(Sun Describes Workaround) OpenSSH scp Double Shell Character Expansion During Local-to-Local Copying May Let Local Users Gain Elevated Privileges in Certain Cases
|
|
SecurityTracker Alert ID: 1018213 |
|
SecurityTracker URL: http://securitytracker.com/id/1018213
|
|
CVE Reference:
CVE-2006-0225
(Links to External Site)
|
Updated: Jun 22 2007
|
Original Entry Date: Jun 11 2007
|
Impact:
Execution of arbitrary code via local system, User access via local system
|
Fix Available: Yes Vendor Confirmed: Yes
|
|
Description:
A vulnerability was reported in scp in OpenSSH. A local user may be able to obtain elevated privileges in certain cases.
When performing local-to-local copying functions, scp expands shell characters in the filename twice before making a system() call. A filename that contains specially crafted characters may cause arbitrary commands to be executed.
If scp is used to transfer untrusted files or directories, a local user may be able to cause arbitrary code to be executed with the privileges of the process running scp.
The original bug report is available at:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174026
|
Impact:
A local user may be able to obtain elevated privileges in certain cases.
|
Solution:
Sun has issued the following fix for Solaris 10.
SPARC Platform
* Solaris 10 with patch 123324-03 or later
Sun is working on a fix for Solaris 9.
The Sun advisory is available at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102961-1
|
Vendor URL: www.openssh.org/ (Links to External Site)
|
Cause:
State error
|
Underlying OS:
UNIX (Solaris - SunOS)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Mon, 11 Jun 2007 16:15:43 -0400
Subject: Security Vulnerability in scp(1) May Allow Execution of Unintended Commands
|
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102961-1
CVE-2006-0225
|
|
