J-Security Center

Title: RCP Shell Utility Arbitrary Command Execution Vulnerability

Severity: HIGH

Description:

RCP is a shell utility for copying files from one computer to another.

RCP is prone to an arbitrary command-execution vulnerability because it fails to properly sanitize user-supplied input before using it in a 'system()' function call.

If RCP is used in an all-local or an all-remote fashion, it uses the 'system()' function to execute either a local copy operation or a remote connection followed by a local copy operation. When using the 'system()' function, a shell is spawned to process the arguments. If filenames are created that contain shell metacharacters, the shell will process them during the 'system()' call. Attackers can create files with names that contain shell metacharacters along with commands to be executed. If a user then uses RCP to copy these files (likely during bulk copy operations involving wildcards), then the attacker-supplied commands will be executed with the privileges of the user running RCP.

Exploiting this issue allows attackers to execute arbitrary shell commands with the privileges of users executing a vulnerable version of RCP.

NOTE: OpenSSH SCP is a fork of RCP and is known to also be affected by this issue.
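The following C sketch is an added example, not code from RCP, OpenSSH, or this advisory. It contrasts the string-building pattern described above with one way to run the local copy without a shell; the function names, the sample file name, and the /tmp paths are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Pattern the advisory describes, kept for contrast and never executed here:
 * the names are pasted into one string that system() would give to /bin/sh. */
int build_shell_command(char *out, size_t n, const char *src, const char *dst)
{
    return snprintf(out, n, "cp %s %s", src, dst);
}

/* Audit helper: 1 if the name holds a character /bin/sh treats specially. */
int has_shell_metachar(const char *name)
{
    return name[strcspn(name, ";&|`$()<>\\\"'*?[]{}~!# \t\n")] != '\0';
}

/* Hardened form: exec cp directly with one argv slot per name. No shell
 * parses the names, and "--" stops cp reading a leading '-' as an option. */
int copy_without_shell(const char *src, const char *dst)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("cp", "cp", "--", src, dst, (char *)NULL);
        _exit(127);                      /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed sample: a name with metacharacters is copied as plain data. */
int demo_roundtrip(void)
{
    const char *src = "/tmp/rcp_demo;name with$meta.txt";
    const char *dst = "/tmp/rcp_demo_copy.txt";
    FILE *f = fopen(src, "w");
    if (!f) return 0;
    fputs("sample\n", f);
    fclose(f);
    int ok = has_shell_metachar(src) && copy_without_shell(src, dst) == 0
             && access(dst, R_OK) == 0;
    unlink(src); unlink(dst);
    return ok;
}

int main(void) { printf("copied safely: %d\n", demo_roundtrip()); return 0; }
```

The audit helper can also be run over a directory listing before a bulk copy to flag names that a shell-based copy path would interpret.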

Affected Products:

  • Apple Mac OS X 10.3.9
  • Apple Mac OS X 10.4.0
  • Apple Mac OS X 10.4.1
  • Apple Mac OS X 10.4.2
  • Apple Mac OS X 10.4.3
  • Apple Mac OS X 10.4.4
  • Apple Mac OS X 10.4.5
  • Apple Mac OS X 10.4.6
  • Apple Mac OS X 10.4.7
  • Apple Mac OS X 10.4.8
  • Apple Mac OS X Server 10.3.9
  • Apple Mac OS X Server 10.4.0
  • Apple Mac OS X Server 10.4.1
  • Apple Mac OS X Server 10.4.2
  • Apple Mac OS X Server 10.4.3
  • Apple Mac OS X Server 10.4.4
  • Apple Mac OS X Server 10.4.5
  • Apple Mac OS X Server 10.4.6
  • Apple Mac OS X Server 10.4.7
  • Apple Mac OS X Server 10.4.8
  • Avaya CMS Server 12.0.0
  • Avaya CMS Server 13.0.0
  • Avaya CMS Server 13.1
  • Avaya CMS Server 14.0
  • Avaya CVLAN
  • Avaya DefinityOne Media Servers
  • Avaya DefinityOne Media Servers R10
  • Avaya DefinityOne Media Servers R11
  • Avaya DefinityOne Media Servers R12
  • Avaya DefinityOne Media Servers R6
  • Avaya DefinityOne Media Servers R7
  • Avaya DefinityOne Media Servers R8
  • Avaya DefinityOne Media Servers R9
  • Avaya G700 Media Gateway 3.0.0
  • Avaya Integrated Management
  • Avaya Integrated Management 2.1.0
  • Avaya Interactive Response
  • Avaya Interactive Response 1.2.1
  • Avaya Interactive Response 1.3.0
  • Avaya Interactive Response 2.0
  • Avaya Predictive Dialer
  • Avaya Predictive Dialing System (PDS) 11.0.0
  • Avaya Predictive Dialing System (PDS) 11.11
  • Conectiva Linux 10.0.0
  • Easy Software Products CUPS 1.1.20
  • Gentoo net-misc/dropbear 0.47
  • Gentoo net-misc/openssh 4.2
  • HP HP-UX B.11.11
  • HP HP-UX B.11.23
  • IBM Hardware Management Console (HMC) 5.2.1
  • Linux kernel 2.4.19
  • Linux kernel 2.4.21
  • Linux kernel 2.6.5
  • MandrakeSoft Corporate Server 3.0.0
  • MandrakeSoft Corporate Server 3.0.0 x86_64
  • MandrakeSoft Linux Mandrake 10.1.0
  • MandrakeSoft Linux Mandrake 10.1.0 x86_64
  • MandrakeSoft Linux Mandrake 10.2.0
  • MandrakeSoft Linux Mandrake 10.2.0 x86_64
  • MandrakeSoft Linux Mandrake 2006.0.0
  • MandrakeSoft Linux Mandrake 2006.0.0 x86_64
  • MandrakeSoft Multi Network Firewall 2.0.0
  • Microsoft Windows 2000 Server
  • Microsoft Windows NT Server 4.0 SP6a
  • OpenBSD OpenSSH 4.2p1
  • OpenPKG OpenPKG 2.3.0
  • OpenPKG OpenPKG 2.4.0
  • OpenPKG OpenPKG 2.5.0
  • RedHat Advanced Workstation for the Itanium Processor 2.1.0
  • RedHat Desktop 3.0.0
  • RedHat Desktop 4.0.0
  • RedHat Enterprise Linux AS 2.1
  • RedHat Enterprise Linux AS 3
  • RedHat Enterprise Linux AS 4
  • RedHat Enterprise Linux ES 2.1
  • RedHat Enterprise Linux ES 3
  • RedHat Enterprise Linux ES 4
  • RedHat Enterprise Linux WS 2.1
  • RedHat Enterprise Linux WS 3
  • RedHat Enterprise Linux WS 4
  • RedHat Fedora Core1
  • RedHat Fedora Core2
  • RedHat Fedora Core3
  • RedHat Fedora Core4
  • RedHat Linux 7.3.0 i386
  • RedHat Linux 9.0.0 i386
  • S.u.S.E. Linux Desktop 1.0.0
  • S.u.S.E. Linux Enterprise Server 8
  • S.u.S.E. Linux Enterprise Server 9
  • S.u.S.E. Linux Personal 10.0.0 OSS
  • S.u.S.E. Linux Personal 9.1.0
  • S.u.S.E. Linux Personal 9.1.0 x86_64
  • S.u.S.E. Linux Personal 9.2.0
  • S.u.S.E. Linux Personal 9.2.0 x86_64
  • S.u.S.E. Linux Personal 9.3.0
  • S.u.S.E. Linux Personal 9.3.0 x86_64
  • S.u.S.E. Linux Professional 10.0.0 OSS
  • S.u.S.E. Linux Professional 9.1.0
  • S.u.S.E. Linux Professional 9.1.0 x86_64
  • S.u.S.E. Linux Professional 9.2.0
  • S.u.S.E. Linux Professional 9.2.0 x86_64
  • S.u.S.E. Linux Professional 9.3.0
  • S.u.S.E. Linux Professional 9.3.0 x86_64
  • S.u.S.E. UnitedLinux 1.0.0
  • SGI ProPack 3.0.0 SP6
  • Slackware Linux 10.0.0
  • Slackware Linux 10.1.0
  • Slackware Linux 10.2.0
  • Slackware Linux 8.1.0
  • Slackware Linux 9.0.0
  • Slackware Linux 9.1.0
  • Sun Solaris 10.0
  • Sun Solaris 10.0_x86
  • Sun Solaris 8
  • Sun Solaris 8_x86
  • Sun Solaris 9
  • Sun Solaris 9_x86
  • Trustix Secure Enterprise Linux 2.0.0
  • Trustix Secure Linux 2.2.0
  • Trustix Secure Linux 3.0.0
  • Ubuntu Ubuntu Linux 4.1.0 ia32
  • Ubuntu Ubuntu Linux 4.1.0 ia64
  • Ubuntu Ubuntu Linux 4.1.0 ppc
  • Ubuntu Ubuntu Linux 5.0.0 4 amd64
  • Ubuntu Ubuntu Linux 5.0.0 4 i386
  • Ubuntu Ubuntu Linux 5.0.0 4 powerpc
  • Ubuntu Ubuntu Linux 5.10.0 amd64
  • Ubuntu Ubuntu Linux 5.10.0 i386
  • Ubuntu Ubuntu Linux 5.10.0 powerpc
  • Xpdf Xpdf 3.0.0 0
  • libpng libpng 1.0.15
  • libpng libpng3 1.2.5
