what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SCP Server Verification Issues

SCP Server Verification Issues
Posted Jan 16, 2019
Authored by Harry Sintonen

Many scp clients fail to verify if the objects returned by the scp server match those it asked for. This issue dates back to 1983 and rcp, on which scp is based. A separate flaw in the client allows the target directory attributes to be changed arbitrarily. Finally, two vulnerabilities in clients may allow server to spoof the client output.

tags | advisory, spoof, vulnerability
advisories | CVE-2000-0992, CVE-2018-20684, CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111
SHA-256 | 7fa072fc8f371c8cc4668eb863810286b6651faaf3b8efdcdeee1bc7d0a40099

SCP Server Verification Issues

Change Mirror Download
scp client multiple vulnerabilities
===================================
The latest version of this advisory is available at:
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt


Overview
--------

SCP clients from multiple vendors are susceptible to a malicious scp server performing
unauthorized changes to target directory and/or client output manipulation.


Description
-----------

Many scp clients fail to verify if the objects returned by the scp server match those
it asked for. This issue dates back to 1983 and rcp, on which scp is based. A separate
flaw in the client allows the target directory attributes to be changed arbitrarily.
Finally, two vulnerabilities in clients may allow server to spoof the client output.


Impact
------

Malicious scp server can write arbitrary files to scp target directory, change the
target directory permissions and to spoof the client output.


Details
-------

The discovered vulnerabilities, described in more detail below, enables the attack
described here in brief.

1. The attacker controlled server or Man-in-the-Middle(*) attack drops .bash_aliases
file to victim's home directory when the victim performs scp operation from the
server. The transfer of extra files is hidden by sending ANSI control sequences
via stderr. For example:

user@local:~$ scp user@remote:readme.txt .
readme.txt 100% 494 1.6KB/s 00:00
user@local:~$

2. Once the victim launches a new shell, the malicious commands in .bash_aliases get
executed.


*) Man-in-the-Middle attack does require the victim to accept the wrong host
fingerprint.


Vulnerabilities
---------------

1. CWE-20: scp client improper directory name validation [CVE-2018-20685]

The scp client allows server to modify permissions of the target directory by using empty
("D0777 0 \n") or dot ("D0777 0 .\n") directory name.


2. CWE-20: scp client missing received object name validation [CVE-2019-6111]

Due to the scp implementation being derived from 1983 rcp [1], the server chooses which
files/directories are sent to the client. However, scp client only perform cursory
validation of the object name returned (only directory traversal attacks are prevented).
A malicious scp server can overwrite arbitrary files in the scp client target directory.
If recursive operation (-r) is performed, the server can manipulate subdirectories
as well (for example overwrite .ssh/authorized_keys).

The same vulnerability in WinSCP is known as CVE-2018-20684.


3. CWE-451: scp client spoofing via object name [CVE-2019-6109]

Due to missing character encoding in the progress display, the object name can be used
to manipulate the client output, for example to employ ANSI codes to hide additional
files being transferred.


4. CWE-451: scp client spoofing via stderr [CVE-2019-6110]

Due to accepting and displaying arbitrary stderr output from the scp server, a
malicious server can manipulate the client output, for example to employ ANSI codes
to hide additional files being transferred.


Proof-of-Concept
----------------

Proof of concept malicious scp server will be released at a later date.


Vulnerable versions
-------------------

The following software packages have some or all vulnerabilities:

ver #1 #2 #3 #4
OpenSSH scp <=7.9 x x x x
PuTTY PSCP ? - - x x
WinSCP scp mode <=5.13 - x - -

Tectia SSH scpg3 is not affected since it exclusively uses sftp protocol.


Mitigation
----------

1. OpenSSH

1.1 Switch to sftp if possible

1.2 Alternatively apply the following patch to harden scp against most server-side
manipulation attempts: https://sintonen.fi/advisories/scp-name-validator.patch

NOTE: This patch may cause problems if the the remote and local shells don't
agree on the way glob() pattern matching works. YMMV.

2. PuTTY

2.1 No fix is available yet

3. WinSCP

3.1. Upgrade to WinSCP 5.14 or later



Similar or prior work
---------------------

1. CVE-2000-0992 - scp overwrites arbitrary files


References
----------

1. https://www.jeffgeerling.com/blog/brief-history-ssh-and-remote-access


Credits
-------

The vulnerability was discovered by Harry Sintonen / F-Secure Corporation.


Timeline
--------

2018.08.08 initial discovery of vulnerabilities #1 and #2
2018.08.09 reported vulnerabilities #1 and #2 to OpenSSH
2018.08.10 OpenSSH acknowledged the vulnerabilities
2018.08.14 discovered & reported vulnerability #3 to OpenSSH
2018.08.15 discovered & reported vulnerability #4 to OpenSSH
2018.08.30 reported PSCP vulnerabilities (#3 and #4) to PuTTY developers
2018.08.31 reported WinSCP vulnerability (#2) to WinSCP developers
2018.09.04 WinSCP developers reported the vulnerability #2 fixed
2018.11.12 requested a status update from OpenSSH
2018.11.16 OpenSSH fixed vulnerability #1
2019.01.07 requested a status update from OpenSSH
2019.01.08 requested CVE assignments from MITRE
2019.01.10 received CVE assignments from MITRE
2019.01.11 public disclosure of the advisory
2019.01.14 added a warning about the potential issues caused by the patch


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close