CVE-2019-7283
Description
A malicious rsh server or MITM can overwrite arbitrary files on the rcp client due to insufficient validation of file names returned by the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A malicious rsh server or MITM can overwrite arbitrary files on the rcp client due to insufficient validation of file names returned by the server.
Vulnerability
An issue exists in rcp in NetKit through version 0.17. The server selects which files or directories to send to the client, but the client performs only cursory validation of the object names returned. This allows a malicious rsh server or a Man-in-the-Middle attacker to overwrite arbitrary files in the target directory on the rcp client machine. The vulnerability is similar to CVE-2019-6111, which affects scp clients derived from rcp. The affected versions are NetKit rcp up to and including 0.17 [1].
Exploitation
The attacker must control the rsh server or be able to perform a Man-in-the-Middle attack on the connection. In the MITM scenario, the victim must accept a wrong host fingerprint. The attacker then provides a crafted directory or file name during the rcp protocol exchange. For example, a malicious server could send a file named "D0777 0 .\n" or use a directory traversal name to overwrite files like .bash_aliases in the victim's home directory. The extra file transfer can be hidden by sending ANSI control sequences via stderr [1].
Impact
A successful attack allows the attacker to write arbitrary files to the rcp client's target directory, potentially achieving code execution if files such as shell aliases or configuration files are overwritten. The attacker can also modify target directory permissions. The impact is arbitrary file write with the privilege level of the client user, potentially leading to full compromise of the client system [1].
Mitigation
As of the advisory date (2019-01-31), no official patch for NetKit rcp has been released. Users are advised to avoid using rcp and instead use more secure alternatives such as scp with proper validation (if patched) or sftp. The vulnerability is not known to be on the CISA KEV list. Administrators should treat rcp as an insecure protocol and disable or firewall rsh/rcp services [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=0.17
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation of received object names — the rcp/scp client trusts the server to return the requested filename and only checks for directory traversal, allowing the server to overwrite arbitrary files in the target directory."
Attack vector
An attacker controls the rcp/scp server (or is a Man-in-the-Middle who can spoof the server) and, when the victim runs an rcp/scp operation to retrieve a file, the server sends back a different object name than the one requested [ref_id=1]. The client only checks for directory traversal (e.g., "../" sequences) but does not verify that the returned filename matches the requested filename, so the server can overwrite any file in the target directory [ref_id=1]. If the recursive flag (-r) is used, the server can also manipulate subdirectories, for example overwriting ~/.ssh/authorized_keys [ref_id=1]. The advisory notes that a Man-in-the-Middle attack requires the victim to accept the wrong host fingerprint [ref_id=1].
Affected code
The advisory states the vulnerability is in the rcp implementation (dating back to 1983) on which scp is based, specifically in NetKit through version 0.17 [ref_id=1]. The flaw is in the client-side code that performs only "cursory validation of the object name returned" by the server — only directory traversal attacks are prevented, but arbitrary filenames within the target directory are not validated [ref_id=1].
What the fix does
The advisory recommends switching to sftp where possible, or applying the official OpenSSH patch for CVE-2019-6111 (commit 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc) [ref_id=1]. An unofficial hardening patch (scp-name-validator.patch) is also provided, though the advisory warns it may cause issues if remote and local shells disagree on glob() pattern matching [ref_id=1]. For NetKit rcp specifically, no patch is mentioned in the advisory; the CVE description notes the issue exists in NetKit through 0.17.
Preconditions
- networkVictim must initiate an rcp/scp operation from a malicious server (or an attacker must be able to perform a Man-in-the-Middle attack on the connection)
- authFor MITM attack, the victim must accept the wrong host fingerprint
- configThe rcp/scp client must be a vulnerable version (NetKit through 0.17, or other affected clients listed in the advisory)
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- bugs.debian.org/920486mitrex_refsource_MISC
- lists.debian.org/debian-lts-announce/2021/11/msg00016.htmlmitremailing-listx_refsource_MLIST
- sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txtmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.