
Which OSes are compiling `nc` with `-DGAPING_SECURITY_HOLE`?


Jeez, what's with the down votes? Look at the netcat documentation, that's what the configuration option for "-e" is called.

https://ps.uci.edu/~franklin/doc/netcat.html https://stackoverflow.com/questions/15351646/how-to-re-compi...


How is it related to the vim vulnerability?


That was the proof-of-concept they used.


What's the gaping security hole there? My interpretation of the documentation is that -e PROG execs PROG with stdin/stdout set to the accepted socket. (I mean, it's possible to write a program that, if it receives any input on stdin, would rm -rf everything. But the error seems with the combination of the program and -e, and not -e? That is, -e isn't inherently dangerous? Or do we just not trust ourselves that much?)


-DGAPING_SECURITY_HOLE is how you have to compile nc in order to enable "-e" support. The gaping security hole is that it is literally RCE-as-a-feature -- yes, it's not as bad as "pass any text you get over this socket to a shell session" but it's still pretty bad.
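The behaviour being argued over here, as an added illustration (this is not netcat's source and not code from anyone in the thread): once a connection is accepted, `-e PROG` makes the connected socket the child's stdin, stdout and stderr and then execs PROG, so the peer's bytes become PROG's input and PROG's output goes back over the wire. A `socketpair` stands in for the accepted TCP connection so the whole exchange runs offline; the program paths `/bin/cat` and `/bin/sh` and the helper names are assumptions for the example.

```c
/* Added example, not netcat's code: the core of what "nc -e PROG" does
 * after accept(). A socketpair plays the role of the TCP connection. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Child side of "-e": wire the socket to the standard descriptors and exec
 * PROG with no arguments. Only returns (via _exit) on failure. */
static void exec_on_socket(int sock, const char *prog)
{
    if (dup2(sock, STDIN_FILENO) < 0 ||
        dup2(sock, STDOUT_FILENO) < 0 ||
        dup2(sock, STDERR_FILENO) < 0)
        _exit(127);
    if (sock > STDERR_FILENO)
        close(sock);                    /* the dup'd copies are enough */
    execl(prog, prog, (char *)NULL);
    _exit(127);                         /* exec failed */
}

/* Peer side: send `input` to the exec'd program over the "connection",
 * signal EOF, and collect whatever comes back into `out` (NUL-terminated).
 * Returns the number of bytes read, or -1 on error. */
ssize_t run_over_socketpair(const char *prog, const char *input,
                            char *out, size_t outlen)
{
    int sv[2];
    if (outlen == 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {                     /* "server" side: becomes PROG */
        close(sv[0]);
        exec_on_socket(sv[1], prog);
    }
    close(sv[1]);                       /* parent keeps the peer end only */
    size_t len = strlen(input);
    if (write(sv[0], input, len) != (ssize_t)len) { close(sv[0]); return -1; }
    shutdown(sv[0], SHUT_WR);           /* EOF on PROG's stdin */
    size_t total = 0;
    ssize_t n;
    while (total + 1 < outlen &&
           (n = read(sv[0], out + total, outlen - 1 - total)) > 0)
        total += (size_t)n;
    out[total] = '\0';
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return (ssize_t)total;
}

int main(void)
{
    char buf[256];
    /* With /bin/cat as PROG the peer's bytes come straight back; with
     * /bin/sh as PROG the same peer is typing into a shell. */
    if (run_over_socketpair("/bin/cat", "hello from the peer\n", buf, sizeof buf) < 0)
        return 1;
    fputs(buf, stdout);
    if (run_over_socketpair("/bin/sh", "id\n", buf, sizeof buf) < 0)
        return 1;
    fputs(buf, stdout);
    return 0;
}
```

The two `main` calls are the whole argument in miniature: nothing about `-e` is dangerous when PROG is `cat`, and everything about it is when PROG is a shell, which is why the build flag that enables it got the name it did.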


There is no security hole, -e isn't pretty bad.


He's not being facetious by saying -DGAPING_SECURITY_HOLE, that is literally the flag you need to set when compiling nc to use the -e flag.

https://android.googlesource.com/platform/external/netcat/+/...


I know that's the flag you need to set, but despite the name setting the flag does not introduce any kind of a security hole.


The -e option is pretty useful for security researchers, so it would be common enough for people trying the PoC.



