Secunia Security Advisory - Two vulnerabilities have been reported in scponly, which can be exploited by malicious, local users to gain escalated privileges, or by malicious users to bypass certain security restrictions.
c1d145cea2915619715090e56c11923f3ed8aae5c2436cabb286723feba255da
TITLE:
scponly Privilege Escalation and Security Bypass Vulnerabilities
SECUNIA ADVISORY ID:
SA18223
VERIFY ADVISORY:
http://secunia.com/advisories/18223/
CRITICAL:
Less critical
IMPACT:
Security Bypass, Privilege escalation
WHERE:
>From remote
SOFTWARE:
scponly 3.x
http://secunia.com/product/4357/
scponly 4.x
http://secunia.com/product/6662/
DESCRIPTION:
Two vulnerabilities have been reported in scponly, which can be
exploited by malicious, local users to gain escalated privileges, or
by malicious users to bypass certain security restrictions.
1) A design error in "scponlyc" allows it to be used with arbitrary
chroot directories that local users create in their home directories.
This can be exploited by malicious users to gain escalated privileges
by creating a hardlink to a setuid root binary in their own chroot
directory, configuring LD_PRELOAD to overload a call to setuid with a
malicious function, and then using "scponlyc" with the malicious
chroot directory.
Successful exploitation allows local privilege escalation but
requires that the chrooted setuid "scponlyc" binary is installed, a
user executable setuid binary exists on the same file system mount as
the user's home directory, and the OS supports LD_PRELOAD.
2) An error exists in the validation of user supplied command line.
This can be exploited to supply additional command line arguments to
rsync or scp, potentially bypassing the restricted shell and allowing
the execution of arbitrary programs.
Successful exploitation requires that scp and rsync compatibility is
enabled.
The vulnerabilities have been reported in version 4.1 and prior.
SOLUTION:
Update to version 4.2.
http://sublimation.org/scponly/
PROVIDED AND/OR DISCOVERED BY:
1) Max Vozeler
2) Pekka Pessi
ORIGINAL ADVISORY:
http://sublimation.org/scponly/#relnotes
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------