Package: rush
Version: 1.7+dfsg-1
Severity: important
From the package description:
"GNU Rush is a restricted shell designed for sites providing only
limited access to resources for remote users".
Much like sudo the shell allows a configuration file to limit the
commands the user(s) are allowed to execute, and again like sudo
the main binary (/usr/sbin/rush) is installed setuid root.
Unfortunately the program suffers from the grave flaw that a
configuration file may be tested via the --lint option, and the
file named on the command line is opened and parsed prior to
dropping any privileges. As the program is setuid root, any file
on the system may be read this way.
Sample "exploit":
shelob ~ $ rush --lint /etc/shadow 2>&1| head -n 2
rush: Info: /etc/shadow:1: unknown statement:
root:$6$zwJQWKVo$../Wg.rwXXitSyS8/.../:15884:0:99999:7:::
rush: Info: /etc/shadow:2: unknown statement: daemon:*:15884:0:99999:7:::
As you can see the unrecognized content is echoed back to the user,
giving the local user access to a file they otherwise couldn't
read. In this case that hands them the password hashes needed for
a dictionary attack.
Mitigating factors: Only the first whitespace-separated token
is shown to the user.
The identifier CVE-2013-6889 has been assigned to help track
this security problem across distributions and releases. Please
mention it when uploading a fixed package.
-- System Information:
Debian Release: 7.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.11.2 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages rush depends on:
ii libc6 2.13-38
rush recommends no packages.
Versions of packages rush suggests:
pn xinetd | inetutils-inetd <none>
-- no debconf information