else */ #endif /* VMS */ #ifdef OS2 /* Flag for file name conversion */ @@ -1574,37 +1574,37 @@ char * remdest = NULL; only as initial (default) values. */ int en_xit = 2; /* EXIT */ -int en_cwd = 3; /* CD/CWD */ -int en_cpy = 3; /* COPY */ +int en_cwd = 2; /* CD/CWD */ +int en_cpy = 2; /* COPY */ int en_del = 2; /* DELETE */ -int en_mkd = 3; /* MKDIR */ +int en_mkd = 2; /* MKDIR */ int en_rmd = 2; /* RMDIR */ -int en_dir = 3; /* DIRECTORY */ -int en_fin = 3; /* FINISH */ -int en_get = 3; /* GET */ +int en_dir = 2; /* DIRECTORY */ +int en_fin = 2; /* FINISH */ +int en_get = 2; /* GET */ #ifndef NOPUSH int en_hos = 2; /* HOST enabled */ #else int en_hos = 0; /* HOST disabled */ #endif /* NOPUSH */ -int en_ren = 3; /* RENAME */ -int en_sen = 3; /* SEND */ -int en_set = 3; /* SET */ -int en_spa = 3; /* SPACE */ -int en_typ = 3; /* TYPE */ -int en_who = 3; /* WHO */ +int en_ren = 2; /* RENAME */ +int en_sen = 2; /* SEND */ +int en_set = 2; /* SET */ +int en_spa = 2; /* SPACE */ +int en_typ = 2; /* TYPE */ +int en_who = 2; /* WHO */ #ifdef datageneral /* Data General AOS/VS can't do this */ int en_bye = 0; /* BYE */ #else int en_bye = 2; /* PCs in local mode... */ #endif /* datageneral */ -int en_asg = 3; /* ASSIGN */ -int en_que = 3; /* QUERY */ +int en_asg = 2; /* ASSIGN */ +int en_que = 2; /* QUERY */ int en_ret = 2; /* RETRIEVE */ -int en_mai = 3; /* MAIL */ -int en_pri = 3; /* PRINT */ -int en_ena = 3; /* ENABLE */ +int en_mai = 2; /* MAIL */ +int en_pri = 2; /* PRINT */ +int en_ena = 2; /* ENABLE */ #else int en_xit = 0, en_cwd = 0, en_cpy = 0, en_del = 0, en_mkd = 0, en_rmd = 0, en_dir = 0, en_fin = 0, en_get = 0, en_hos = 0, en_ren = 0, en_sen = 0, diff --git a/ckuus2.c b/ckuus2.c index 3e8bd45..cc3da82 100644 --- a/ckuus2.c +++ b/ckuus2.c @@ -4138,12 +4138,12 @@ static char *hmxyf[] = { "SET FILE COLLISION option", " Tells what to do when a file arrives that has the same name as", " an existing file. The options are:", -" BACKUP (default) - Rename the old file to a new, unique name and store", +" BACKUP - Rename the old file to a new, unique name and store", " the incoming file under the name it was sent with.", " OVERWRITE - Overwrite (replace) the existing file; doesn't work for", " a Kermit server unless you also tell it to ENABLE DELETE.", " APPEND - Append the incoming file to the end of the existing file.", -" REJECT - Refuse and/or discard the incoming file (= DISCARD).", +" REJECT (default) - Refuse and/or discard the incoming file (= DISCARD).", " RENAME - Give the incoming file a unique name.", " UPDATE - Accept the incoming file only if newer than the existing file.", " ", @@ -7929,7 +7929,7 @@ static char *hxyterm[] = { "SET TERMINAL AUTODOWNLOAD { ON, OFF, ERROR { STOP, CONTINUE } }", " enables/disables automatic switching into file-transfer mode when a Kermit", " or ZMODEM file transfer has been detected during CONNECT mode or while", -" an INPUT command is active. Default is OFF.", +" an INPUT command is active. Default is ON.", #else "SET TERMINAL AUTODOWNLOAD { ON, OFF, ERROR { STOP, CONTINUE } }", " enables/disables automatic switching into file-transfer mode when a Kermit",
