Bug 1677794 - CVE-2019-6111 affects krb5-appl kerberized rcp
Summary: CVE-2019-6111 affects krb5-appl kerberized rcp
Keywords:
Status: NEW
Alias: None
Product: softwarecollections.org
Classification: Community
Component: Other
Version: 1.0
Hardware: All
OS: All
unspecified
medium
Target Milestone: ---
Assignee: Honza Horak
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-02-15 22:05 UTC by Vern Staats
Modified: 2019-02-18 15:58 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)
Response from MITRE to my request to add this info to CVE-2019-611 (2.96 KB, message/rfc822)
2019-02-15 22:05 UTC, Vern Staats
no flags Details

Description Vern Staats 2019-02-15 22:05:49 UTC
Created attachment 1535343 [details]
Response from MITRE to my request to add this info to CVE-2019-611

Description of problem:
krb5-appl rcp has the same CVE-2019-6111 vulnerability as openssh scp.
I reported this to krbcore-security@mit.edu; they consider this package end-of-life / unsupported.
I have a PoC exploit and partial mitigation patches for src/krb5-appl-1.0.1/bsd/krcp.c

Version-Release number of selected component (if applicable):
krb5-appl-1.0.1-7.el6
krb5-appl-1.0.1-7.el6_2.1.src.rpm

How reproducible:
Always.

Steps to Reproduce:
1.  Apply patch krb5-appl-2019-6111-poc.diff (available on request)
2.  Run kshd with now-evil rcp
3.1  rcp remote-host:test.txt .
3.2  rcp remote-host:dirtest.txt .

Actual results:
3.1  mode 0755 ./.badrcp.rc with nc | bash script.
3.2  mode 0755 /tmp/.badrcp.rc with same remote access script.

Expected results:
Requested file, or nothing if remote file non-existant.

Additional info:
My first report to bugzilla.redhat.com, apologies for any mistakes.  Not sure how you wanted "Product / Component" categorised.  The affected package is available at
http://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/krb5-appl-1.0.1-7.el6_2.1.src.rpm


Note You need to log in before you can comment on or make changes to this bug.