COMMAND

    rz

SYSTEMS AFFECTED

    FreeBSD systems (and others?)

PROBLEM

    All existing versions of the rz program (a program for receiving
    files over serial lines using the Z-Modem protocol) include a
    feature that allows the sender of a file to request the execution
    of arbitrary commands on the receiver's side.  The user running rz
    has no control over this feature.

    The workaround is to have rz never execute any such command, and
    always pretend that the execution succeeded.

    The rzsz package is an optional port that may be installed on some
    FreeBSD systems.  This program is not installed by default.  Systems
    without this program are not vulnerable.

    rz allows "Trojan Horse" type attacks against unsuspecting  users.
    Since  the  rz  executable  does  not run with special privileges,
    the  vulnerability  is  limited   to  changes  in  the   operating
    environment that the user could willingly perform.

SOLUTION

    Disable  the  rz  program.   If  it  has  been installed, it would
    typically be found in /usr/local/bin.

        # chmod 000 /usr/local/bin/rz
        # ls -l /usr/local/bin/rz
          ----------  1 root  wheel  23203 Mar  4 23:12 /usr/local/bin/rz
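    The following POSIX sh helpers are an added example, not part of
    the advisory: they locate any rz binary in the directories given,
    report whether it is still executable, and apply the chmod 000
    workaround above.  The function names are chosen here and only
    ls, cut, find and chmod are assumed.

```sh
#!/bin/sh
# Added example (not from the advisory): audit and disable installed rz copies.
# rz_status, rz_find, rz_disable and rz_audit are names chosen for this script.

# rz_status FILE
# Prints "disabled" when no permission bit is set (the advisory's chmod 000
# state), "executable" when any execute bit remains, "present" otherwise.
rz_status() {
    # columns 2-10 of "ls -ld" output are the nine permission characters
    perms=$(ls -ld "$1" | cut -c2-10)
    case $perms in
        ---------) echo disabled ;;
        *x*)       echo executable ;;
        *)         echo present ;;
    esac
}

# rz_find DIR...
# Lists regular files named rz in each existing directory given;
# the advisory's typical location is /usr/local/bin.
rz_find() {
    for d in "$@"; do
        [ -d "$d" ] && find "$d" -name rz -type f
    done
    return 0
}

# rz_disable FILE
# Applies the advisory's workaround and prints the resulting status.
rz_disable() {
    chmod 000 "$1" && rz_status "$1"
}

# rz_audit DIR...
# Reports each rz found under the given directories and disables it.
# Must run as root to change files owned by root, as in the advisory.
rz_audit() {
    for f in $(rz_find "$@"); do
        printf '%s: %s -> ' "$f" "$(rz_status "$f")"
        rz_disable "$f"
    done
}
```

    Run `rz_audit /usr/local/bin` as root on an affected host; pass further
    directories (each PATH entry, for instance) to cover other copies.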