📜 ⬆️ ⬇️

CVE-2019-6111 and other scp vulnerabilities

TL; DR;


More recently (since about 1983), it turned out that OpenSSH, as the rsh heir, for the scp command (ex. Rcp) allows the server to choose which file and with which parameters to send you. And the output vulnerabilities allow you to hide exactly which file you were transferred.
That is, you ask file.txt, and get - exploit.bin
And there are no fixes yet, such are the cases. Use sftp or rsync.

Details



CVE-2019-6109


The scp client does not check for extra characters in the file name, which allows you to hide the real name of the file being transferred (for example, ASCII codes)

CVE-2019-6110


The scp client allows you to write to stderr and rewrite the data in the terminal, which allows you to hide the real name of the file being transferred (for example, ASCII codes).

CVE-2019-6111


The scp client does not check which file is sent to it and does not compare it with what it requested. Malicious server can upload to the client all that he wants, and with any mode.

Work example


$ rm -rf * $ ls -la итого 36 drwxr-xr-x 2 user user 4096 янв 25 15:11 . drwx------ 99 user user 28672 янв 25 14:23 .. $ scp test@localhost:x.txt . x.txt 100% 32 0.3KB/s 00:00 $ ./exploit.sh # откуда он взялся?! You're hacked. Sorry for that Please upgrade your OpenSSH client $

In this example (a slightly modified exploit from the link above), the exploit.sh file with 755 permissions is loaded along with x.txt, and the fact of the transfer is overwritten with stderr.

Vulnerable Clients


In short, that's all. OpenSSH including 7.9p1, putty, winscp <5.13.
Only WinSCP has fixes (5.14+)
Use sftp / rsync when working with untrusted servers.

Source: https://habr.com/ru/post/437508/

More articles: