On Mon, 4 Nov 2019, David Newall wrote:
> On 4/11/19 3:29 am, Demi M. Obenour wrote:
> > I have not been able to get scp(1) to download a file with a newline
> > in its name. I know that scp(1) requires that remote filenames be
> > escaped for the shell, but that leads to protocol errors.
>
> I see something much worse:
>
> $ sudo sh
> # echo "#!/bin/sh
> touch /tmp/b-ran" > /tmp/b
> # chmod a+x /tmp/b
> # exit
> $ touch a 'a
> b'
> $ rm -f abc /tmp/b-ran
> $ scp localhost:'a
> b' abc
> a 100% 0 0.0KB/s 00:00
> $ ls /tmp/b-ran
> /tmp/b-ran
>
> Scp can be exploited to run commands, which I think is a problem.

scp isn't being exploited, you're just running commands in your own remote shell and all interpretation happens there - scp never sees those characters.

This "feature" dates back to rcp from 1981 (scp is rcp in a nicer pair of shoes) and isn't fixable without breaking scp's "protocol".

-d
On 4/11/19 12:37 pm, Damien Miller wrote:
> scp isn't being exploited, you're just running commands in your own
> remote shell and all interpretation happens there - scp never sees
> those characters.

I already understood what was going on. The issue is, scp promises to "cop[y] files between hosts on a network [using] ssh for data transfer." It does not promise to also execute arbitrary commands. When a file copy program is used to execute arbitrary commands, that seems to almost be the definition of an exploit.

The poor quality of command parsing (I mean, the clumsy and awkward need to quote and escape characters, even though the shell has already given scp individual arguments) suggests why scp can be exploited in that manner. Although scp is speaking to sshd, obviously somewhere along the line one of the components is translating that into a shell command line and thus losing the identity of arguments. That's just awful, and I should have thought it was not at all necessary. Am I missing something?
On Mon, 4 Nov 2019 at 14:07, David Newall <openssh at davidnewall.com> wrote:
> [about scp] That's just awful, and I should have
> thought it was not at all necessary. Am I missing something?

If you're saying that the scp protocol is an unfixable mess then the openssh team has been agreeing[0] with you for at least a decade and a half. We fix what we can, but some parts can't be fixed.

[0] e.g. https://marc.info/?l=openssh-unix-dev&m=104157774216425&w=2

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
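A defensive illustration of the point made in this thread, added here and not part of the original exchange or of OpenSSH itself: the part of a remote path after the colon is handed to a shell on the remote host, so a caller invoking scp must quote it for that shell, and names containing a newline cannot be carried at all because the scp protocol is line-delimited. The function and class names below are this example's own assumptions.

```python
import re
import shlex
from typing import List

# scp runs roughly "ssh host scp -f <path>" and inserts the path verbatim into
# that command line, so the remote shell interprets any metacharacters in it.
# Separately, the scp protocol's file header is one line per file, so a name
# holding CR or LF breaks the protocol even when it is quoted correctly.
_UNCARRIABLE = re.compile(r"[\r\n]")


class UnsafeRemotePath(ValueError):
    """Raised for a remote name that scp cannot transfer safely."""


def is_carriable(path: str) -> bool:
    """True if the scp protocol can represent this name at all."""
    return _UNCARRIABLE.search(path) is None


def quote_remote_path(path: str) -> str:
    """Return PATH single-quoted for the remote POSIX shell.

    Quoting makes '$(...)', spaces and similar characters literal on the
    remote side; newline-bearing names are rejected outright because the
    protocol cannot carry them (the "protocol errors" seen in the thread).
    """
    if not is_carriable(path):
        raise UnsafeRemotePath(f"scp cannot carry this name: {path!r}")
    return shlex.quote(path)


def build_scp_download(host: str, remote_path: str, local_path: str) -> List[str]:
    """Assemble an argv that fetches host:remote_path to local_path.

    Only the remote path passes through a remote shell, so only it is
    quoted; '--' keeps a name beginning with '-' from being read as an
    option. The host is checked because it becomes an ssh argument too.
    """
    if not host or host.startswith("-") or re.search(r"[\s:]", host):
        raise ValueError(f"refusing suspicious host: {host!r}")
    return ["scp", "--", f"{host}:{quote_remote_path(remote_path)}", local_path]
```

With this wrapper the thread's `'a\nb'` name is refused before scp is ever invoked, while a name such as `a b` or `$(id)` reaches the remote shell as a single literal argument.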