Stories
Slash Boxes
Comments

SoylentNews is people

posted by chromas on Tuesday January 15 2019, @09:50PM   Printer-friendly
from the all-your-files-are-belong-to-us dept.

Oh, SSH, IT Please see This: Malicious Servers can Fsck With Your PC's Files During scp Slurps

A decades-old oversight in the design of Secure Copy Protocol (SCP) tools can be exploited by malicious servers to unexpectedly alter victims' files on their client machines, it has emerged.

F-Secure's Harry Sintonen discovered a set of five CVE-listed vulnerabilities, which can be abused by evil servers to overwrite arbitrary files on a computer connected via SCP. If you use a vulnerable version of OpenSSH's scp, PuTTY's PSCP, or WinSCP, to securely transfer files from a remote server, that server may be able to secretly tamper with files on your local box that you do not expect the server to change.

[...] Sintonen explained that because rcp, on which scp is based, allows a server to control which files are sent, and without the scp client thoroughly checking it's getting its expected objects, an attacker can do things like overwrite the user's .bash_aliases file. This, in turn, would allow the attacker to run arbitrary commands on the victim's box when the user does routine stuff, like list a directory.

"Many scp clients fail to verify if the objects returned by the scp server match those it asked for. This issue dates back to 1983 and rcp, on which scp is based," Sintonen explained in his disclosure this month.

"A separate flaw in the client allows the target directory attributes to be changed arbitrarily. Finally, two vulnerabilities in clients may allow server to spoof the client output."

The CVE (Common Vulnerabilities and Exposures) reports are:

  • CVE-2018-20685
  • CVE-2019-6111
  • CVE-2018-20684
  • CVE-2019-6109
  • CVE-2019-6110

Only WinSCP seems to have released an update that fixes these.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Wednesday January 16 2019, @12:40AM (2 children)

    by Anonymous Coward on Wednesday January 16 2019, @12:40AM (#787136)

    I think a friend (who was developing in the penumbra of ssh) showed me this vulnerability ~10 years ago. By him controlling the server, my client had unwanted files written to my disk when I used scp.

    I had always wanted to ask him when he was going to report it, but I guess he never did.

  • (Score: 0) by Anonymous Coward on Wednesday January 16 2019, @02:29PM (1 child)

    by Anonymous Coward on Wednesday January 16 2019, @02:29PM (#787374)

    I guess the moral of the story is if you know a vulnerability, you report it.

    • (Score: 0) by Anonymous Coward on Wednesday January 16 2019, @03:35PM

      by Anonymous Coward on Wednesday January 16 2019, @03:35PM (#787404)

      I didn't want to snatch it from him just for some stolen glory.