OpenSSH scp Command Line Filename Processing Command Injection

2005-09-28T04:48:19
ID OSVDB:22692
Type osvdb
Reporter Josh Bressers
Modified 2005-09-28T04:48:19

Description

Vulnerability Description

OpenSSH contains a flaw that may allow an attacker to execute arbitrary commands. The flaw is due to the way OpenSSH's scp utility handles file names during local-to-local copies. During file name expansion, the utility does not properly sanitize file names, so a crafted file name containing shell meta-characters is accepted. This can be used to trick a user into executing arbitrary commands with a different set of (potentially higher) privileges.
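The class of flaw described above, shown as an added example (not OpenSSH source and not part of the original entry): a local copy whose file names are pasted into a shell command line, beside a form that hands each name to cp as a single argument. The function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Unsafe pattern: the names become part of a string that /bin/sh parses,
 * so shell meta-characters inside a name are read as shell syntax. */
int copy_via_shell(const char *src, const char *dst)
{
    char cmd[4096];
    int n = snprintf(cmd, sizeof cmd, "exec cp %s %s", src, dst);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;                /* refuse to run a truncated command */
    return system(cmd);
}

/* Hardened pattern: no shell is involved. Each name is exactly one argv
 * element, and "--" stops cp from reading a leading '-' as an option. */
int copy_via_exec(const char *src, const char *dst)
{
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        execlp("cp", "cp", "--", src, dst, (char *)NULL);
        _exit(127);               /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s SRC DST\n", argv[0]);
        return 2;
    }
    return copy_via_exec(argv[1], argv[2]);
}
```

A regression test for the hardened form copies a file whose name contains shell meta-characters and checks that the copy exists and that nothing else was created.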

Solution Description

Upgrade to version 4.3p1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor Specific News/Changelog Entry: http://bugs.gentoo.org/show_bug.cgi?id=119232
Vendor Specific News/Changelog Entry: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174026
Security Tracker: 1015540
Secunia Advisory ID: 18964, 21129, 21492, 23340, 18595, 18969, 21724, 23241, 25607, 18650, 18736, 18798, 18850, 18910, 19159, 21262, 25936, 18579, 18970, 20723, 22196, 23680
RedHat RHSA: RHSA-2006:0298, RHSA-2006:0698, RHSA-2006:0044
Other Advisory URL: http://www.openbsd.org/errata.html#ssh
Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200602-11.xml
Other Advisory URL: http://support.avaya.com/elmodocs2/security/ASA-2007-246.htm
Other Advisory URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102961-1
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-12/0091.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-12/0306.html
ISS X-Force ID: 24305
FrSIRT Advisory: ADV-2006-4869, ADV-2006-2490, ADV-2006-0306, ADV-2007-0930
CVE-2006-0225
Bugtraq ID: 16369