Buffer overflow in rcp for AIX 4.3.3, 5.1 and 5.2 allows local users to gain privileges.
A buffer overflow in the rcp utility shipped with IBM AIX 4.3.3, 5.1 and 5.2 lets a local user gain elevated privileges. rcp is installed setuid root (it needs root to bind the reserved source port the rsh protocol requires), so any user who can execute it can, through this flaw, run code as root and take full control of the host. The vulnerability is local: the attacker needs an existing account or shell on the AIX system, and nothing in the advisory indicates a remote trigger.
Step 1: Input Preparation: The attacker builds an argument (a file path or filename, according to the advisory; it does not name the exact parameter) that is longer than the fixed-size buffer rcp copies it into. The bytes beyond the buffer's length are not mere filler: they are laid out so that specific values land on the memory that follows the buffer.
Step 2: Invocation: Because the flaw is local, no network transfer is involved. The attacker, already logged in as an unprivileged user, runs the setuid-root rcp binary with the oversized argument, for example as the source or destination of a copy between two locations on the same system.
Step 3: Buffer Overflow Trigger: When rcp copies the argument into its buffer without checking its length, the part of the string that does not fit spills into the adjacent memory.
Step 4: Control Hijack: Among the overwritten locations is the function's saved return address. The attacker's input places the address of shellcode, or of other code that will run with rcp's privileges, into that slot. On AIX's PowerPC targets the return address is held in the link register and saved into the stack frame rather than pushed the way an x86 return address is, so the overwrite must reach that saved link-register slot; the principle is the same.
Step 5: Code Execution: When the vulnerable function returns, it jumps to the attacker-supplied address. The code runs with the effective privileges of the rcp process, which is root because the binary is setuid root; a typical payload sets the real uid to 0 and executes a shell.
The vulnerability lies in rcp's handling of its input when it processes file paths and filenames: the program copies the supplied string into a fixed-size buffer without checking that the string fits. A string longer than the buffer overwrites the memory beyond it, including control data on the stack such as the saved return address. By choosing the length and contents of the string, an attacker replaces that return address with the address of attacker-controlled code (for example shellcode), and when the function returns control passes to that code with root privileges. The root cause is the missing bounds check, not the size of the buffer; a larger buffer would only change how long the overflowing string has to be. The remedy is the vendor's corrected rcp. Until it is installed, the usual containment is to remove the setuid bit from rcp or restrict execute permission on it to a trusted group (check with ls -l whether the installed binary still carries the bit), accepting that rcp to remote hosts then fails because it can no longer bind a reserved port.
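The following C program is an added illustration of the bug class described above and of its fix; it is not IBM's rcp source, and the buffer size, the two addresses and the frame layout are assumptions chosen to make the overwrite visible. A fixed-size path buffer sits directly below a saved return address, as in a stack frame; the unchecked copy lets an oversized argument replace that address, while the checked copy refuses the same argument and leaves it intact.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the undersized local buffer in this model. The real size in rcp is
   not given by the advisory; 32 is an assumption. */
#define PATH_BUF_LEN 32

#define BENIGN_LR 0x10001000u   /* legitimate return address (assumed) */
#define EVIL_LR   0x41424344u   /* attacker-chosen address; no zero bytes, so strlen() keeps it */

/* Model of a stack frame: the path buffer lies right below the saved return
   address (the saved link-register slot on PowerPC/AIX). */
struct frame {
    char     path[PATH_BUF_LEN];
    uint32_t saved_lr;
};

/* Vulnerable pattern: the argument is copied with no length check, as
   strcpy(f->path, arg) would do. The copy runs over the whole frame object
   and stops at its end only so this demonstration cannot corrupt the test
   process; a real strcpy keeps writing. */
void copy_path_unchecked(struct frame *f, const char *arg)
{
    size_t n = strlen(arg) + 1;          /* includes the terminator */
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy(f, arg, n);
}

/* Hardened form: refuse anything that does not fit together with its
   terminator, and touch nothing in that case. */
int copy_path_checked(struct frame *f, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= sizeof f->path)
        return -1;
    memcpy(f->path, arg, n + 1);
    return 0;
}

/* Constructed attacker argument: PATH_BUF_LEN filler bytes to reach the end
   of the buffer, then EVIL_LR in host byte order so it lands on saved_lr. */
const char *attacker_argument(void)
{
    static char buf[PATH_BUF_LEN + sizeof(uint32_t) + 1];
    const uint32_t target = EVIL_LR;
    memset(buf, 'A', PATH_BUF_LEN);
    memcpy(buf + PATH_BUF_LEN, &target, sizeof target);
    buf[sizeof buf - 1] = '\0';
    return buf;
}

/* Unchecked copy on a fresh frame; reports where the function would return. */
uint32_t return_address_after_unchecked(const char *arg)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_lr = BENIGN_LR;
    copy_path_unchecked(&f, arg);
    return f.saved_lr;
}

/* Checked copy on a fresh frame; reports its status (0 accepted, -1 refused). */
int checked_status(const char *arg)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_lr = BENIGN_LR;
    return copy_path_checked(&f, arg);
}

/* Checked copy on a fresh frame; reports where the function would return. */
uint32_t return_address_after_checked(const char *arg)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_lr = BENIGN_LR;
    copy_path_checked(&f, arg);
    return f.saved_lr;
}

int main(void)
{
    printf("benign arg,   unchecked copy: returns to 0x%08x\n",
           return_address_after_unchecked("/tmp/file"));
    printf("attacker arg, unchecked copy: returns to 0x%08x\n",
           return_address_after_unchecked(attacker_argument()));
    printf("attacker arg, checked copy:   rc=%d, returns to 0x%08x\n",
           checked_status(attacker_argument()),
           return_address_after_checked(attacker_argument()));
    return 0;
}
```

The attacker's string is 36 bytes long: the first 32 fill the buffer, the next 4 are the address that replaces saved_lr. The hardened function rejects it because 36 is not below 32, which is the check the vulnerable code lacks; note that it compares against the buffer's own size, so changing PATH_BUF_LEN keeps it correct.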