Category:  Application (Security) > OpenSSH
Vendors:  OpenSSH.org
(OpenBSD Issues Fix) OpenSSH scp Double Shell Character Expansion During Local-to-Local Copying May Let Local Users Gain Elevated Privileges in Certain Cases
SecurityTracker Alert ID:  1015614
SecurityTracker URL:  http://securitytracker.com/id/1015614
CVE Reference:  CVE-2006-0225
Date:  Feb 13 2006
Impact:  Execution of arbitrary code via local system, User access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in scp in OpenSSH. A local user may be able to obtain elevated privileges in certain cases.

When performing local-to-local copying functions, scp expands shell characters in the filename twice before making a system() call. A filename that contains specially crafted characters may cause arbitrary commands to be executed.

If scp is used to transfer untrusted files or directories, a local user may be able to cause arbitrary code to be executed with the privileges of the process running scp.

The original bug report is available at:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174026
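
The second parse described above, as an added C example (not OpenSSH source and not part of the original advisory): a file name that reaches the program as one argv string is pasted into a system() command line and read again by /bin/sh, shown next to a fork/exec form that passes each name as a single argument. The function names, the /tmp/scpdemo directory prefix and the sample file name are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* UNSAFE: names are pasted into a command line, so /bin/sh parses them again. */
static int copy_via_shell(const char *src, const char *dst)
{
    char cmd[1024];
    int n = snprintf(cmd, sizeof cmd, "cp -- %s %s", src, dst);
    int st = (n < 0 || (size_t)n >= sizeof cmd) ? -1 : system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* SAFER: each name is exactly one argv element; no shell ever sees it. */
static int copy_via_exec(const char *src, const char *dst)
{
    int st;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("cp", "cp", "--", src, dst, (char *)NULL);
        _exit(127);                       /* exec itself failed */
    }
    if (waitpid(pid, &st, 0) < 0)
        return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Copies a file with a constructed, harmless name inside a fresh temp dir.
 * Returns 1 if part of the name ran as a command, 0 if not, -1 on setup error. */
static int name_was_interpreted(int (*copy)(const char *, const char *))
{
    char dir[] = "/tmp/scpdemoXXXXXX";
    const char *name = "notes; touch MARKER";   /* constructed sample name */
    FILE *f;
    if (!mkdtemp(dir) || chdir(dir) != 0 || !(f = fopen(name, "w")))
        return -1;
    fputs("data\n", f);
    fclose(f);
    copy(name, "out");                    /* result ignored: we test the side effect */
    return access("MARKER", F_OK) == 0;   /* MARKER exists only if sh ran "touch" */
}

int main(void)
{
    printf("system():  interpreted=%d\n", name_was_interpreted(copy_via_shell));
    printf("fork/exec: interpreted=%d\n", name_was_interpreted(copy_via_exec));
    return 0;
}
```

With the system() form the shell splits the name at the semicolon, so the copy fails and a stray MARKER file appears; with the argv form the file is copied under its literal name and nothing else happens.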

Impact:   A local user may be able to obtain elevated privileges in certain cases.
Solution:   OpenBSD has issued a fix.

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/011_ssh.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/005_ssh.patch

Vendor URL:  www.openssh.org/
Cause:  State error
Underlying OS:  UNIX (OpenBSD)

Message History:   This archive entry is a follow-up to the message listed below.
Jan 25 2006 OpenSSH scp Double Shell Character Expansion During Local-to-Local Copying May Let Local Users Gain Elevated Privileges in Certain Cases



 Source Message Contents

Date:  Mon, 13 Feb 2006 00:28:52 -0500
Subject:  [none]


SECURITY FIX: February 12, 2006   All architectures
Josh Bressers has reported a weakness in OpenSSH caused due to the insecure use of the 
system(3) function in scp(1) when performing copy operations using filenames that are 
supplied by the user from the command line. This can be exploited to execute shell 
commands with privileges of the user running scp(1). 

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/011_ssh.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/005_ssh.patch
 
 



Copyright 2012, SecurityGlobal.net LLC