| 1 | | https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt |
| 2 | | |
| 3 | | Vulnerabilities |
| 4 | | --------------- |
| 5 | | |
| 6 | | 1. CWE-20: scp client improper directory name validation [CVE-2018-20685] |
| 7 | | |
| 8 | | The scp client allows server to modify permissions of the target directory by using empty |
| 9 | | ("D0777 0 \n") or dot ("D0777 0 .\n") directory name. |
| 10 | | |
| 11 | | |
| 12 | | 2. CWE-20: scp client missing received object name validation [CVE-2019-6111] |
| 13 | | |
| 14 | | Due to the scp implementation being derived from 1983 rcp [1], the server chooses which |
| 15 | | files/directories are sent to the client. However, scp client only perform cursory |
| 16 | | validation of the object name returned (only directory traversal attacks are prevented). |
| 17 | | A malicious scp server can overwrite arbitrary files in the scp client target directory. |
| 18 | | If recursive operation (-r) is performed, the server can manipulate subdirectories |
| 19 | | as well (for example overwrite .ssh/authorized_keys). |
| 20 | | |
| 21 | | The same vulnerability in WinSCP is known as CVE-2018-20684. |
| 22 | | |
| 23 | | |
| 24 | | 3. CWE-451: scp client spoofing via object name [CVE-2019-6109] |
| 25 | | |
| 26 | | Due to missing character encoding in the progress display, the object name can be used |
| 27 | | to manipulate the client output, for example to employ ANSI codes to hide additional |
| 28 | | files being transferred. |
| 29 | | |
| 30 | | |
| 31 | | 4. CWE-451: scp client spoofing via stderr [CVE-2019-6110] |
| 32 | | |
| 33 | | Due to accepting and displaying arbitrary stderr output from the scp server, a |
| 34 | | malicious server can manipulate the client output, for example to employ ANSI codes |
| 35 | | to hide additional files being transferred. |
