| | 1 | https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt |
| | 2 | |
| | 3 | Vulnerabilities |
| | 4 | --------------- |
| | 5 | |
| | 6 | 1. CWE-20: scp client improper directory name validation [CVE-2018-20685] |
| | 7 | |
| | 8 | The scp client allows server to modify permissions of the target directory by using empty |
| | 9 | ("D0777 0 \n") or dot ("D0777 0 .\n") directory name. |
| | 10 | |
| | 11 | |
| | 12 | 2. CWE-20: scp client missing received object name validation [CVE-2019-6111] |
| | 13 | |
| | 14 | Due to the scp implementation being derived from 1983 rcp [1], the server chooses which |
| | 15 | files/directories are sent to the client. However, scp client only perform cursory |
| | 16 | validation of the object name returned (only directory traversal attacks are prevented). |
| | 17 | A malicious scp server can overwrite arbitrary files in the scp client target directory. |
| | 18 | If recursive operation (-r) is performed, the server can manipulate subdirectories |
| | 19 | as well (for example overwrite .ssh/authorized_keys). |
| | 20 | |
| | 21 | The same vulnerability in WinSCP is known as CVE-2018-20684. |
| | 22 | |
| | 23 | |
| | 24 | 3. CWE-451: scp client spoofing via object name [CVE-2019-6109] |
| | 25 | |
| | 26 | Due to missing character encoding in the progress display, the object name can be used |
| | 27 | to manipulate the client output, for example to employ ANSI codes to hide additional |
| | 28 | files being transferred. |
| | 29 | |
| | 30 | |
| | 31 | 4. CWE-451: scp client spoofing via stderr [CVE-2019-6110] |
| | 32 | |
| | 33 | Due to accepting and displaying arbitrary stderr output from the scp server, a |
| | 34 | malicious server can manipulate the client output, for example to employ ANSI codes |
| | 35 | to hide additional files being transferred. |
