Vulnerability in rcp on SunOS 4.0.x allows remote attackers from trusted hosts to execute arbitrary commands as root, possibly related to the configuration of the nobody user.
The rcp (remote copy) utility shipped with SunOS 4.0.x contains a critical vulnerability that lets a remote attacker on a trusted host gain root on the target. The published description attributes the flaw to rcp's handling of user identity and permissions, possibly involving the configuration of the nobody account, and says it allows arbitrary command execution as root, so a successful attack compromises both system integrity and data confidentiality. The vulnerability is decades old, but it remains a useful case study: it combines host-based trust with a privilege-switching mistake, two failure modes that still recur.
The exact trigger was never published in detail; the following is a plausible reconstruction of the attack path, consistent with the published description, not a verified exploit procedure.
Step 1: Trust Establishment: The attacker must control a host that the target considers 'trusted'. rcp's remote side is served by the rsh daemon, which grants access based on entries in the target's /etc/hosts.equiv or in a user's ~/.rhosts. Because that trust is keyed on the client's hostname and address, an attacker who can spoof a trusted host's IP address or DNS records can impersonate it.
Step 2: Exploit Trigger: From the trusted (or impersonated) host, the attacker runs rcp against the vulnerable SunOS 4.0.x system, naming a file or directory on the target.
Step 3: Command Injection (Likely): rcp works by asking the remote rsh daemon to run a command on the target, so a crafted file name or option that the remote side hands to a shell, or a flaw in how rcp checks paths and permissions, could let the attacker smuggle in commands of their own.
Step 4: Privilege Escalation: The rsh daemon runs as root and is supposed to switch to the requested local user before executing anything. The vulnerability means that, for a request associated with the nobody account (or through another permission-check failure), this switch does not take effect as intended, and the command runs with root's privileges instead of an unprivileged user's.
Step 5: Arbitrary Command Execution: The attacker's command executes as root, giving them full control of the target system.
The vulnerability lies within the rcp implementation on SunOS 4.0.x, specifically in how it handles user authentication and permission checks when copying files. The root cause is likely a combination of two factors:
- Reliance on .rhosts and /etc/hosts.equiv for authentication. These files grant access to any host listed in them (and, with a '+' wildcard entry, to every host) on the strength of the client's claimed identity alone, with no further validation.
- A misconfiguration of the nobody user, or another gap in the permission checks applied during the file transfer, that lets a request which should run unprivileged run as root instead.
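Both contributing factors are configuration that an administrator can inspect. The script below is an added audit example written for this page; it is not code from the original advisory or from Sun. It assumes the BSD-style hosts.equiv/.rhosts syntax ("hostname [username]", with '+' as a wildcard and '+@group' / '-@group' for netgroups) and a seven-field /etc/passwd. It flags wildcard trust entries, a nobody account whose uid is 0 or negative (SunOS 4.0.x shipped nobody with uid -2; whether that value is the actual trigger is an assumption, since the advisory only says "possibly related"), and any non-root account with uid 0. The file contents it checks are constructed samples so it runs offline.

```shell
#!/bin/sh
# Added audit example for rsh-style trust configuration. Not part of the
# original advisory. Paths are parameters so constructed samples can be used.

# audit_rhosts FILE
# Reports risky entries in a hosts.equiv or .rhosts file.
# Returns 1 if any finding was printed, 0 if the file looks restrictive.
audit_rhosts() {
    rh_file="$1"
    found=0
    # Format: "host [user]"; '+' alone means any host / any user,
    # '+@name' trusts a whole netgroup, '-...' entries deny access.
    while read -r host user rest || [ -n "$host" ]; do
        case "$host" in
            ''|\#*) continue ;;                      # blank or comment
            +)   echo "$rh_file: '+' trusts every host (user: ${user:-any})"; found=1 ;;
            +@*) echo "$rh_file: '$host' trusts every host in netgroup ${host#+@}"; found=1 ;;
        esac
        case "$user" in
            +) echo "$rh_file: '+' user wildcard for host $host"; found=1 ;;
        esac
    done < "$rh_file"
    return $found
}

# audit_passwd FILE
# Flags a nobody account with uid 0 or a negative uid, and any non-root
# account that has uid 0. Returns 1 on any finding, else 0.
audit_passwd() {
    pw_file="$1"
    found=0
    while IFS=: read -r name pw uid gid gecos home shell || [ -n "$name" ]; do
        case "$name" in ''|\#*) continue ;; esac
        if [ "$name" = "nobody" ]; then
            case "$uid" in
                0|-*) echo "$pw_file: nobody has uid $uid (expect a large positive uid)"; found=1 ;;
            esac
        elif [ "$uid" = "0" ] && [ "$name" != "root" ]; then
            echo "$pw_file: account '$name' has uid 0"; found=1
        fi
    done < "$pw_file"
    return $found
}

# Constructed sample files (hypothetical hosts; not real configuration).
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '# permissive sample' '+' 'trusted.example.com +' '+@engineers' \
    > "$SAMPLE_DIR/hosts.equiv.bad"
printf '%s\n' 'trusted.example.com' '-@untrusted' \
    > "$SAMPLE_DIR/hosts.equiv.ok"
printf '%s\n' 'root:x:0:1:Operator:/:/bin/sh' 'nobody:x:-2:-2:Nobody:/:/bin/false' \
    > "$SAMPLE_DIR/passwd.bad"
printf '%s\n' 'root:x:0:1:Operator:/:/bin/sh' 'nobody:x:65534:65534:Nobody:/:/bin/false' \
    > "$SAMPLE_DIR/passwd.ok"

for f in hosts.equiv.bad hosts.equiv.ok; do
    if audit_rhosts "$SAMPLE_DIR/$f"; then echo "$f: no risky trust entries"; fi
done
for f in passwd.bad passwd.ok; do
    if audit_passwd "$SAMPLE_DIR/$f"; then echo "$f: nobody and uid-0 accounts look sane"; fi
done
```

On a real system the same functions would be pointed at /etc/hosts.equiv, every ~/.rhosts found under home directories, and /etc/passwd; a non-zero return from either function is the signal to review the entry before deciding whether rsh-based trust should exist at all.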