
posted by chromas on Tuesday January 15 2019, @09:50PM
from the all-your-files-are-belong-to-us dept.

Oh, SSH, IT Please see This: Malicious Servers can Fsck With Your PC's Files During scp Slurps

A decades-old oversight in the design of Secure Copy Protocol (SCP) tools can be exploited by malicious servers to unexpectedly alter victims' files on their client machines, it has emerged.

F-Secure's Harry Sintonen discovered a set of five CVE-listed vulnerabilities, which can be abused by evil servers to overwrite arbitrary files on a computer connected via SCP. If you use a vulnerable version of OpenSSH's scp, PuTTY's PSCP, or WinSCP, to securely transfer files from a remote server, that server may be able to secretly tamper with files on your local box that you do not expect the server to change.

[...] Sintonen explained that because rcp, on which scp is based, allows a server to control which files are sent, and without the scp client thoroughly checking it's getting its expected objects, an attacker can do things like overwrite the user's .bash_aliases file. This, in turn, would allow the attacker to run arbitrary commands on the victim's box when the user does routine stuff, like list a directory.

"Many scp clients fail to verify if the objects returned by the scp server match those it asked for. This issue dates back to 1983 and rcp, on which scp is based," Sintonen explained in his disclosure this month.

"A separate flaw in the client allows the target directory attributes to be changed arbitrarily. Finally, two vulnerabilities in clients may allow server to spoof the client output."

The CVE (Common Vulnerabilities and Exposures) reports are:

  • CVE-2018-20685
  • CVE-2019-6111
  • CVE-2018-20684
  • CVE-2019-6109
  • CVE-2019-6110

Only WinSCP seems to have released an update that fixes these.
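All three flaw classes described above share one missing step on the client side: the server, not the client, names each object it sends, and the client creates, chmods and touches whatever it is told to without checking that it asked for it. The following is an added example written for this page, not code from the article, from F-Secure, or from OpenSSH, PuTTY or WinSCP: a hypothetical scp "sink"-side validator that checks every announced name against the request before anything is written locally, refuses the special names that would alter the target directory, and strips terminal control characters from server-supplied names and error text. The record layout it parses (C/D/E/T records and the \x01/\x02 error messages) is the real scp wire format; the function names, rejection rules and sample streams are constructed for the example. Comparing each announced name against the name or glob the user typed is the same idea OpenSSH later shipped in its 8.0 scp client.

```python
"""Client-side validation of scp control records (example code, not from any scp implementation)."""
import fnmatch
import re

# C/D records: "<kind><mode> <size> <name>", e.g. "C0644 5 notes.txt"
_OBJECT_RE = re.compile(r"([CD])([0-7]{4}) (\d+) (.*)")
# T records carry mtime/atime for the object that follows: "T<mtime> 0 <atime> 0"
_TIME_RE = re.compile(r"T(\d+) 0 (\d+) 0")
# Bytes a terminal would interpret: C0 controls (including ESC) and DEL.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


class ScpProtocolError(ValueError):
    """Raised when the server sends something the client did not ask for."""


def sanitize_for_terminal(text: str) -> str:
    """Neutralise control characters before echoing server-supplied text."""
    return _CONTROL.sub("?", text)


def check_name(name: str, pattern: str, top_level: bool) -> None:
    """Reject names that could touch anything other than the requested object."""
    if name in ("", ".", ".."):
        # "." or "" would make a naive client apply mode/times to the target directory itself.
        raise ScpProtocolError(f"special name {name!r} refused")
    if "/" in name:
        raise ScpProtocolError("name with path separator refused: " + sanitize_for_terminal(name))
    if _CONTROL.search(name):
        raise ScpProtocolError("name with control characters refused: " + sanitize_for_terminal(name))
    # fnmatch's '*' matches a leading dot, unlike a shell glob, so insist the
    # request itself named a dotfile before accepting one at the top level.
    if top_level and name.startswith(".") and not pattern.startswith("."):
        raise ScpProtocolError(f"hidden file {name!r} not covered by request {pattern!r}")
    if not fnmatch.fnmatchcase(name, pattern):
        raise ScpProtocolError(f"{name!r} does not match request {pattern!r}")


def parse_records(stream: bytes, requested: str) -> list:
    """Parse newline-terminated scp records; return accepted ones, raise on the first bad one."""
    accepted, pending_time, depth = [], None, 0
    for raw in stream.split(b"\n"):
        if not raw:
            continue
        line = raw.decode("utf-8", errors="replace")
        kind = line[0]
        if kind in ("\x01", "\x02"):  # server error text: sanitise, never trust
            accepted.append(("message", sanitize_for_terminal(line[1:])))
            if kind == "\x02":
                raise ScpProtocolError("fatal error reported by server")
        elif kind == "T":
            m = _TIME_RE.fullmatch(line)
            if not m:
                raise ScpProtocolError("malformed T record")
            pending_time = (int(m.group(1)), int(m.group(2)))
        elif kind == "E":
            if depth == 0:
                raise ScpProtocolError("E record without an open directory")
            depth -= 1
            accepted.append(("E",))
        else:
            m = _OBJECT_RE.fullmatch(line)
            if not m:
                raise ScpProtocolError("malformed record: " + sanitize_for_terminal(line))
            kind, mode, size, name = m.groups()
            # Entries inside an accepted directory only need the structural checks.
            check_name(name, requested if depth == 0 else "*", top_level=(depth == 0))
            if kind == "D":
                depth += 1
            accepted.append((kind, int(mode, 8), int(size), name, pending_time))
            pending_time = None
    return accepted


def audit(stream: bytes, requested: str):
    """Return None if every record is acceptable, otherwise the rejection reason."""
    try:
        parse_records(stream, requested)
    except ScpProtocolError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample streams: what the client asked for vs. what a hostile server sent.
    samples = [
        (b"C0644 5 notes.txt\n", "notes.txt"),               # honest answer
        (b"C0644 40 .bash_aliases\n", "notes.txt"),          # wrong object, would overwrite a dotfile
        (b"C0755 0 .\n", "notes.txt"),                       # target-directory attribute change
        (b"D0755 0 project\nC0644 3 ../x\nE\n", "project"),  # escape from the target directory
        (b"C0644 9 \x1b[2Kfoo.txt\n", "*.txt"),              # control characters to spoof output
    ]
    for stream, requested in samples:
        print(requested, "->", audit(stream, requested) or "ok")
```

Run the module directly to see each constructed stream audited. In a real client the same checks would run before any local open(), chmod() or utimes() call, and the sanitiser before any server-supplied text reaches the terminal; nested entries under an accepted directory still get the separator, control-character and special-name checks, only the request-pattern match is relaxed.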


  • (Score: 3, Informative) by MichaelDavidCrawford (2339) on Wednesday January 16 2019, @03:51AM (#787208)

    $ chroot /tmp/ /usr/bin/scp -P 109 ~/Desktop/MixTapes.txt satori@warplife.com:.

    That doesn't work on macOS Sierra I expect because of its kernel-level protection for vital files. I don't recall what it's called.

    I expect it would work to mount a disk image that had some non-Apple filesystem then chroot to there.

    For this to actually work, you'll need to copy /usr/bin/scp AND ALL ITS DEPENDENCIES to /Volumes/SmashTheState/. Setting all that up is somewhat tedious but not actually difficult.

    Now there _are_ ways to escape a chroot, but it's helpful if your chroot file tree does not have any shells or build tools. As well, the malware scp won't be expecting to be in chroot.

    Not at first anyway.

    I'll Send You My Bill In The Mail.

    --
    Yes I Have No Bananas. [gofundme.com]
  • (Score: 2) by MichaelDavidCrawford (2339) on Wednesday January 16 2019, @10:46AM (#787324)

    If I don't use sudo, I get operation not permitted. I _think_ that's perror()'s complaint about insufficient privileges.

    _With_ chroot, I get "killed 9". If that's a linking problem, I figured I would have got some other signal, but really I don't know.

    There are lots of HOWTOs on putting httpd in a jail; have a read of those and do all the same stuff for scp.

    --
    Yes I Have No Bananas. [gofundme.com]
  • (Score: 2) by MichaelDavidCrawford (2339) on Wednesday January 16 2019, @02:22PM (#787372)

    I _think_ it wasn't SIP giving me grief but that on macOS at least chroot must be run as root.

    To disable SIP, boot into Recovery Mode - search for how - then give the command # csrutil disable then reboot normally.

    I often disable SIP so I can test my unsigned drivers.

    --
    Yes I Have No Bananas. [gofundme.com]