https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt

Vulnerabilities
---------------

1. CWE-20: scp client improper directory name validation [CVE-2018-20685]

The scp client allows the server to modify permissions of the target directory by using an empty
("D0777 0 \n") or dot ("D0777 0 .\n") directory name.


2. CWE-20: scp client missing received object name validation [CVE-2019-6111]

Due to the scp implementation being derived from 1983 rcp [1], the server chooses which
files/directories are sent to the client. However, the scp client only performs cursory
validation of the object name returned (only directory traversal attacks are prevented).
A malicious scp server can overwrite arbitrary files in the scp client target directory.
If a recursive operation (-r) is performed, the server can manipulate subdirectories
as well (for example overwrite .ssh/authorized_keys).

The same vulnerability in WinSCP is known as CVE-2018-20684.


3. CWE-451: scp client spoofing via object name [CVE-2019-6109]

Due to missing character encoding in the progress display, the object name can be used
to manipulate the client output, for example to employ ANSI codes to hide additional
files being transferred.


4. CWE-451: scp client spoofing via stderr [CVE-2019-6110]

Due to accepting and displaying arbitrary stderr output from the scp server, a
malicious server can manipulate the client output, for example to employ ANSI codes
to hide additional files being transferred.
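All four items come down to the same client-side gap: the receiving end trusts the server's "C"/"D" control records and its stderr. The following is an added example, not code from the advisory or from OpenSSH, showing the checks a hardened receiver would apply to the scp wire protocol: it parses the "Cmmmm size name", "Dmmmm size name", "E" and "T" records, rejects the empty and "." directory names from item 1, rejects names with path separators or names the client never asked for (items 2), and strips ANSI escape sequences and control characters from anything echoed to the terminal (items 3 and 4). The sample server stream is constructed for the example; the allowlist of requested names and the function names are assumptions, and the name matching here is a simplified set lookup rather than the glob matching a real client would need for wildcards.

```python
import re

# ESC [ ... final-byte (CSI sequences) and remaining C0/DEL control characters.
_ANSI_RE = re.compile(r'\x1b\[[0-9;?]*[ -/]*[@-~]')
_CTRL_RE = re.compile(r'[\x00-\x08\x0b-\x1f\x7f]')


def sanitize_for_display(text: str) -> str:
    """Make server-controlled text safe to print (progress line, stderr).

    Drops CSI sequences, carriage returns (which let later output overwrite
    an earlier line) and other control characters, addressing the spoofing
    items 3 and 4."""
    text = _ANSI_RE.sub('', text)
    text = text.replace('\r', '')
    return _CTRL_RE.sub('', text)


def validate_object_name(name: str) -> str:
    """Reject object names a server must never be allowed to choose.

    Empty and '.' cover item 1 (they would make the client chmod the target
    directory itself); '..' and '/' cover traversal; control characters
    keep the name from carrying terminal escapes."""
    if name in ('', '.', '..'):
        raise ValueError(f'rejected object name {name!r}')
    if '/' in name:
        raise ValueError(f'rejected object name with separator {name!r}')
    if any(ord(c) < 0x20 or c == '\x7f' for c in name):
        raise ValueError(f'rejected object name with control chars {name!r}')
    return name


def parse_control_line(line: str):
    """Parse one scp protocol record into (kind, mode, size, name).

    'E' closes a directory and 'T' carries timestamps; 'C' (file) and 'D'
    (directory) records must have a 4-digit octal mode, a decimal size and
    a validated name."""
    line = line[:-1] if line.endswith('\n') else line
    if line == 'E':
        return ('E', None, None, None)
    if line.startswith('T'):
        return ('T', None, None, line[1:])
    kind = line[:1]
    if kind not in ('C', 'D'):
        raise ValueError(f'unknown record type {kind!r}')
    parts = line[1:].split(' ', 2)
    if len(parts) != 3:
        raise ValueError(f'malformed record {line!r}')
    mode_s, size_s, name = parts
    if not re.fullmatch(r'[0-7]{4}', mode_s) or not size_s.isdigit():
        raise ValueError(f'malformed mode/size in {line!r}')
    return (kind, int(mode_s, 8), int(size_s), validate_object_name(name))


def process_stream(lines, requested):
    """Apply the receiver-side checks to a server stream.

    `requested` is the set of names the client asked for (assumed simple
    allowlist). Returns (accepted, rejected) where rejected pairs the
    offending record, sanitised for display, with the reason."""
    accepted, rejected = [], []
    for raw in lines:
        try:
            rec = parse_control_line(raw)
            if rec[0] in ('C', 'D') and rec[3] not in requested:
                raise ValueError(f'server sent unrequested object {rec[3]!r}')
            accepted.append(rec)
        except ValueError as exc:
            rejected.append((sanitize_for_display(raw.rstrip('\n')), str(exc)))
    return accepted, rejected


# Constructed sample stream: one legitimate file plus the two directory
# names from item 1, an unrequested file, and a name carrying a CSI sequence.
SAMPLE_STREAM = [
    'C0644 12 report.txt\n',
    'D0777 0 \n',
    'D0777 0 .\n',
    'C0600 5 extra.txt\n',
    'C0644 3 \x1b[1A\x1b[2Kreport.txt\n',
    'E\n',
]

if __name__ == '__main__':
    ok, bad = process_stream(SAMPLE_STREAM, {'report.txt'})
    for rec in ok:
        print('accepted', rec)
    for shown, why in bad:
        print('rejected', repr(shown), '-', why)
```

Running the module prints one accepted file record plus the trailing "E", and four rejections; note that the rejected line containing the escape sequence is printed as plain "C0644 3 report.txt" because it went through sanitize_for_display first, which is the behaviour the advisory's items 3 and 4 call for.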