CVE-2005-4532 - Local vulnerability in SCPOnly

CVSS 7.2 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: local, low complexity, scponly, nessus

Summary

scponlyc in scponly 4.1 and earlier, when the operating system supports LD_PRELOAD mechanisms, allows local users to execute arbitrary code with root privileges by creating a chroot directory in their home directory, hard linking to a system setuid application, and using a modified LD_PRELOAD to modify expected function calls in the setuid application.

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-969.NASL
    description: Max Vozeler discovered a vulnerability in scponly, a utility to restrict user commands to scp and sftp, that could lead to the execution of arbitrary commands as root. The system is only vulnerable if the program scponlyc is installed setuid root and if regular users have shell access to the machine.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22835
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22835
    title: Debian DSA-969-1 : scponly - design error
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200512-17.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200512-17 (scponly: Multiple privilege escalation issues). Max Vozeler discovered that the scponlyc command allows users to chroot into arbitrary directories. Furthermore, Pekka Pessi reported that scponly insufficiently validates command-line parameters to a scp or rsync command. Impact: A local attacker could gain root privileges by chrooting into arbitrary directories containing hardlinks to setuid programs. A remote scponly user could also send malicious parameters to a scp or rsync command that would allow to escape the shell restrictions and execute arbitrary programs. Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20358
    published: 2005-12-30
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20358
    title: GLSA-200512-17 : scponly: Multiple privilege escalation issues