
SANS ISC: OpenSSH scp Issue - Internet Security | DShield SANS ISC InfoSec Forums


OpenSSH scp Issue
Secunia has released an advisory that addresses an issue with the use of the "system()" function in scp. Because of this usage, special characters in scp's command line arguments that were escaped on the command line go through shell expansion twice and lose their escape character. What was initially a valid filename can then be interpreted as multiple filenames (pointing to non-existent files) or as additional commands (if the filename included a semicolon).

Additional details about the bug can be found in this Bugzilla post.

The latest version of OpenSSH, 4.2p1, is affected by this issue and a patch has not yet been made generally available.  Fedora has released updated RPMs for Fedora Core 4 that address this issue.  You can get more information about the Fedora updates here.

Here is an example from the Bugzilla post demonstrating the bug:

Steps to Reproduce:
1. touch foo\ bar (the \ escapes the space embedded in the filename)
2. mkdir somedir
3. scp foo\ bar somedir

Expected Results:
No message, the file copied
Actual Results:
cp: cannot stat `foo': No such file or directory
cp: cannot stat `bar': No such file or directory




David
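
The double shell parsing described above, as an added C example (not OpenSSH's code and not taken from the advisory or the Bugzilla post): the same local copy done once through system() and once through an argument vector with no shell involved. The function names, the temporary directory and the use of cp are assumptions made for this illustration; the file name "foo bar" is the one from the steps to reproduce.

```c
/* Added illustration, not OpenSSH source; all names and paths are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Pattern described above: system() hands the joined string to /bin/sh, which re-parses it. */
int copy_via_system(const char *src, const char *dst) {
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "cp %s %s 2>/dev/null", src, dst);
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* Hardened form: no shell; each name is exactly one argv entry. */
int copy_via_exec(const char *src, const char *dst) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execlp("cp", "cp", "--", src, dst, (char *)NULL); _exit(127); }
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Constructed scenario from the steps above: copy "foo bar" into somedir. Returns 1 if the file arrived. */
int demo(int use_exec) {
    char dir[] = "/tmp/scpdemoXXXXXX", src[64], dst[64], out[80];
    if (!mkdtemp(dir)) return -1;
    snprintf(src, sizeof src, "%s/foo bar", dir);
    snprintf(dst, sizeof dst, "%s/somedir", dir);
    snprintf(out, sizeof out, "%s/foo bar", dst);
    FILE *f = fopen(src, "w");
    if (!f || fclose(f) != 0 || mkdir(dst, 0700) != 0) return -1;
    int rc = use_exec ? copy_via_exec(src, dst) : copy_via_system(src, dst);
    struct stat sb;
    int ok = (rc == 0 && stat(out, &sb) == 0);
    unlink(out); unlink(src); rmdir(dst); rmdir(dir);  /* tidy up the temp tree */
    return ok;
}

int main(void) {
    printf("system(): copied=%d\n", demo(0));
    printf("execlp(): copied=%d\n", demo(1));
    return 0;
}
```

In the system() variant cp receives "foo" and "bar" as two separate names, which matches the "cannot stat" output in the actual results above.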

