Package: rssh
Version: 2.3.4-8
Severity: grave
Tags: security upstream
https://sourceforge.net/p/rssh/mailman/message/36519118/ is the upstream
report. The reporter indicated they asked for a CVE but didn't include it
in the message.
When scp is enabled, rssh's verification of the scp command line is inadequate, and scp allows remote code execution inside the server environment via several methods. This bug has been present since the beginning of rssh.
I have a completely untested patch but haven't had time to test it yet.
Attaching it to this report for whatever it's worth.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages rssh depends on:
ii debconf [debconf-2.0] 1.5.69
ii libc6 2.28-4
ii openssh-server 1:7.9p1-4
rssh recommends no packages.
Versions of packages rssh suggests:
ii cvs 2:1.12.13+real-26
pn makejail <none>
pn rdist <none>
ii rsync 3.1.3-1
ii subversion 1.10.3-1+b1
-- Configuration Files:
/etc/logcheck/ignore.d.server/rssh [Errno 13] Permission denied: '/etc/logcheck/ignore.d.server/rssh'
/etc/rssh.conf changed [not included]
-- debconf information excluded
diff --git a/util.c b/util.c
index 56f67ad..4dde1a0 100644
--- a/util.c
+++ b/util.c
@@ -268,6 +268,45 @@ static int rsync_e_okay( char **vec )
}
+/*
+ * scp_okay() - take the command line and check that it is a hopefully-safe scp
+ * server command line, accepting only very specific options.
+ * Returns FALSE if the command line should not be allowed, TRUE
+ * if it is okay.
+ */
+static int scp_okay( char **vec )
+{
+ int saw_file = FALSE;
+ int saw_end = FALSE;
+
+ for ( ; vec && *vec; vec++ ){
+ /* Allowed options. */
+ if ( !saw_end ) {
+ if ( strcmp(*vec, "-v") == 0 ) continue;
+ if ( strcmp(*vec, "-r") == 0 ) continue;
+ if ( strcmp(*vec, "-p") == 0 ) continue;
+ if ( strcmp(*vec, "-d") == 0 ) continue;
+ if ( strcmp(*vec, "-f") == 0 ) continue;
+ if ( strcmp(*vec, "-t") == 0 ) continue;
+ }
+
+ /* End of arguments. One more argument allowed after this. */
+ if ( !saw_end && strcmp(*vec, "--") == 0 ){
+ saw_end = TRUE;
+ continue;
+ }
+
+ /* No other options allowed, but allow file starting with -. */
+ if ( *vec[0] == '-' && !saw_end ) return FALSE;
+ if ( saw_file ) return FALSE;
+ saw_file = TRUE;
+ }
+
+ /* We must have seen a single file. */
+ return saw_file;
+}
+
+
/*
* check_command_line() - take the command line passed to rssh, and verify
* that the specified command is one the user is
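Review bot: scp_okay() starts scanning at vec[0], but the vector it receives from check_command_line() is the whole command line, whose first element is the scp command name itself (the call site compares *cl against PATH_SCP in check_command(*cl, opts, PATH_SCP, RSSH_ALLOW_SCP)). That element is neither an allowed option nor "--", so the loop records it as the single file; a real file argument then trips `if ( saw_file ) return FALSE;` and every legitimate scp command line is rejected, while a command line with no file argument at all is accepted. Start the loop one element in, e.g. `for ( vec++; vec && *vec; vec++ ){`, and consider also requiring that -f or -t was seen, since those are the only server-side modes scp should be started in through rssh. Minor: `*vec[0] == '-'` relies on postfix [] binding tighter than unary *; `(*vec)[0] == '-'` says the same thing more readably.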
@@ -283,8 +322,11 @@ char *check_command_line( char **cl, ShellOptions_t *opts )
return PATH_SFTP_SERVER;
if ( check_command(*cl, opts, PATH_SCP, RSSH_ALLOW_SCP) ){
- /* filter -S option */
- if ( opt_filter(cl, 'S') ) return NULL;
+ if ( !scp_okay(cl) ){
+ fprintf(stderr, "\ninsecure scp option not allowed.");
+ log_msg("insecure scp option in scp command line");
+ return NULL;
+ }
return PATH_SCP;
}
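Review bot: the diagnostic in this hunk is misleading for the other ways scp_okay() can fail: it also returns FALSE when two non-option arguments are present or when no file argument is present, yet both the stderr text and the log_msg() call say "insecure scp option". Reword to something like "scp command line not allowed" so an operator reading the log is not sent looking for an option that is not there. Dropping the opt_filter(cl, 'S') call is safe only because scp_okay() rejects every option outside its allow list, which covers -S; that reasoning belongs in the commit message.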