Bugtraq: Re: scp file transfer hole

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: scp file transfer hole

From: stanislav shalunov <shalunov () INTERNET2 EDU>
Date: Sun, 1 Oct 2000 00:43:39 -0400

Michal Zalewski <lcamtuf () TPI PL> writes:

When you are scp'ing files from remote machine to your local computer,
modified scp service on the second endpoint can spoof legitimate scp data,
overwriting arbitrary files.


OpenSSH-1.2.1 appears to create the file wherever you tell it to, but
refuses to set setuid bit on it.

That's not quite as bad as SSH 1.2 (which will even conveniently allow
setting arbitrary file mode), but you can still overwrite
~/.ssh/authorized_keys or similar files to the same effect, as you
point you.

Very disturbing--this is supposed to be security software.

--
Stanislav Shalunov <shalunov () internet2 edu>  Internet Engineer, Internet2

A language that doesn't have everything is actually easier to program
in than some that do.                            -- Dennis M. Ritchie

By Date By Thread

Current thread:

Re: scp file transfer hole stanislav shalunov (Oct 01)
- rcp file transfer hole (was: scp file transfer hole) Markus Friedl (Oct 02)
  - Re: rcp file transfer hole (was: scp file transfer hole) Crist Clark (Oct 02)
  - Re: rcp file transfer hole (was: scp file transfer hole) Jan Niehusmann (Oct 02)
    - Re: rcp file transfer hole (was: scp file transfer hole) Scott Gifford (Oct 03)
    - Re: rcp file transfer hole (was: scp file transfer hole) Peter J . Holzer (Oct 03)