Note: This is an archival copy of Security Sun Alert 201349 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001022.1.
Article ID : 1001022.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-07-09
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in the rcp(1) Command May Allow Execution of Unintended Commands



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Bug Id
6473508

Date of Resolved Release
10-JUL-2007

Impact

A security vulnerability in the way the rcp(1) command invokes helper applications may allow a local unprivileged user (or a remote user in the case of shared filesystems) to create files with specially crafted file names which could lead to the execution of arbitrary commands with the privileges of a local user when that local user executes the rcp(1) command on the specially crafted file names.

Note: The scp(1) utility is also affected by this issue which is described in the following documents:

CVE-2006-0225 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225

Sun Alert 102961


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 8 without patches 110670-04 and 114669-04
  • Solaris 9 without patch 114716-05
  • Solaris 10 without patch 121132-03

x86 Platform

  • Solaris 8 without patches 110671-04 and 114670-04
  • Solaris 9 without patch 114717-05
  • Solaris 10 without patch 125794-02

Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited to execute arbitrary commands.


Workaround

This issue will only occur if the rcp(1) command is executed on files that have specially crafted file names. Therefore, it may be possible to work around this issue by avoiding the use of the rcp(1) command on untrusted file names, for example, in directories that are writable by untrusted users.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patches 110670-04 and 114669-04 or later
  • Solaris 9 with patch 114716-05 or later
  • Solaris 10 with patch 121132-03 or later

x86 Platform

  • Solaris 8 with patches 110671-04 and 114670-04 or later
  • Solaris 9 with patch 114717-05 or later
  • Solaris 10 with patch 125794-02 or later


References

114716-05
114717-05
121132-03
125794-02
110670-04
110671-04
114669-04
114670-04




Attachments
This solution has no attachment