[17005] in bugtraq
Re: rcp file transfer hole (was: scp file transfer hole)
daemon@ATHENA.MIT.EDU (Crist Clark)
Tue Oct 3 00:34:56 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <39D8C8D1.5917603C@globalstar.com>
Date: Mon, 2 Oct 2000 10:41:37 -0700
Reply-To: Crist Clark <crist.clark@GLOBALSTAR.COM>
From: Crist Clark <crist.clark@GLOBALSTAR.COM>
X-To: Markus Friedl <Markus.Friedl@INFORMATIK.UNI-ERLANGEN.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Markus Friedl wrote:
>
> On Sat, Sep 30, 2000 at 09:21:17PM +0200, Michal Zalewski wrote:
> > This issue appears quite often - tar suffers from problem of this kind as
> > well (using cute symlink tricks, you can create an archive, which, when
> > unpacked, can overwrite or create specific files anywhere in your
> > filesystem). This time, similar scp vulnerability has been found and
> > acknowledged in sshd 1.2.xx releases (no information on 2.0.xx).
>
> well, this is not a scp problem. it's a rcp problem. scp is nothing
> but the plain old rcp protocol over ssh instead of rsh, in the same
> way you can do 'cvs' or 'rsync' over ssh.
>
> so all secure-shell's derived from the original ssh-1.2.x releases
> suffer from this problem (including openssh). however, ssh-2.x uses a
> different protocol and is not vulnerable to this specific bug.
>
> how should this be fixed in a reasonable way? i don't think questions
> similar to "do you really want to create /bla/bla/bla? (yes/no)" would
> be useful.
Well, some of the more paranoid may think it is, and it seems like it is
the only reasonable solution to the "problem."
It does not seem like it would be some herculean effort (but note no patches
are attached) to make an ssh _option_ similar to,
$ /bin/cp -i file1 file2
The '-i' option is commonly implemented on 'cp,' 'rm,' and 'mv.' The local
default of the option could be configured on a per-host basis in
~/.ssh/config and the global ssh_config, and a command line option could
be added (but '-i' is already taken). Obviously, if it can be configured
in ~/.ssh/config, one can set root's default explicitly.
As for a workaround,
$ ssh remote-host "tar cf - <file or directory list>" > ssh_tmp.tar
$ tar tvf ssh_tmp.tar
[check for suspicious paths or files]
$ tar xf ssh_tmp.tar && rm ssh_tmp.tar
You can grab the files and check before you untar. (Actually, I tend to
do this over 'scp -r' since I also tend to use piped tars in series
over 'cp -r.' Not sure how I got into that habit.)
Overall, I do not find this particularly frightening since I seldom log
onto untrusted machines and I rarely, if ever, use scp when I am a privileged
user. And if I were to worry about the risks of logging into a compromised
ssh server, I think there are bigger threats than a compromised scp like
X11 forwarding, stealing a password for the system, or crashing my
pseudo-terminal.
--
Crist J. Clark Network Security Engineer
crist.clark@globalstar.com Globalstar, L.P.
(408) 933-4387 FAX: (408) 933-4926
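The "check for suspicious paths or files" step in the tar workaround above can be scripted. The following is an added example, not code from the original post or from any ssh implementation: it reads a list of archive member names (as `tar tf` prints them) and flags any name that is absolute or contains a `..` component, which are exactly the names that would let an archive, or an rcp/scp sender, write outside the directory the receiver intended. The sample listing at the bottom is constructed for the demonstration; `check_archive` is a hypothetical wrapper that runs the check against a real tarball.

```shell
#!/bin/sh
# Added example (not from the original post): vet a tar member list before
# extracting it.  The same rule, "a sender-supplied name must be a plain
# relative name with no '..' component", is the check the rcp receiver lacks.

# is_safe_path NAME: exit 0 if NAME is relative and has no '..' component,
# exit 1 otherwise.
is_safe_path() {
    p=$1
    [ -n "$p" ] || return 1          # empty name is never acceptable
    case "$p" in
        /*) return 1 ;;              # absolute path: could land anywhere on the filesystem
    esac
    old_ifs=$IFS
    IFS=/
    set -f                           # disable globbing while we split on '/'
    set -- $p                        # positional parameters become the path components
    set +f
    IFS=$old_ifs
    for comp in "$@"; do
        [ "$comp" != ".." ] || return 1   # traversal component
    done
    return 0
}

# check_listing: read member names from stdin, one per line; print each
# unsafe name prefixed with "UNSAFE:" and exit 1 if any was found.
check_listing() {
    bad=0
    while IFS= read -r name; do
        if ! is_safe_path "$name"; then
            echo "UNSAFE: $name"
            bad=1
        fi
    done
    return $bad
}

# check_archive FILE (hypothetical wrapper): list the tarball and run the
# check; extract only if it returns 0, mirroring the tvf/xf steps in the post.
check_archive() {
    tar tf "$1" | check_listing
}

# Constructed sample listing, not taken from any real archive.  Three of the
# five entries would escape the extraction directory.
SAMPLE_LISTING='etc/motd
docs/readme.txt
../../.ssh/authorized_keys
/etc/passwd
build/../x'

# demo: run the check over the constructed listing (exit 1, three UNSAFE lines).
demo() {
    printf '%s\n' "$SAMPLE_LISTING" | check_listing
}
```

Usage would be `check_archive ssh_tmp.tar && tar xf ssh_tmp.tar`. Note that `tar tf` prints names only; the symlink trick Zalewski mentions needs the `tar tvf` listing, where the leading `l` in the mode column marks a link whose target should be inspected the same way. The check is deliberately conservative: `build/../x` resolves inside the directory, but a `..` anywhere in a received name is reason enough to refuse it.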