Bugtraq mailing list archives
Re: scp file transfer hole
From: stanislav shalunov <shalunov () INTERNET2 EDU>
Date: Sun, 1 Oct 2000 00:43:39 -0400
Michal Zalewski <lcamtuf () TPI PL> writes:
When you are scp'ing files from remote machine to your local computer, modified scp service on the second endpoint can spoof legitimate scp data, overwriting arbitrary files.
OpenSSH-1.2.1 appears to create the file wherever you tell it to, but refuses to set setuid bit on it. That's not quite as bad as SSH 1.2 (which will even conveniently allow setting arbitrary file mode), but you can still overwrite ~/.ssh/authorized_keys or similar files to the same effect, as you point out.

Very disturbing--this is supposed to be security software.

--
Stanislav Shalunov <shalunov () internet2 edu>
Internet Engineer, Internet2

A language that doesn't have everything is actually easier to program in than some that do. -- Dennis M. Ritchie
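The client-side check whose absence the message above describes, as an added example that is not part of the original post or of any SSH implementation. It assumes the rcp-style file header `C<octal mode> <size> <name>` sent by the remote side during a single-file copy; the function names and sample headers are hypothetical and constructed for illustration.

```python
import re
import stat

# rcp/scp file header sent by the remote side (assumed format):
#   "C<4-digit octal mode> <size> <name>\n"
_HEADER = re.compile(r"C([0-7]{4}) (\d+) ([^\n]+)\n")

class RejectedHeader(Exception):
    """The remote side sent a file header the client should not act on."""

def check_file_header(line, requested_name):
    """Validate one 'C' record for a single-file copy; return (mode, size, name)."""
    m = _HEADER.fullmatch(line)
    if m is None:
        raise RejectedHeader("malformed header")
    mode, size, name = int(m.group(1), 8), int(m.group(2)), m.group(3)
    # The name must be a plain basename: no directories, no traversal.
    if "/" in name or name in (".", ".."):
        raise RejectedHeader(f"path component in name: {name!r}")
    # The name must be the file the user asked for, not one the server chose.
    if name != requested_name:
        raise RejectedHeader(f"unrequested file: {name!r}")
    # Strip setuid/setgid/sticky rather than trusting the remote mode.
    mode &= ~(stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX)
    return mode, size, name

def audit(lines, requested_name):
    """Run the check over several headers; return ('accept'|'reject', detail) pairs."""
    results = []
    for line in lines:
        try:
            results.append(("accept", check_file_header(line, requested_name)))
        except RejectedHeader as exc:
            results.append(("reject", str(exc)))
    return results

# Constructed sample headers, as a remote endpoint might send them.
SAMPLE = [
    "C0644 120 report.txt\n",            # what the user requested
    "C0600 400 .ssh/authorized_keys\n",  # path into another directory
    "C0644 400 authorized_keys\n",       # different file than requested
    "C4755 9000 report.txt\n",           # requested name, setuid mode
    "C0644 10 ../report.txt\n",          # traversal
]

if __name__ == "__main__":
    for line, result in zip(SAMPLE, audit(SAMPLE, "report.txt")):
        print(repr(line), "->", result)
```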