rsh-client: CVE-2023-38336: Command injection in netkit-rcp

Debian Bug report logs - #1039689
rsh-client: CVE-2023-38336: Command injection in netkit-rcp

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jeffrey Bencteux <jeffbencteux@gmail.com>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: rsh-client: Command injection in netkit-rcp

Date: Wed, 28 Jun 2023 10:03:15 +0200

Package: rsh-client
Version: 0.17-24
Severity: grave
Tags: security

Dear Maintainer,

netkit-rcp, shipped for Debian in the rsh-client package (https://packages.debian.org/bookworm/rsh-client) is vulnerable to a command injection. I am
reaching to you as I could not find the upstream URL of the developpers (I think the project may be unmaintained).

Moritz Mühlenhoff <jmm@inutil.org> confirmed there was no upstream for it

Details:

Tested on rsh-client version 0.17-24:

```
$ apt showsrc rsh-client
Package: netkit-rsh
Binary: rsh-client, rsh-server
Version: 0.17-24
Maintainer: Debian QA Group <packages@qa.debian.org>
[...]
```

Any of the "fN" (files) or "directory" options of the netkit-rcp command line can be used to inject commands. Below is an example injecting a
"whoami" command:

```
$ ltrace /usr/bin/netkit-rcp "test" ";whoami"
getopt(3, 0x7ffd134ccc38, "dfprt")                                                                                   = -1
getservbyname("shell", "tcp")                                                                                        = 0x7f1846a37dc0
getuid()                                                                                                             = 1000
getpwuid(1000, 0x7f18469f62ff, 0, 0x7f18469322f7)                                                                    = 0x7f1846a36a00
snprintf("rcp", 64, "rcp%s%s%s", "", "", "")                                                                         = 3
signal(SIGPIPE, 0x55c473e09bbc)                                                                                      = 0
strlen("test")                                                                                                       = 4
strlen(";whoami")                                                                                                    = 7
malloc(38)                                                                                                           = 0x55c47528fed0
snprintf("/bin/cp test ;whoami", 38, "%s%s%s %s %s", "/bin/cp", "", "", "test", ";whoami")                           = 20
vfork(0x55c47528fed0, 0x55c473e0b14f, 0, 1)                                                                          = 0x3967b2
signal(SIGINT, 0x1)                                                                                                  = 0
signal(SIGQUIT, 0x1)                                                                                                 = 0
wait(0x7ffd134cca40/bin/cp: missing destination file operand after 'test'
Try '/bin/cp --help' for more information.
kali																				<== "whoami" result
 <no return ...>
--- SIGCHLD (Child exited) ---
<... wait resumed> )                                                                                                 = 3762098
signal(SIGINT, 0)                                                                                                    = 0x1
signal(SIGQUIT, 0)                                                                                                   = 0x1
free(0x55c47528fed0)                                                                                                 = <void>
exit(0 <no return ...>
+++ exited (status 0) +++
```

The faulty code is located in susystem() in rcp/rcp.c:

```
    412 static int
    413 susystem(const char *s)
    414 {
    415         int status, pid, w;
    416         sighandler istat, qstat;
    417
    418         if ((pid = vfork()) == 0) {
    419                 const char *args[4];
    420                 const char **argsfoo;
    421                 char **argsbar;
    422                 if (setuid(userid)) {
    423                         fprintf(stderr, "rcp: child: setuid: %s\n",
    424                                 strerror(errno));
    425                         _exit(1);
    426                 }
    427                 args[0] = "sh";
    428                 args[1] = "-c";
    429                 args[2] = s;
    430                 args[3] = NULL;
    431                 /* Defeat C type system to permit passing char ** to execve */
    432                 argsfoo = args;
    433                 memcpy(&argsbar, &argsfoo, sizeof(argsfoo));
    434                 execve(_PATH_BSHELL, argsbar, saved_environ);
    435                 _exit(127);
    436         }

```

A child process is executing "sh -c" (l.434) with no filtering of user input. Note that /usr/bin/netkit-rcp is a root SUID binary on Debian but that the
above code drop privileges before executing the command, preventing privilege escalation (l. 422).

There still is a risk as an attacker able to manipulate filenames of either sources or destination could use it to execute arbitrary commands.

IMO the "sh -c" approach is bad and should be replaced with more secure API calls to execv("/bin/cp", args) or equivalent.

Best regards,

-- System Information:
Distributor ID:	Kali
Description:	Kali GNU/Linux Rolling
Release:	2022.3
Codename:	kali-rolling
Architecture: x86_64

Kernel: Linux 5.18.0-kali5-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages rsh-client depends on:
ii  libc6  2.36-4

rsh-client recommends no packages.

rsh-client suggests no packages.

-- no debconf information

Send a report that this bug log contains spam.