bugzilla-daemon at bugzilla.mindrot.org
2012-Apr-17 21:12 UTC
[Bug 1998] New: Arbitrary command execution using SCP
https://bugzilla.mindrot.org/show_bug.cgi?id=1998
Bug #: 1998
Summary: Arbitrary command execution using SCP
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.8p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: security
Priority: P2
Component: scp
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: vitja.makarov at gmail.com
Hi!
I'm not sure whether this is a bug or a feature. Since SCP doesn't escape
filenames, it's possible to execute an arbitrary command:
localhost:~$ scp 'mchome:foo;echo 123 > foo' /tmp/foo
scp: foo: No such file or directory
localhost:~$ scp 'mchome:foo;echo 123 > foo' /tmp/foo
foo
100% 4 0.0KB/s 00:00
localhost:~$ cat /tmp/foo
123
I've traced it, and it seems to me that scp is executing the following
command on the remote side:
scp -f -- foo;echo 123 > foo
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2012-Apr-17 21:21 UTC
[Bug 1998] Arbitrary command execution using SCP
https://bugzilla.mindrot.org/show_bug.cgi?id=1998
Vitja Makarov <vitja.makarov at gmail.com> changed:
What | Removed | Added
-----|---------|---------------------------
CC   |         | vitja.makarov at gmail.com
bugzilla-daemon at bugzilla.mindrot.org
2012-May-19 05:18 UTC
[Bug 1998] Arbitrary command execution using SCP
https://bugzilla.mindrot.org/show_bug.cgi?id=1998
Darren Tucker <dtucker at zip.com.au> changed:
What | Removed | Added
-----|---------|----------------------
CC   |         | dtucker at zip.com.au
--- Comment #1 from Darren Tucker <dtucker at zip.com.au> 2012-05-19 15:18:43 EST ---
The client-side scp can't escape the filenames because it does not know
what shell is on the other end or what its quoting rules are (and
"fixing" this on the client side doesn't help security anyway).
The command gets run by the remote shell regardless of what the remote
scp does (you can delete scp from the remote side entirely and it'll
still happen). If you want to prevent this, you need to enforce it in
the remote shell, e.g. with a restricted shell of some type (scponly and
rssh are examples I'm aware of, but I can't vouch for them).
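The report shows the remote shell receiving `scp -f -- foo;echo 123 > foo` verbatim, and Darren's comment says the only effective place to enforce anything is the remote side. As an added illustration (not code from the bug thread or from OpenSSH, scponly or rssh), the script below is a hypothetical ForceCommand wrapper for an scp-only account: sshd is assumed to run it with the client's requested command in SSH_ORIGINAL_COMMAND, and it only execs a plain scp transfer confined to an assumed /srv/scp directory, rejecting the injected command from the report.

```python
"""Hypothetical forced-command guard for an scp-only account (added example).
Assumed deployment: sshd_config 'ForceCommand /usr/local/bin/scp-guard' so
that this script sees the raw client request in SSH_ORIGINAL_COMMAND."""
import os
import shlex
import sys
from typing import List, Optional

# Characters a login shell would interpret. A file path sent by the OpenSSH
# client never needs them, so any occurrence is treated as a policy violation
# rather than something to "escape" (which the client cannot do safely).
SHELL_META = set(";|&$`<>()\n\\\"'")
ALLOWED_FLAGS = {"-f", "-t", "-r", "-p", "-d", "-v", "--"}  # assumed policy

def check_scp_command(cmd: str, root: str = "/srv/scp") -> Optional[List[str]]:
    """Return the argv to exec if cmd is an acceptable scp request, else None."""
    root = os.path.realpath(root)
    if any(ch in SHELL_META for ch in cmd):
        return None
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quoting
        return None
    if not argv or argv[0] != "scp":
        return None
    flags, paths = [], []
    for arg in argv[1:]:
        if arg.startswith("-"):
            if arg not in ALLOWED_FLAGS:
                return None
            flags.append(arg)
        else:
            paths.append(arg)
    # Exactly one path, and the request must be a real send (-f) or receive (-t).
    if len(paths) != 1 or not ({"-f", "-t"} & set(flags)):
        return None
    # Confine the path to the account's directory; realpath collapses "..".
    full = os.path.realpath(os.path.join(root, paths[0]))
    if full != root and not full.startswith(root + os.sep):
        return None
    return ["scp"] + flags + [full]

if __name__ == "__main__":
    argv = check_scp_command(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    if argv is None:
        sys.exit("rejected: only plain scp file transfers are permitted")
    os.execvp(argv[0], argv)  # no shell in the path, so nothing is re-parsed
```

Because the wrapper execs scp directly instead of handing the string to a shell, the metacharacter check is belt-and-braces; the path confinement is what keeps the account from reading or writing outside its directory.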