
Bug 119232

Summary: net-misc/{openssh|dropbear} metacharacter expansion in scp (CVE-2006-0225)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: frilled, matsuu, wolf31o2
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://bugzilla.mindrot.org/show_bug.cgi?id=1094
Whiteboard: A3 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen gentoo-dev 2006-01-16 14:20:39 UTC
Patch on referenced URL.

----

scp currently implements local-to-local copy by constructing a command line
using 'cp' in a string and then using system(). It has the problem that the file
name is exposed twice to shell expansion. The file name could contain characters
which need quoting, like $ or spaces. This second expansion must be avoided.

Steps to Reproduce:
1. touch foo\ bar
2. mkdir somedir
3. scp foo\ bar somedir
  
Actual results:
cp: cannot stat `foo': No such file or directory
cp: cannot stat `bar': No such file or directory

This can be even a security issue although with a fairly low severity:
bress@link:/tmp/josh% ls -l
total 4
drwxrwxr-x  2 bress bress 4096 Sep 19 14:51 a
-rw-rw-r--  1 bress bress    0 Sep 19 14:51 `touch feh`
bress@link:/tmp/josh% scp * a
cp: omitting directory `a'
cp: missing destination file
Try `cp --help' for more information.
zsh: exit 1     scp * a
bress@link:/tmp/josh% ls -l
total 4
drwxrwxr-x  2 bress bress 4096 Sep 19 14:51 a
-rw-rw-r--  1 bress bress    0 Sep 19 14:52 feh
-rw-rw-r--  1 bress bress    0 Sep 19 14:51 `touch feh`

Proposed solution: replace system() with fork+exec()
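The local-to-local copy path described in the report, shown as an added example that is not OpenSSH or dropbear code: build_cp_command() produces the string the pre-patch system() call would hand to /bin/sh (it only builds the string and never runs it), and copy_via_exec() is the fork+exec replacement the reporter proposes, passing each file name to cp as one literal argv entry. The function names, the demo() self-check and its temporary file are constructed for this illustration; the only assumption is a POSIX system with cp on PATH.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/stat.h>

/* Unsafe pattern (mirrors the bug): file names are interpolated into a shell
 * command line, so every metacharacter in them ($, space, backtick, ;) is
 * interpreted a second time by /bin/sh when system() runs it.
 * This helper only builds the string for inspection; it never calls system().
 * Returns the length written, or -1 if the buffer is too small. */
int build_cp_command(const char *src, const char *dst, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "cp -p %s %s", src, dst);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Returns 1 if the command string contains a character /bin/sh would treat
 * specially, i.e. the file name would be re-interpreted rather than copied. */
int has_shell_metachar(const char *cmd) {
    return strpbrk(cmd, "`$;|&<>()\n") != NULL;
}

/* Safe pattern (what the fix does): fork, then exec cp with an argument
 * vector. No shell is involved, so "foo bar" or "`touch feh`" reaches cp as a
 * single literal argument. "--" stops cp from parsing a name as an option.
 * Returns cp's exit status, or -1 if fork/exec/wait failed. */
int copy_via_exec(const char *src, const char *dst) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "cp", "-p", "--", (char *)src, (char *)dst, NULL };
        execvp("cp", argv);
        _exit(127);                       /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check (constructed): create a file whose name contains a backtick
 * command and a space inside a fresh temp dir, copy it with copy_via_exec(),
 * and verify the copy has the same 8 bytes. Returns 1 on success. */
int demo(void) {
    char dir[] = "/tmp/scpdemoXXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char src[512], dst[512];
    snprintf(src, sizeof src, "%s/`touch feh` x", dir);
    snprintf(dst, sizeof dst, "%s/copy", dir);
    FILE *f = fopen(src, "w");
    if (!f)
        return 0;
    fputs("payload\n", f);
    fclose(f);
    int rc = copy_via_exec(src, dst);
    struct stat st;
    int ok = (rc == 0 && stat(dst, &st) == 0 && st.st_size == 8);
    unlink(src);
    unlink(dst);
    rmdir(dir);
    return ok;
}

int main(void) {
    char cmd[256];
    build_cp_command("`touch feh`", "a", cmd, sizeof cmd);
    printf("system() would see: %s   (shell metachar present: %d)\n",
           cmd, has_shell_metachar(cmd));
    printf("fork+exec copy succeeded: %d\n", demo());
    return 0;
}
```

The contrast is the whole point of the proposed fix: with system() the name `` `touch feh` `` becomes part of a shell command and the shell runs it before cp ever sees an argument, whereas with execvp() the same bytes are just argv[3] and cp treats them as a path.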
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2006-01-16 23:29:45 UTC
AFAIR dropbear uses the same code for scp, vapier please advise.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-01-18 06:48:21 UTC
Not sure this should be considered a bug. Sounds like a feature to me.
Comment 3 solar (RETIRED) gentoo-dev 2006-01-18 06:51:58 UTC
(In reply to comment #2)
> Not sure this should be considered a bug. Sounds like a feature to me.

This sounds like a feature to me also. I'd say we should wait on upstream and see if they move on it.

Comment 4 SpanKY gentoo-dev 2006-01-18 06:58:05 UTC
user isn't reporting that expansion is bad, he's reporting that it gets expanded twice ... which looks like a bug to me
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-01-18 07:14:16 UTC
OK, I'll rephrase. That doesn't sound like a vulnerability to me. More a buggy feature. Quoting Solar Designer: "Anyone passing untrusted input onto scp's command line is asking for trouble."
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2006-01-18 07:16:10 UTC
Also from vendor-sec, it appears to be the OpenSSH project position as well: not a vulnerability and scp can't be fixed.
Comment 7 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2006-01-24 21:52:39 UTC
Secunia Advisory: SA18579

TITLE:
OpenSSH scp Command Line Shell Command Injection

SECUNIA ADVISORY ID:
SA18579

RELEASE DATE:
2006-01-24

VERIFY ADVISORY:
http://secunia.com/advisories/18579/

CRITICAL:
Not critical

WHERE:
Local system

IMPACT:
Privilege escalation

SOFTWARE:
OpenSSH 3.x
OpenSSH 4.x

DESCRIPTION:
Josh Bressers has reported a weakness in OpenSSH, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

The weakness is caused due to the insecure use of the "system()" function in scp when performing copy operations using filenames that are supplied by the user from the command line. This can be exploited to execute shell commands with privileges of the user running scp.

Successful exploitation requires that the user is e.g. tricked into using scp to copy a file with a specially crafted filename.

The weakness has been confirmed in version 4.2p1. Other versions may also be affected.

SOLUTION:
Do not use scp to copy files containing potentially malicious filenames.

Some Linux vendors have issued updated packages.

REPORTED BY CREDITS:
Josh Bressers

ORIGINAL ADVISORY:
Red Hat Bugzilla:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174026

Comment 8 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2006-01-24 21:53:51 UTC
fyi fedora patched their openssh: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168167
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2006-01-25 13:22:30 UTC
base-system please advise.
Comment 10 SpanKY gentoo-dev 2006-01-25 14:38:41 UTC
as i said on irc, i think it's safe to just wait for upstream to either accept or reject the change
Comment 11 SpanKY gentoo-dev 2006-01-31 19:27:31 UTC
openssh 4.2p1-r1 in portage with patch from upstream cvs
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2006-02-01 01:49:33 UTC
vapier, what about dropbear? afair it uses the same code for scp.
Comment 13 SpanKY gentoo-dev 2006-02-01 17:24:49 UTC
tweaked the patch to work with dropbear and added 0.47-r1
Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2006-02-01 22:46:00 UTC
Arches please test and mark stable.
Comment 15 Simon Stelling (RETIRED) gentoo-dev 2006-02-02 04:37:57 UTC
glad this got fixed, finally i can use bash completion again when scp'ing my mp3s from one box to another ;)

amd64 stable
Comment 16 Gustavo Zacarias (RETIRED) gentoo-dev 2006-02-02 09:45:20 UTC
sparc'em.
Comment 17 Mark Loeser (RETIRED) gentoo-dev 2006-02-02 11:24:46 UTC
x86 done
Comment 18 René Nussbaumer (RETIRED) gentoo-dev 2006-02-02 13:32:35 UTC
Stable on hppa
Comment 19 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2006-02-02 17:35:51 UTC
both stable on alpha.
Comment 20 Tobias Scherbaum (RETIRED) gentoo-dev 2006-02-03 10:23:54 UTC
dropbear marked ppc stable
Comment 21 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-03 10:51:59 UTC
ready for glsa vote, i say yes.
Comment 22 Markus Rothe (RETIRED) gentoo-dev 2006-02-03 11:14:50 UTC
stable on ppc64
Comment 23 Sune Kloppenborg Jeppesen gentoo-dev 2006-02-03 11:27:32 UTC
I tend to vote YES.
Comment 24 Wolf Giesen (RETIRED) gentoo-dev 2006-02-13 04:00:39 UTC
It seems the "scponly" package is also affected (no wonder) ... somebody care to comment?
Comment 25 Tavis Ormandy (RETIRED) gentoo-dev 2006-02-13 07:16:28 UTC
Matsuu, you seem to be scponly maintainer, any comment regarding comment #24 ?
Comment 26 Joshua Kinard gentoo-dev 2006-02-19 11:13:43 UTC
mips stable on openssh & dropbear.
Comment 27 Thierry Carrez (RETIRED) gentoo-dev 2006-02-20 12:01:14 UTC
scponly looks OK to me. In all cases it would be a different bug/CVE since the codebases are quite different. Please submit any evidence into a new bug.

Ready for GLSA
Comment 28 Thierry Carrez (RETIRED) gentoo-dev 2006-02-20 12:55:01 UTC
GLSA 200602-11