https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt

Vulnerabilities
---------------

1. CWE-20: scp client improper directory name validation [CVE-2018-20685]

The scp client allows the server to modify the permissions of the target directory by
sending a directory header with an empty ("D0777 0 \n") or dot ("D0777 0 .\n") directory
name: the mode from that header is applied to the directory the client is writing into.


2. CWE-20: scp client missing received object name validation [CVE-2019-6111]

Because the scp implementation is derived from the 1983 rcp [1], the server chooses which
files/directories are sent to the client. The scp client, however, performs only cursory
validation of the object names it receives (only directory traversal attacks are
prevented). A malicious scp server can therefore overwrite arbitrary files in the scp
client target directory. If a recursive operation (-r) is performed, the server can
manipulate subdirectories as well (for example overwrite .ssh/authorized_keys).

The same vulnerability in WinSCP is known as CVE-2018-20684.


3. CWE-451: scp client spoofing via object name [CVE-2019-6109]

Because the progress display does not escape or encode the object name, the name can be
used to manipulate the client output, for example with ANSI escape sequences that hide
the additional files being transferred.


4. CWE-451: scp client spoofing via stderr [CVE-2019-6110]

Because the client accepts and displays arbitrary stderr output from the scp server, a
malicious server can manipulate the client output, for example with ANSI escape
sequences that hide the additional files being transferred.