
Re: scp file transfer hole

daemon@ATHENA.MIT.EDU (stanislav shalunov)
Sun Oct 1 12:35:50 2000

Message-Id:  <87em21kw78.fsf@cain.internet2.edu>
Date:         Sun, 1 Oct 2000 00:43:39 -0400
Reply-To: stanislav shalunov <shalunov@INTERNET2.EDU>
From: stanislav shalunov <shalunov@INTERNET2.EDU>
X-To:         Michal Zalewski <lcamtuf@TPI.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.10.10009302120460.852-100000@localhost>

Michal Zalewski <lcamtuf@TPI.PL> writes:

> When you are scp'ing files from remote machine to your local computer,
> modified scp service on the second endpoint can spoof legitimate scp data,
> overwriting arbitrary files.

OpenSSH-1.2.1 appears to create the file wherever you tell it to, but
refuses to set setuid bit on it.

That's not quite as bad as SSH 1.2 (which will even conveniently allow
setting arbitrary file mode), but you can still overwrite
~/.ssh/authorized_keys or similar files to the same effect, as you
point out.

Very disturbing--this is supposed to be security software.

--
Stanislav Shalunov <shalunov@internet2.edu>	Internet Engineer, Internet2

A language that doesn't have everything is actually easier to program
in than some that do.                            -- Dennis M. Ritchie
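The problem both posts describe is that the scp sink writes wherever the
remote source tells it to. The following is an added illustration, not code
from OpenSSH or from either poster: a small Python vetting step for the
"C"/"D" control records of the scp wire protocol (`<type><mode> <length>
<name>`) that rejects any name which is not a plain basename, and strips the
setuid bit the way the message says OpenSSH 1.2.1 does (the mask here also
drops setgid and sticky, which is this example's own choice). The record
strings, the `/tmp/incoming` destination and the function names are all
constructed for the example; "T" and "E" records are not handled.

```python
import os
import re

# Constructed sample records, as an scp source would send them to the sink.
# Wire format for file/directory records: <type><mode> <length> <name>
SAMPLE_RECORDS = [
    "C0644 12 notes.txt",                # honest record
    "C4755 100 rootme",                  # asks for the setuid bit
    "C0600 40 ../.ssh/authorized_keys",  # path escape via dot-dot
    "C0600 40 .ssh/authorized_keys",     # slash inside the name
    "D0755 0 ..",                        # dot-dot as a directory name
]

# type letter, four octal mode digits, decimal length, then the name.
_RECORD_RE = re.compile(r"^([CD])([0-7]{4}) (\d+) (.+)$")


class ScpRecordError(ValueError):
    """Raised when a control record is malformed or must not be honoured."""


def parse_record(line):
    """Parse one 'C' or 'D' record into (kind, mode, length, name)."""
    m = _RECORD_RE.match(line.rstrip("\n"))
    if not m:
        raise ScpRecordError(f"malformed record: {line!r}")
    kind, mode_s, length_s, name = m.groups()
    return kind, int(mode_s, 8), int(length_s), name


def safe_name(name):
    """True only if name is a plain basename that cannot leave the
    destination directory: no slash, no NUL/newline, not '.' or '..'."""
    if name in ("", ".", ".."):
        return False
    if "/" in name or "\0" in name or "\n" in name:
        return False
    return True


def sanitize_mode(mode):
    """Keep only rwx permission bits; setuid, setgid and sticky are dropped
    (example policy, broader than the setuid-only refusal the mail reports)."""
    return mode & 0o777


def vet_record(line, dest_dir):
    """Return (path, mode) the sink may create for this record, or raise
    ScpRecordError when the record must be rejected."""
    _kind, mode, _length, name = parse_record(line)
    if not safe_name(name):
        raise ScpRecordError(f"rejected unsafe name {name!r}")
    return os.path.join(dest_dir, name), sanitize_mode(mode)


def vet_all(lines, dest_dir):
    """Vet a sequence of records; returns (accepted, rejected) lists."""
    accepted, rejected = [], []
    for line in lines:
        try:
            accepted.append(vet_record(line, dest_dir))
        except ScpRecordError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = vet_all(SAMPLE_RECORDS, "/tmp/incoming")
    for path, mode in ok:
        print(f"accept {path} mode {mode:04o}")
    for line, why in bad:
        print(f"reject {line!r}: {why}")
```

Run against the constructed records, only `notes.txt` and `rootme` survive,
and `rootme` comes back with mode 0755 rather than 4755; the three records
that try to steer the write into `.ssh/` are refused before any path is
opened. A sink that keeps the check this strict also has to make sure the
name it received is the one it asked for, which is a separate comparison
this example does not perform.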
