Package: rssh Version: 2.3.4-8 Severity: grave Tags: security upstream https://sourceforge.net/p/rssh/mailman/message/36519118/ is the upstream report. The reporter indicated they asked for a CVE but didn't include it in the message.
scp allows remote code execution inside the server environment via several methods due to inadequate command-line verification. This bug has been present since the beginning of rssh. I have a completely untested patch but haven't had time to test it yet. Attaching it to this report for whatever it's worth. -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages rssh depends on: ii debconf [debconf-2.0] 1.5.69 ii libc6 2.28-4 ii openssh-server 1:7.9p1-4 rssh recommends no packages. Versions of packages rssh suggests: ii cvs 2:1.12.13+real-26 pn makejail <none> pn rdist <none> ii rsync 3.1.3-1 ii subversion 1.10.3-1+b1 -- Configuration Files: /etc/logcheck/ignore.d.server/rssh [Errno 13] Permission denied: '/etc/logcheck/ignore.d.server/rssh' /etc/rssh.conf changed [not included] -- debconf information excluded
diff --git a/util.c b/util.c index 56f67ad..4dde1a0 100644 --- a/util.c +++ b/util.c @@ -268,6 +268,45 @@ static int rsync_e_okay( char **vec ) } +/* + * scp_okay() - take the command line and check that it is a hopefully-safe scp + * server command line, accepting only very specific options. + * Returns FALSE if the command line should not be allowed, TRUE + * if it is okay. + */ +static int scp_okay( char **vec ) +{ + int saw_file = FALSE; + int saw_end = FALSE; + + for ( ; vec && *vec; vec++ ){ + /* Allowed options. */ + if ( !saw_end ) { + if ( strcmp(*vec, "-v") == 0 ) continue; + if ( strcmp(*vec, "-r") == 0 ) continue; + if ( strcmp(*vec, "-p") == 0 ) continue; + if ( strcmp(*vec, "-d") == 0 ) continue; + if ( strcmp(*vec, "-f") == 0 ) continue; + if ( strcmp(*vec, "-t") == 0 ) continue; + } + + /* End of arguments. One more argument allowed after this. */ + if ( !saw_end && strcmp(*vec, "--") == 0 ){ + saw_end = TRUE; + continue; + } + + /* No other options allowed, but allow file starting with -. */ + if ( *vec[0] == '-' && !saw_end ) return FALSE; + if ( saw_file ) return FALSE; + saw_file = TRUE; + } + + /* We must have seen a single file. */ + return saw_file; +} + + /* * check_command_line() - take the command line passed to rssh, and verify * that the specified command is one the user is @@ -283,8 +322,11 @@ char *check_command_line( char **cl, ShellOptions_t *opts ) return PATH_SFTP_SERVER; if ( check_command(*cl, opts, PATH_SCP, RSSH_ALLOW_SCP) ){ - /* filter -S option */ - if ( opt_filter(cl, 'S') ) return NULL; + if ( !scp_okay(cl) ){ + fprintf(stderr, "\ninsecure scp option not allowed."); + log_msg("insecure scp option in scp command line"); + return NULL; + } return PATH_SCP; }