[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

improving security through cutting nc(1)?

Original *hobbit*'s netcat is known to contain some code providing '-e'
option, which means executing a program after making or receiving a
successful connection. In pair with option '-l' it can be used as simple
bindshell backdoor, for example

nc -lp 31337 -e /bin/sh

This piece of code activates during compiling netcat with
-DGAPING_SECURITY_HOLE and author strongly recommend to use it with great
care. OpenBSD version of this program does not contain this part at all.
I don't think that removing such useful option improved security,
because I can easy do the following:

$ cd /tmp
$ mknod shell.pipe p
$ nc -lp 31337 <shell.pipe |/bin/sh >shell.pipe &
[1] 27986 27672
$ telnet localhost 31337
Connected to localhost.
Escape character is '^]'.
uid=1000(grange) gid=0(wheel) groups=0(wheel)
: not foundtdin>[1]:

Connection closed by foreign host.
[1] + Done (1)             nc -lp 31337 < shell.pipe |
      Done (127)           /bin/sh > shell.pipe

and it will be the same as using '-e' option.
What do you think about putting this code back?

Best regards,
   Alexander Yurchenko
GRANGE-RIPN              mailto: grange@rt.mipt.ru