Russ Allbery <[email protected]> writes:

> +     for ( ; vec && *vec; vec++ ){
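Review bot: the loop begins at `*vec`, so the first element it inspects is the command name rather than the first argument; start from the next element (`for (vec++; vec && *vec; vec++)`). The `vec &&` test is also re-evaluated on every iteration although incrementing a non-NULL pointer never yields NULL; test `vec` once before the loop instead.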

At least one bug: this needs to be

    for ( vec++; vec && *vec; vec++ ){

since the first argument is "scp".

I suspect that the rsync protocol is also vulnerable to a version of this
same bug if .ssh/config is writable and is used as the ssh client path and
the ssh binary is available on the server side, by sending an rsync
command that tries to copy a file to localhost: similar to your second
attack example.  I believe tightening rssh's check that the rsync command
line starts with --server would address that, since I think (but haven't
confirmed) that will disable remote copies.

It seems likely that there's some way of abusing cvs as well, given its
huge command surface.

-- 
Russ Allbery ([email protected])              <http://www.eyrie.org/~eagle/>
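The off-by-one above, and the tightened rsync check Russ suggests, as an added C example that is not rssh's own code. It assumes, as argv does, that the vector is NULL-terminated and that its first element is the command name ("scp", "rsync"); the exact shape of rssh's rsync check is assumed, not taken from its source.

```c
#include <stddef.h>
#include <string.h>

/* Assumed: vec is a NULL-terminated argument vector whose first element
 * is the command name, exactly like argv. */

/* Number of elements the buggy loop header from the patch visits: it starts
 * at *vec, so the command name itself is treated as an argument. */
int count_visited_buggy(char **vec)
{
    int n = 0;
    for ( ; vec && *vec; vec++)
        n++;
    return n;
}

/* Number of real arguments, using the corrected loop header (vec++ first).
 * The NULL check is done once, before the loop, since incrementing a
 * non-NULL pointer can never make it NULL. */
int count_arguments(char **vec)
{
    int n = 0;
    if (vec == NULL || *vec == NULL)
        return 0;                   /* empty vector: nothing to inspect */
    for (vec++; *vec; vec++)
        n++;
    return n;
}

/* Assumed shape of the tightened rsync check: the vector must be "rsync"
 * followed immediately by the literal "--server".  An exact strcmp is used
 * so that a longer option such as "--server-foo", or a "--server" appearing
 * later in the line, does not satisfy the check. */
int rsync_vector_is_server_mode(char **vec)
{
    if (vec == NULL || vec[0] == NULL || vec[1] == NULL)
        return 0;
    if (strcmp(vec[0], "rsync") != 0)
        return 0;
    return strcmp(vec[1], "--server") == 0;
}
```

With the buggy header a vector such as `{"scp", "-t", "/tmp", NULL}` is seen as three items, the first of them the command name; with the fix only the two real arguments are inspected. The rsync helper accepts only the server-side invocation form and rejects a client-side line that names a destination host.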


_______________________________________________
rssh-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rssh-discuss
