netcat -e: the GAPING_SECURITY_HOLE

security bsd netcat

While I've no definitive answer, I believe the gaping security hole is only present if your nc has -e enabled and is setuid root. (As nc is often used to bind to ports, it might be packaged setuid root to enable all users to bind on the privileged ports below 1024.)

In that situation, nc -e would exec the given process as root - which means it would let any user run any process as root. I'm sure you'll recognise that this is a gaping security hole. By contrast, if you run your own process and use pipes to connect it to nc, that process does not run as root unless you have some other way to elevate it (like sudo access).

As grawity pointed out, netcat's original release announcement complained that

the commercial vendors would have likely packaged [netcat] setuid root and with -DGAPING_SECURITY_HOLE turned on but not documented.

This lends weight to my theory, I think. :)


from the original release announcement:

Obligatory vendor-bash: If "nc" had become a standard utility years ago, the commercial vendors would have likely packaged it setuid root and with -DGAPING_SECURITY_HOLE turned on but not documented. It is hoped that netcat will aid people in finding and fixing the no-brainer holes of this sort that keep appearing, by allowing easier experimentation with the "bare metal" of the network layer.

Not that it makes anything clearer...

Related

running tar completely locks up mysql
Recover a MySQL database with only bin-log file
Best Practices: AWS EC2 Private Keys
How to configure mirror/span port on vSwitch?
Mount to NFS export of autofs mount shows empty contents
Backup ZFS snapshots to tape (both full and diff)
DOS attack "slow post" : How to prevent in IIS
Syntax of certutil.exe?
SSH closes connection when key is accepted
Linux: How to find out whether NIC is causing a bottleneck?
Is a user automatically part of a group of the same name?
OpenVPN server running on openvz. How to write iptables rule without masquerade?