SANS ISC: InfoSec Handlers Diary Blog

OpenSSH scp Issue

Published: 2006-01-24
Last Updated: 2006-01-24 17:52:56 UTC
by David Goldsmith (Version: 1)

Secunia has released an advisory here that addresses an issue with the use of the "system()" function in scp.  Because scp hands its command line arguments to system(), special characters that were escaped on the command line go through shell expansion a second time and lose their escape character.  As a result, what was initially a valid filename can be interpreted as multiple filenames (pointing to non-existent files) or as additional commands (if the filename included a semicolon).

Additional details about the bug can be found in this Bugzilla post.

The latest version of OpenSSH, 4.2p1, is affected by this issue and a patch has not yet been made generally available.  Fedora has released updated RPMs for Fedora Core 4 that address this issue.  You can get more information about the Fedora updates here.

Here is an example from the Bugzilla post demonstrating the bug:

Steps to Reproduce:
1. touch foo\ bar (the \ escapes the space embedded in the filename)
2. mkdir somedir
3. scp foo\ bar somedir

Expected Results:
No message, the file copied
Actual Results:
cp: cannot stat `foo': No such file or directory
cp: cannot stat `bar': No such file or directory
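
The following C sketch is an added example, not code from OpenSSH or from the Bugzilla post. It replays the three steps above for a local copy, once by pasting the filename into a system() string (the pattern the advisory describes) and once by passing it as a single argv element with no shell involved. The function names, the temporary directory and the `2>/dev/null` redirect are assumptions made for the demonstration.

```c
#define _XOPEN_SOURCE 700            /* for mkdtemp() */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Pattern described in the diary: the filename is pasted into one string
 * and given to system(), so /bin/sh parses it a second time. */
static int copy_via_system(const char *src, const char *dst) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "cp %s %s 2>/dev/null", src, dst);
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* Hardened form: no shell; each filename is exactly one argv element. */
static int copy_via_exec(const char *src, const char *dst) {
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("cp", "cp", "--", src, dst, (char *)NULL);
        _exit(127);                  /* exec failed */
    }
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Constructed fixture following the Bugzilla steps. Returns 1 if
 * "somedir/foo bar" exists after the copy, 0 if not, -1 on setup error. */
int run_case(int hardened) {
    char dir[] = "/tmp/scpdemoXXXXXX";
    struct stat sb; FILE *f;
    if (!mkdtemp(dir) || chdir(dir) != 0) return -1;
    if (!(f = fopen("foo bar", "w"))) return -1;   /* 1. touch foo\ bar */
    fclose(f);
    if (mkdir("somedir", 0700) != 0) return -1;    /* 2. mkdir somedir  */
    if (hardened) copy_via_exec("foo bar", "somedir");   /* 3. the copy */
    else          copy_via_system("foo bar", "somedir");
    return stat("somedir/foo bar", &sb) == 0;
}

int main(void) {
    printf("system(): copied=%d\n", run_case(0));
    printf("execlp(): copied=%d\n", run_case(1));
    return 0;
}
```

Each call to run_case() leaves its scratch directory under /tmp so the result can be inspected afterwards.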



