Bug#265583: netcat: New `-c' option: like `-e'; uses /bin/sh -c to exec

    From Jan Minar@1:229/2 to All on Fri Aug 13 22:40:09 2004
    From: [email protected]


    Package: netcat
    Version: 1.10-21
    Severity: wishlist
    Tags: patch

    Hi.

    I needed to execute commands with command-line arguments, so I added
    this functionality to nc(1). With a new `-c' option, we have the full
    shell grammar on the commandline, without a need for an external script.
    Unfortunately, it wasn't possible to overload the `-e' option, because
    the slight semantics difference would impose too much complexity on the
    users, IMO. See the patch for more detailed discussion.

    Please find the enclosed patch.


    -- System Information
    Debian Release: 3.0
    Architecture: i386
    Kernel: Linux kontryhel 2.4.26-jan #6 SMP Tue Jul 27 21:24:30 CEST 2004 i686
    Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2

    Versions of packages netcat depends on:
    ii libc6 2.2.5-11.5 GNU C Library: Shared libraries an

    Attachment: patch-netcat-1.10-exec_using_sh

    --- netcat-1.10.ORIG/netcat.c 2004-08-13 14:29:28.000000000 +0000
    +++ netcat-1.10/netcat.c 2004-08-13 19:17:52.000000000 +0000
    @@ -592,6 +592,58 @@

    #ifdef GAPING_SECURITY_HOLE
    char * pr00gie = NULL; /* global ptr to -e arg */
    +int doexec_use_sh = 0; /* `-c' or `-e' option? */
    +
    +/*
    + * The old way, you must *not* quote $IFS characters in the filename, while
    + * the new way, you have to, of course. If you use nc -e with executables
    + * with $IFS in filenames, this change will break your programs.
    + * Unfortunately, we can not try the old way and then proceed with the new one + * only if it fails, as this would pose security risks if used in
    + * publicly-writable directories, such as in /tmp:
    + *
    + * $ cd /tmp
    + * $ cp /bin/date .
    + * $ cp /bin/date 'date -I'
    + * $ nc -lp31337 -e './date -I'
    + * # ``date -I'' gets executed, not ``date''
    + * $ cp /bin/date 'sh -c "date -I"'
    + * $ nc -lp31337 -e 'sh -c "date -I"'
    + * # ``sh -c "date -I"'' gets executed, not ``date''
    + * ... and
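    Review bot: the new comment block says "If you use nc -e with executables with $IFS in filenames, this change will break your programs", but the cover letter states that `-e' is deliberately left alone and the /bin/sh -c semantics are selected only by the new `-c' option (tracked by the added `doexec_use_sh' flag); reword the comment so it is explicit that the shell-quoting caveat applies to `-c' and that `-e' keeps the old direct-exec behaviour, and put the same caveat in the nc(1) manual page where the new option is documented. The /tmp example in the comment is a sound argument for never falling back from direct exec to sh -c (a writable directory lets someone plant a file named like the intended command line), so keeping the two modes strictly separate, as the flag does, is the right design; only the wording needs fixing.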